Save sslEngine and use it later after the handshake is complete, to set the attribute for the hostname verifier.

kannanjgithub · kannanjgithub · commit 7941abcb3447 · 2025-01-24T13:55:29.000Z
diff --git a/examples/example-tls/build.gradle b/examples/example-tls/build.gradle
@@ -71,8 +71,6 @@ application {
     applicationDistribution.into('bin') {
         from(helloWorldTlsServer)
         from(helloWorldTlsClient)
-        filePermissions {
-            unix(0755)
-        }
+        fileMode = 0755
     }
 }
diff --git a/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java b/netty/src/main/java/io/grpc/netty/ProtocolNegotiators.java
@@ -641,6 +641,7 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     private Executor executor;
     private final Optional<Runnable> handshakeCompleteRunnable;
     private final X509TrustManager x509ExtendedTrustManager;
+    private SSLEngine sslEngine;
 
     ClientTlsHandler(ChannelHandler next, SslContext sslContext, String authority,
         Executor executor, ChannelLogger negotiationLogger,
@@ -661,19 +662,13 @@ static final class ClientTlsHandler extends ProtocolNegotiationHandler {
     @Override
     @IgnoreJRERequirement
     protected void handlerAdded0(ChannelHandlerContext ctx) {
-      SSLEngine sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
+      sslEngine = sslContext.newEngine(ctx.alloc(), host, port);
       SSLParameters sslParams = sslEngine.getSSLParameters();
       sslParams.setEndpointIdentificationAlgorithm("HTTPS");
       sslEngine.setSSLParameters(sslParams);
       ctx.pipeline().addBefore(ctx.name(), /* name= */ null, this.executor != null
           ? new SslHandler(sslEngine, false, this.executor)
           : new SslHandler(sslEngine, false));
-      ProtocolNegotiationEvent existingPne = getProtocolNegotiationEvent();
-      Attributes attrs = existingPne.getAttributes().toBuilder()
-              .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, new X509AuthorityVerifier(
-                      sslEngine, x509ExtendedTrustManager))
-              .build();
-      replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs));
     }
 
     @Override
@@ -724,6 +719,8 @@ private void propagateTlsComplete(ChannelHandlerContext ctx, SSLSession session)
       Attributes attrs = existingPne.getAttributes().toBuilder()
           .set(GrpcAttributes.ATTR_SECURITY_LEVEL, SecurityLevel.PRIVACY_AND_INTEGRITY)
           .set(Grpc.TRANSPORT_ATTR_SSL_SESSION, session)
+          .set(GrpcAttributes.ATTR_AUTHORITY_VERIFIER, new X509AuthorityVerifier(
+              sslEngine, x509ExtendedTrustManager))
           .build();
       replaceProtocolNegotiationEvent(existingPne.withAttributes(attrs).withSecurity(security));
       if (handshakeCompleteRunnable.isPresent()) {

Original file line number	Diff line number	Diff line change
`@@ -71,8 +71,6 @@ application {`
`71`	`71`	`applicationDistribution.into('bin') {`
`72`	`72`	`from(helloWorldTlsServer)`
`73`	`73`	`from(helloWorldTlsClient)`
`74`		`- filePermissions {`
`75`		`- unix(0755)`
`76`		`- }`
	`74`	`+ fileMode = 0755`
`77`	`75`	`}`
`78`	`76`	`}`