credentials/tls: default GRPC_ENFORCE_ALPN_ENABLED to true (#7535)

arjan-bal · web-flow · commit 70f19eecd168 · 2024-09-04T16:54:56.000+05:30
diff --git a/credentials/credentials_test.go b/credentials/credentials_test.go
@@ -297,7 +297,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
 	if err != nil {
 		return nil, err
 	}
-	serverTLSConfig := &tls.Config{Certificates: []tls.Certificate{cert}}
+	serverTLSConfig := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		NextProtos:   []string{"h2"},
+	}
 	serverConn := tls.Server(conn, serverTLSConfig)
 	err = serverConn.Handshake()
 	if err != nil {
@@ -307,7 +310,10 @@ func tlsServerHandshake(conn net.Conn) (AuthInfo, error) {
 }
 
 func tlsClientHandshake(conn net.Conn, _ string) (AuthInfo, error) {
-	clientTLSConfig := &tls.Config{InsecureSkipVerify: true}
+	clientTLSConfig := &tls.Config{
+		InsecureSkipVerify: true, // NOLINT
+		NextProtos:         []string{"h2"},
+	}
 	clientConn := tls.Client(conn, clientTLSConfig)
 	if err := clientConn.Handshake(); err != nil {
 		return nil, err
diff --git a/credentials/xds/xds_client_test.go b/credentials/xds/xds_client_test.go
@@ -146,7 +146,10 @@ func testServerTLSHandshake(rawConn net.Conn) handshakeResult {
 	if err != nil {
 		return handshakeResult{err: err}
 	}
-	cfg := &tls.Config{Certificates: []tls.Certificate{cert}}
+	cfg := &tls.Config{
+		Certificates: []tls.Certificate{cert},
+		NextProtos:   []string{"h2"},
+	}
 	conn := tls.Server(rawConn, cfg)
 	if err := conn.Handshake(); err != nil {
 		return handshakeResult{err: err}
diff --git a/credentials/xds/xds_server_test.go b/credentials/xds/xds_server_test.go
@@ -66,6 +66,7 @@ func makeClientTLSConfig(t *testing.T, mTLS bool) *tls.Config {
 		// verification function. So, the server credentials tests will rely
 		// solely on the success/failure of the server-side handshake.
 		InsecureSkipVerify: true,
+		NextProtos:         []string{"h2"},
 	}
 }
 
diff --git a/internal/envconfig/envconfig.go b/internal/envconfig/envconfig.go
@@ -45,7 +45,7 @@ var (
 	// option is present for backward compatibility. This option may be overridden
 	// by setting the environment variable "GRPC_ENFORCE_ALPN_ENABLED" to "true"
 	// or "false".
-	EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", false)
+	EnforceALPNEnabled = boolFromEnv("GRPC_ENFORCE_ALPN_ENABLED", true)
 	// XDSFallbackSupport is the env variable that controls whether support for
 	// xDS fallback is turned on. If this is unset or is false, only the first
 	// xDS server in the list of server configs will be used.

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ func makeClientTLSConfig(t testing.T, mTLS bool) tls.Config {`
`66`	`66`	`// verification function. So, the server credentials tests will rely`
`67`	`67`	`// solely on the success/failure of the server-side handshake.`
`68`	`68`	`InsecureSkipVerify: true,`
	`69`	`+ NextProtos: []string{"h2"},`
`69`	`70`	`}`
`70`	`71`	`}`
`71`	`72`