
java.net.SocketException: Connection reset with XDS configured client


David Vilaverde

Dec 13, 2024, 4:10:14 PM
to grpc.io
I'm using the grpc-java client 1.69.0 with an xDS server to connect to a server that is behind another Envoy cluster. The URL for the service is TLS, and when I run my client, configured like this:

channelBuilder = Grpc.newChannelBuilder(target, TlsChannelCredentials.create());
// needed, otherwise the TLS handshake will fail, I'm assuming
// due to the SNI name not being set for the TLS handshake
//
//        channelBuilder.overrideAuthority(SERVICE_URL);
blockingStub = GeoLookupGrpc.newBlockingStub(channelBuilder.build());

If I uncomment the call to overrideAuthority(), which has the FQDN of the TLS certificate for the gRPC service behind Envoy, then the call works as expected.

Is there a way around this so the client doesn't need to know this information and everything can be provided to the client via XDS?

Thanks
Dave

Eric Anderson

Dec 13, 2024, 4:25:54 PM
to David Vilaverde, grpc.io
To fix the TLS handshaking problem, you can use XdsChannelCredentials which lets the xds server control the TLS configuration and hostname verification. The grpc-java xDS example demonstrates this when using --xds-creds. Using XdsChannelCredentials is required, as it provides an opt-in to trusting the xds server as root. The xds server can impersonate services and break security boundaries, but for many users this is acceptable and necessary. gRFC A29 xDS-Based Security covers the details here if you end up needing to change the xds configuration delivered to the client.

Since you mentioned reverse proxies, I'll note that there is a related gRFC A81 xDS Authority Rewriting that's being implemented. Without overrideAuthority(), the Host/:authority header sent to your Envoy cluster will be derived from `target`. This feature allows the Host/:authority header to be rewritten to a value expected by the server.

To view this discussion visit https://groups.google.com/d/msgid/grpc-io/83dd73e1-5521-49bb-9803-c7304c1fcb99n%40googlegroups.com.
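As an added illustration of the reply above (example code written for this thread, not from the original post or from grpc-java itself), the two channel setups side by side: the manual TLS channel from the question, and one using XdsChannelCredentials so the xDS server supplies the TLS configuration and hostname verification. The xds target name, SERVICE_URL value and the GeoLookupGrpc stub class name are assumptions.

```java
import io.grpc.ChannelCredentials;
import io.grpc.Grpc;
import io.grpc.InsecureChannelCredentials;
import io.grpc.ManagedChannel;
import io.grpc.TlsChannelCredentials;
import io.grpc.xds.XdsChannelCredentials;

public final class XdsCredsExample {
  // Assumed xds-scheme target: the xDS server resolves it and delivers the
  // cluster, endpoints and, with XdsChannelCredentials, the TLS settings.
  static final String XDS_TARGET = "xds:///geo-lookup";
  // Assumed FQDN found in the server certificate behind Envoy (the SERVICE_URL
  // of the original post); only the manual variant needs to know it.
  static final String SERVICE_URL = "geo-lookup.example.com";

  /** The setup from the question: client-side TLS, so the client must know
   *  the certificate name itself and pass it as SNI and :authority. */
  static ManagedChannel manualTlsChannel() {
    return Grpc.newChannelBuilder(XDS_TARGET, TlsChannelCredentials.create())
        .overrideAuthority(SERVICE_URL)
        .build();
  }

  /** xDS-controlled security (gRFC A29): the xDS server delivers the TLS
   *  configuration and hostname verification, so no SERVICE_URL is needed.
   *  Trust implication: the xDS server becomes a root of trust for this
   *  channel and could steer it at any endpoint it chooses. */
  static ManagedChannel xdsControlledChannel() {
    // The fallback is used only when the xDS server sends no security
    // config. The grpc-java example uses InsecureChannelCredentials here;
    // a TLS fallback keeps the connection encrypted in that case instead of
    // silently dropping to plaintext, so pick it deliberately.
    ChannelCredentials fallback = TlsChannelCredentials.create();
    ChannelCredentials unusedInsecure = InsecureChannelCredentials.create();
    return Grpc.newChannelBuilder(XDS_TARGET, XdsChannelCredentials.create(fallback))
        .build();
  }

  public static void main(String[] args) {
    ManagedChannel channel = xdsControlledChannel();
    // Generated stub; class and method names assumed from the original post.
    GeoLookupGrpc.GeoLookupBlockingStub stub = GeoLookupGrpc.newBlockingStub(channel);
    // ... issue RPCs through stub ...
    channel.shutdownNow();
  }
}
```

Note that without overrideAuthority() the :authority header is still derived from the target, so if Envoy routes on Host the xDS authority rewriting of gRFC A81 mentioned above is the piece that closes that gap.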