Jaeger: gRPC with TLS doesn't work with cmux in mixed mode

Created on 9 Jul 2020 · 12Comments · Source: jaegertracing/jaeger

Describe the bug
I faced https://github.com/open-telemetry/opentelemetry-collector/issues/1227 some time ago, and while reviewing #2337, I noticed that we have the same pattern in Jaeger:

https://github.com/jaegertracing/jaeger/blob/02d45678ec9079ee91e19ad901ab7592aa4de085/cmd/query/app/server.go#L138-L145

Basically, when gRPC is behind TLS, cmux can't determine the headers before doing the TLS handshake, and the TLS handshake happens at the gRPC layer. The end result is that all calls end up going to the HTTP handler when a client is attempting to establish a gRPC TLS connection.

To Reproduce
Steps to reproduce the behavior:

Not reproducible at the moment, as there's a bug preventing the TLS flags from being exposed for gRPC in the Query component.

A possible solution is mentioned here in a follow-up issue at OpenTelemetry Collector: https://github.com/open-telemetry/opentelemetry-collector/issues/1256#issuecomment-654975422

bug hacktoberfest

Source

jpkrohling

All 12 comments

I think the Example (RecursiveCmux) from here can easily suit our needs. Basically, create any non-tls handers (if there is any) in the first cmux. If not satisfied, assume it is TLS and use a tls listener as the input listener of the inner cmux with tls enabled servers.

We would need to build the cmux dynamically with some factory method based on whether which of gRPC and / or HTTP tls is enabled.

but one major pitfall would be that we can use only one common pair of certificates for both gRPC and HTTP.

rjs211 on 16 Jul 2020

Do you want to try?

yurishkuro on 16 Jul 2020

Yes. Will try this first.

rjs211 on 16 Jul 2020

🎉1

I think #2337 Solves this one as well now. Used only one cmux.
Assumptions:

~~Only one set of server certificate and key (even though both HTTP and GRPC flags are exposed )~~ Fixed
GRPC can handle bad requests. (i.e. if it gets a non-grpc request / random http request, it shouldn't break.)

rjs211 on 16 Jul 2020

Only one set of server certificate and key (even though both HTTP and GRPC flags are exposed )

Then we should have only one set of flags. I can't see a way to have both gRPC and HTTP under one single port, each with its own cert...

jpkrohling on 17 Jul 2020

Should be fixed now.

rjs211 on 17 Jul 2020

This causes another problem. There can be only one ClientCA for both GRPC and HTTP server. But they might very well get their client-certificates from two different CAs.

Can i change the tlsCfg.Options.ClientCAPath from string to StringSlice (defined in https://github.com/jaegertracing/jaeger/blob/master/pkg/config/string_slice.go) ? this would enable multiple ClientCAs for any single TLSCfg

rjs211 on 18 Jul 2020

Aah, one certificate file would contain multiple certificates. We dont ahve to do that.

rjs211 on 18 Jul 2020

👍1

Aah, one certificate file would contain multiple certificates.

it may be worth mentioning this in the corresponding TLS config option.

yurishkuro on 18 Jul 2020

@rjs211 I think you fixed this one already, haven't you?

jpkrohling on 10 Sep 2020

@jpkrohling Yes. This should be fixed when #2387 is merged.

rjs211 on 10 Sep 2020

Just to clarify, This is solved (i.e. a working solution) only when the user descides to use two separate ports. i.e. when query.host-port is not defined and at least one of query.grpc-server.host-port or query.http-server.host-port is defined. This actual feature would be a part if #2337. I am resuming working on that now.

rjs211 on 11 Sep 2020

Was this page helpful?

0 / 5 - 0 ratings