Closed mogrein closed 11 months ago
Thanks for reaching out. If you want to restrict the TLS version to 1.2 and above, you can configure your gRPC server and set Config.MinVersion to VersionTLS12.
https://pkg.go.dev/crypto/tls#Config.MinVersion https://cs.opensource.google/go/go/+/refs/tags/go1.21.3:src/crypto/tls/common.go;l=31
And still, the problem is that grpc-go is not compliant with the RFC.
We honor the user's configuration.
However, we should do better if the user doesn't specify the MinVersion. I'll send a PR.
Hello, I want to ask a question regarding the implementation of RFC 7540. RFC 7540 enforces some restrictions on the TLS MinVersion and cipher suites used for HTTP/2 connections. It states that HTTP/2 connections must use TLS version 1.2 or higher. I've tested the example from grpc-go and it seems that the server allows TLS 1.0 connections. It looks like both the tls and advancedtls implementations use the default Go limit on the server TLS config:
```
openssl-1.1 s_client -tls1 -connect localhost:50051
...
New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 75DCDAD64A6B7B436E7583C5E49FEB11FF0CFA92DD58CA4B41A97D7AEC1E27BD
    Session-ID-ctx:
    Master-Key: 2AB2840F395D5C80DD36494B1130416FFEAF53EB00A24A71816729099D773A8E8E4DC85AF844F6D91797990EDBAA5A41
    PSK identity: None
    PSK identity hint: None
    SRP username: None
...
```
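The following is an added example, not code from grpc-go or from anyone in this thread. It shows the fix the maintainer describes (an explicit `Config.MinVersion = tls.VersionTLS12`) together with the other RFC 7540 section 9.2 requirements a server can enforce in `crypto/tls` (`h2` via ALPN, ECDHE/AEAD suites for TLS 1.2), and it reproduces the reporter's `openssl s_client -tls1` probe in-process: a Go client capped at TLS 1.0 or 1.1 is rejected, while TLS 1.2 and 1.3 clients negotiate `h2`. The function names `HTTP2ServerTLSConfig`, `handshake` and `newSelfSignedCert`, the self-signed test certificate, and the specific cipher-suite list are assumptions of this example; it uses only the standard library so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HTTP2ServerTLSConfig returns a server tls.Config that meets RFC 7540 §9.2:
// TLS 1.2 as the floor, "h2" offered through ALPN, and only ECDHE/AEAD suites
// for TLS 1.2 (TLS 1.3 suites are not configurable in Go and are all AEAD).
// The suite list is this example's choice, not a grpc-go default.
func HTTP2ServerTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, // the field named in the maintainer's reply
		NextProtos:   []string{"h2"},
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, // mandatory-to-implement suite in RFC 7540 §9.2.2
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
	}
}

// newSelfSignedCert generates a throwaway ECDSA P-256 certificate for
// "localhost" so the example runs offline. Constructed test material only.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// handshake runs one TLS handshake over an in-memory net.Pipe between a server
// using srvCfg and a client that goes no higher than maxVersion (the in-process
// equivalent of `openssl s_client -tls1`). It returns the client's view of the
// connection and the first error from either side.
func handshake(srvCfg *tls.Config, pool *x509.CertPool, maxVersion uint16) (tls.ConnectionState, error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()

	cliCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "localhost",
		NextProtos: []string{"h2"},
		MinVersion: tls.VersionTLS10, // deliberately permissive: this is the probe, not the policy
		MaxVersion: maxVersion,
		// One TLS 1.0-capable suite so a TLS 1.0 ClientHello is well formed,
		// plus an AEAD suite for the TLS 1.2 path.
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
		},
		// No resumption, so the server sends no post-handshake messages that a
		// synchronous net.Pipe would otherwise stall on.
		SessionTicketsDisabled: true,
	}

	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, srvCfg).Handshake() }()

	cli := tls.Client(c, cliCfg)
	cliErr := cli.Handshake()
	if cliErr != nil {
		c.Close() // unblock the server side if it is still waiting on us
	}
	if err := <-srvErr; err != nil {
		return tls.ConnectionState{}, err
	}
	if cliErr != nil {
		return tls.ConnectionState{}, cliErr
	}
	return cli.ConnectionState(), nil
}

func main() {
	cert, pool, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := HTTP2ServerTLSConfig(cert)
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		st, err := handshake(srv, pool, v)
		if err != nil {
			fmt.Printf("client max 0x%04x: rejected: %v\n", v, err)
			continue
		}
		fmt.Printf("client max 0x%04x: negotiated 0x%04x, ALPN %q\n", v, st.Version, st.NegotiatedProtocol)
	}
}
```

To apply this to a grpc-go server, pass the config through `credentials.NewTLS` and `grpc.Creds` instead of relying on the package defaults. Two caveats worth knowing: `CipherSuites` only governs TLS 1.2, and since Go 1.22 the standard library's default server minimum is already TLS 1.2 (re-enabling 1.0/1.1 needs `GODEBUG=tls10server=1`), so the `-tls1` probe in the report only succeeds against the go1.21 toolchain it was run with or with that GODEBUG set. Setting `MinVersion` explicitly makes the policy independent of toolchain defaults either way.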