From f99ab2f9f1532eb0525ab0688754d63e4b9678f9 Mon Sep 17 00:00:00 2001
From: Luwei Ge
Date: Fri, 3 Nov 2023 19:42:06 +0000
Subject: [PATCH] explain why tls 1.2

---
 test/core/end2end/h2_ssl_certs_curves_test.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/test/core/end2end/h2_ssl_certs_curves_test.cc b/test/core/end2end/h2_ssl_certs_curves_test.cc
index 6b6be8bd1dd5d..b1020c3218333 100644
--- a/test/core/end2end/h2_ssl_certs_curves_test.cc
+++ b/test/core/end2end/h2_ssl_certs_curves_test.cc
@@ -91,6 +91,14 @@ grpc_server* server_create(grpc_completion_queue* cq, const char* server_addr,
   grpc_server_credentials* server_creds =
       grpc_ssl_server_credentials_create_with_options(options);
   // This is a hack but we don't have a public API to force TLS version yet.
+  //
+  // The tests in this file are only meaningful with TLSv1.2 only there is the
+  // public key from the certificate used for key exchange and the key type's
+  // compatibility will be checked:
+  // https://datatracker.ietf.org/doc/html/rfc8422#section-5.3.
+  // In TLSv1.3 key exchange negotiation follows a different flow
+  // (https://datatracker.ietf.org/doc/html/rfc8446#section-4.2.7) and no longer
+  // involves the key in the certificate.
   reinterpret_cast(server_creds)
       ->set_max_tls_version(grpc_tls_version::TLS1_2);
   grpc_server* server = grpc_server_create(nullptr, nullptr);
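Review bot: The added comment's first sentence ("only meaningful with TLSv1.2 only there is the public key from the certificate used for key exchange") is hard to parse, and its closing claim that TLSv1.3 "no longer involves the key in the certificate" overstates the difference: in TLSv1.3 the certificate key still signs CertificateVerify, what changes is that the supported_groups extension (RFC 8446 §4.2.7) only constrains the (EC)DHE key-exchange groups and no longer the curve of the certificate's key, so the curve-compatibility check these tests exercise does not occur. I would reword the two sentences as `// These tests are only meaningful under TLSv1.2: there the certificate's public key must use a curve the client advertised (RFC 8422 §5.3), which is the check exercised here. Under TLSv1.3 supported_groups (RFC 8446 §4.2.7) governs only the key-exchange group, not the certificate key's curve, so the check never fires.` It would also help to state in the comment that capping the version is test-only scaffolding around the missing public API, since the line below reaches into the credentials object via reinterpret_cast. server_create continues outside the hunk.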