TLS 1.3 on grpc

Strictly speaking it is not a Ledger/Daml-related question, but I will try my luck here. We are using the Ledger API library to connect to the ledger. After upgrading the ledger to use TLS 1.3, the old code built in Java 9 stopped working. The code uses io.grpc.netty.NettyChannelBuilder and io.netty.handler.ssl.SslContext for TLS. Does anyone know why? Do I have to upgrade the JDK, and what version should I use? Thanks. The code is like this:

        this.nettyChannelBuilder =
                NettyChannelBuilder.forAddress(host, port).maxInboundMessageSize(MAX_MESSAGE_SIZE_BYTES);
        DamlLedgerClient.Builder builder = DamlLedgerClient.newBuilder(nettyChannelBuilder);
        SslContext sslContext = GrpcSslContexts.forClient()
                .protocols("TLSv1.2", "TLSv1.3")
                .trustManager(wrappedTrustManagers[0])
                .build();
        nettyChannelBuilder.sslContext(sslContext).useTransportSecurity();
        builder.withSslContext(sslContext);

What is the error exactly? What happens if you remove "TLSv1.2" from the list of accepted protocols?

Tried it already and it didn’t work. The error contains

“Caused by: java.lang.IllegalArgumentException: TLSv1.3” from java base class.

17:22:38.259 [main] ERROR a.c.a.t.util.ConnectionManager - [RESULT] Status{code=UNKNOWN, description=Channel Pipeline: [WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0], cause=io.netty.channel.ChannelPipelineException: io.grpc.netty.ProtocolNegotiators$ClientTlsHandler.handlerAdded() has thrown an exception; removed.
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:624)
at io.netty.channel.DefaultChannelPipeline.replace(DefaultChannelPipeline.java:572)
at io.netty.channel.DefaultChannelPipeline.replace(DefaultChannelPipeline.java:515)
at io.grpc.netty.ProtocolNegotiators$ProtocolNegotiationHandler.fireProtocolNegotiationEvent(ProtocolNegotiators.java:1059)
at io.grpc.netty.ProtocolNegotiators$WaitUntilActiveHandler.channelActive(ProtocolNegotiators.java:968)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelActive(AbstractChannelHandlerContext.java:209)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelActive(DefaultChannelPipeline.java:1398)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:230)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelActive(AbstractChannelHandlerContext.java:216)
at io.netty.channel.DefaultChannelPipeline.fireChannelActive(DefaultChannelPipeline.java:895)
at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.fulfillConnectPromise(AbstractNioChannel.java:305)
at io.netty.channel.nio.AbstractNioChannel$AbstractNioUnsafe.finishConnect(AbstractNioChannel.java:335)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:707)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.IllegalArgumentException: TLSv1.3
at java.base/sun.security.ssl.ProtocolVersion.valueOf(Unknown Source)
at java.base/sun.security.ssl.ProtocolList.convert(Unknown Source)
at java.base/sun.security.ssl.ProtocolList.<init>(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl.setEnabledProtocols(Unknown Source)
at io.netty.handler.ssl.JdkSslContext.configureAndWrapEngine(JdkSslContext.java:332)
at io.netty.handler.ssl.JdkSslContext.newEngine(JdkSslContext.java:326)
at io.grpc.netty.ProtocolNegotiators$ClientTlsHandler.handlerAdded0(ProtocolNegotiators.java:568)
at io.grpc.netty.ProtocolNegotiators$ProtocolNegotiationHandler.handlerAdded(ProtocolNegotiators.java:1018)
at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:938)
at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:609)
… 21 more
}

Can you share your (fully-resolved) Netty version, as well as your JVM version? Supported protocols may depend on both.


io.netty - 4.1.60.Final
io.grpc - 1.36.1
JDK - 9.0.4

I found a solution for it. It works with Java 1.8.0_321 or Java 11. I downgraded to 1.8.0_321 and it works.

It appears only certain JDKs support TLS v3, which means that you need to build and run the program using those JDKs. Also, for the ones that don’t support it, you only get the error at runtime, which is a bit annoying… I got it from here -

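The stack trace shows Netty's JdkSslContext handing the requested protocol list straight to SSLEngine.setEnabledProtocols, which is where a JDK without TLS 1.3 throws. As an added example (not code from the thread or from the Daml project), the hypothetical helper below asks the running JVM's default SSLContext which protocols it supports before building the gRPC client context, so a mismatch fails at startup with a clear message instead of when the channel becomes active; the class name, WANTED list and requireTls13 flag are my own assumptions.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;

import io.grpc.netty.GrpcSslContexts;
import io.netty.handler.ssl.SslContext;

// Hypothetical helper, not part of the thread's code: only protocols the JVM can
// actually enable are passed to Netty, so JdkSslContext never hits the
// IllegalArgumentException("TLSv1.3") seen in the trace above.
public final class TlsPreflight {

    // Protocols we would like to offer, most preferred first (assumed policy).
    private static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};

    // Returns the subset of 'wanted' that the default SSLContext reports as supported.
    static List<String> supportedOf(String... wanted) throws NoSuchAlgorithmException {
        List<String> jvmSupported = Arrays.asList(
                SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
        List<String> usable = new ArrayList<>();
        for (String p : wanted) {
            if (jvmSupported.contains(p)) {
                usable.add(p);
            }
        }
        return usable;
    }

    // requireTls13 lets a deployment whose ledger mandates TLS 1.3 refuse to start
    // on a JDK that cannot negotiate it, rather than failing on the first connect.
    static SslContext buildClientContext(TrustManager trustManager, boolean requireTls13)
            throws NoSuchAlgorithmException, SSLException {
        List<String> usable = supportedOf(WANTED);
        if (requireTls13 && !usable.contains("TLSv1.3")) {
            throw new IllegalStateException("TLSv1.3 required but JVM "
                    + System.getProperty("java.version") + " only supports " + usable);
        }
        if (usable.isEmpty()) {
            throw new IllegalStateException("JVM supports none of " + Arrays.toString(WANTED));
        }
        return GrpcSslContexts.forClient()
                .protocols(usable.toArray(new String[0]))
                .trustManager(trustManager)
                .build();
    }
}
```

The resulting SslContext is passed to NettyChannelBuilder.sslContext(...) exactly as in the original snippet; on the JDKs the thread found working (1.8.0_321, 11) the supported list includes TLSv1.3, on the 9.0.4 build it does not.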