From f5e4a7836654c852042139063843f47e3e37f967 Mon Sep 17 00:00:00 2001
From: Sotirios Delimanolis
Date: Fri, 19 Jan 2024 15:04:06 -0800
Subject: [PATCH] Add ALPN and better auth to SSLContext used for raw Thrift client
Summary: This was found from logs like https://fburl.com/scuba/thrift_connection_events/4ki5vhy2, showing an empty "Client Alpns" list. Rocket should be used with an "rs" ALPN value. Most of these changes come from https://www.internalfb.com/intern/wiki/Secure_Thrift/User_Guide/TLS/Special_Cases/
Reviewed By: xiangxu1121
Differential Revision: D52699658
fbshipit-source-id: 3775047f5fad390fcfa43bd68ac817dfdde9ed8c
---
openr/common/OpenrClient.h | 7 +++----
openr/kvstore/KvStore-inl.h | 4 +---
2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/openr/common/OpenrClient.h b/openr/common/OpenrClient.h
index c82e8d0409f..93e1fe7ea86 100644
--- a/openr/common/OpenrClient.h
+++ b/openr/common/OpenrClient.h
@@ -125,9 +125,7 @@ getOpenrCtrlPlainTextClient(
 /*
 * Create secured client for OpenrCtrlCpp service over AsyncSSLSocket.
 */
-template <
- typename ClientType,
- typename ClientChannel = apache::thrift::RocketClientChannel>
+template
 static std::unique_ptr
 getOpenrCtrlSecureClient(
 folly::EventBase& evb,
@@ -183,7 +181,8 @@ getOpenrCtrlSecureClient(
 }
 // Create channel and set timeout
- auto channel = ClientChannel::newChannel(std::move(transport));
+ auto channel =
+ apache::thrift::RocketClientChannel::newChannel(std::move(transport));
 channel->setTimeout(processingTimeout.count());
 // Enable compression for efficient transport when available. This will
diff --git a/openr/kvstore/KvStore-inl.h b/openr/kvstore/KvStore-inl.h
index 28f169954f4..209b457600b 100644
--- a/openr/kvstore/KvStore-inl.h
+++ b/openr/kvstore/KvStore-inl.h
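Review bot: The header comment kept by the first hunk (`Create secured client for OpenrCtrlCpp service over AsyncSSLSocket.`) no longer says why the channel type is fixed, now that the second hunk hardcodes `apache::thrift::RocketClientChannel::newChannel` and drops the `ClientChannel` template parameter, so a reader of OpenrClient.h alone cannot tell that the choice is tied to ALPN. I would extend that comment with `* The channel is always RocketClientChannel: the SSL context passed by callers advertises rocket ("rs") in ALPN, so the channel must match what TLS negotiates.` The call site in openr/kvstore/KvStore-inl.h already carries this rationale in its own comment, and the header is where the next maintainer will look before re-adding a channel parameter. The commit title says the SSL context gains ALPN and better auth, but neither hunk touches the context; presumably that setup lives in `folly::ssl::SSLCommonOptions::setClientOptions`, which the KvStore hunk calls — worth confirming, since a context that still advertises no ALPN would now pair a rocket channel with a protocol the server did not negotiate. getOpenrCtrlSecureClient begins and ends outside both hunks.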
@@ -1128,9 +1128,7 @@ KvStoreDb::KvStorePeer::getOrCreateThriftClient(
 folly::ssl::SSLCommonOptions::setClientOptions(*context);
 // Since we are suggesting support for rocket in ALPN,
 // we should use RocketClientChannel to match what is negotiated
- secureClient = getOpenrCtrlSecureClient<
- ClientType,
- apache::thrift::RocketClientChannel>(
+ secureClient = getOpenrCtrlSecureClient(
 *(evb->getEvb()),
 context,
 folly::IPAddress(*peerSpec.peerAddr()), /* v6LinkLocal */