session: fix mailbox TLS ALPN regression

[starius]

Starting in grpc-go v1.67.0, clients and servers reject TLS handshakes when ALPN is not negotiated. This changed the default value of GRPC_ENFORCE_ALPN_ENABLED from false to true. The default flip is in grpc/grpc-go#7535

Our mailbox transport handshake can reach endpoints that currently do not negotiate ALPN, so LNC session setup started failing and the lnc_auth flow timed out, with malformed header/content-type errors showing up later on the stream path.

This PR adds mailbox-specific TLS transport credentials that allow a missing negotiated ALPN value for mailbox links. The mailbox server path and the integration-test mailbox clients now use these credentials, so session
establishment works again.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical regression in mailbox TLS ALPN negotiation caused by an upgrade to grpc-go v1.67.0. The update enforced ALPN negotiation by default, leading to failed mailbox session setups. To resolve this, a new set of mailbox-specific TLS transport credentials has been implemented, which tolerates missing ALPN negotiation. These custom credentials are now applied to both the mailbox server path and integration test clients, restoring proper session establishment.

Highlights

• gRPC Version Update: Updated the google.golang.org/grpc dependency from v1.65.0 to v1.67.0, which introduced a breaking change by enforcing ALPN negotiation by default.
• Mailbox TLS ALPN Regression Fix: Introduced custom MailboxTLSCredentials to allow TLS handshakes for mailbox connections even when ALPN is not negotiated, resolving session setup failures caused by the gRPC update.
• Integration Test Updates: Modified integration tests (litd_firewall_test.go, litd_mode_integrated_test.go) to utilize the new MailboxTLSCredentials for mailbox client connections, ensuring compatibility with the updated gRPC behavior.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• go.mod
  • Updated google.golang.org/grpc from v1.65.0 to v1.67.0.
• go.sum
  • Updated checksums for google.golang.org/grpc v1.67.0.
• itest/litd_firewall_test.go
  • Changed credentials.NewTLS to session.NewMailboxTLSCredentials for mailbox client connections.
• itest/litd_mode_integrated_test.go
  • Imported the session package.
  • Changed credentials.NewTLS to session.NewMailboxTLSCredentials for mailbox client connections.
• session/server.go
  • Removed the import for google.golang.org/grpc/credentials.
  • Replaced credentials.NewTLS with NewMailboxTLSCredentials when creating the mailbox gRPC server.
• session/tls_credentials.go
  • Added a new file defining NewMailboxTLSCredentials and mailboxTLSCreds to handle TLS handshakes for mailbox links, specifically allowing for non-negotiated ALPN.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request addresses a TLS ALPN regression caused by an update to grpc-go. The solution involves introducing custom TLS transport credentials for mailbox connections to bypass the strict ALPN negotiation enforcement. The changes are well-contained and correctly applied in the server and integration tests. I have one suggestion to simplify the implementation in the new tls_credentials.go file by using a more modern Go API.

[ViktorT-11]

Thank you so much for this @starius 🙏!

tACK LGTM 🔥

[ellemouton]

thanks @starius - perhaps worth a release note entry?

[lightninglabs-deploy]

@starius, remember to re-request review from reviewers when ready