
Comments (10)

jen20 commented on July 30, 2024

I think we should definitely expose a way to make this simpler - I'll take a look into some of the options and have a think about what could be done.

from tonic.

jen20 commented on July 30, 2024

Hi @xmclark! Personally I think I'd tend towards option 1 here. I can likely put together a pull request for this fairly quickly, as I have some other work in flight for TLS bits.


LucioFranco commented on July 30, 2024

This is a really good question! So most gRPC examples I've seen have their own CA roots, so I have not really seen users require this, but I think it's something we might be able to support. I'm not opposed to adding an additional feature flag around adding default roots. So I believe webpki_roots::TLS_SERVER_ROOTS is actually just the Mozilla one, whereas I believe with OpenSSL you can probe the system for its certs. I'm not sure if we should expose this as a builder since they can vary? I'm not the biggest expert on TLS, so not sure what the right path is.

@jen20 any thoughts?


xmclark commented on July 30, 2024

I spent some time this week to learn a bit about TLS and certificate trust chains. I found the docs at Let's Encrypt to be super useful!
https://letsencrypt.org/certificates/

It's now a little clearer that rustls::RootCertStore::add_server_trust_anchors is simply adding the Mozilla root certificates to the TLS config. This can also be achieved by downloading the certificates from Mozilla and adding them with ClientTlsConfig::ca_certificate. That solution also works for both OpenSSL and Rustls TLS configs.

I am guessing the gRPC community feels pretty comfortable with these certs because they keep the Mozilla root certificates updated in their git repo. I asked around in the gRPC gitter and I think they simply bake the certs into the gRPC libraries. This is useful when running on an OS like Windows where there is no standard location for trusted certs.
https://github.com/grpc/grpc/tree/master/etc

I think it may be useful to either:

  1. expose a feature-flag-gated method for adding the Mozilla root certs,
    or
  2. offer a simple example of how to add the root certs.

Either option would address the basic needs for users like me, and any users who care about initialization cost or root certs wouldn't need to pay the cost by default.

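As an added example (not tonic's code and not from this thread): the second route above, downloading a root bundle and adding its certificates to the client TLS config, first needs the bundle split into individual certificates. This standard-library-only Rust splitter takes a PEM CA bundle in the Mozilla layout, returns each BEGIN/END block as its own PEM string, and fails on a truncated or corrupted bundle rather than silently trusting fewer roots. The embedded bundle is constructed sample data, not real root certificates.

```rust
// Added example, not tonic's code. Splits a PEM CA bundle (such as the Mozilla
// root bundle discussed above) into blocks a client TLS config takes one at a time.

const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const END: &str = "-----END CERTIFICATE-----";

/// Return each complete BEGIN..END block as its own PEM string. A truncated
/// block or non-base64 text inside one is an error, so a corrupted download
/// fails loudly instead of silently trusting fewer roots than intended.
pub fn split_bundle(bundle: &str) -> Result<Vec<String>, String> {
    let mut certs = Vec::new();
    let mut buf: Vec<&str> = Vec::new();
    let mut in_block = false;
    for (n, raw) in bundle.lines().enumerate() {
        let line = raw.trim_end();
        if !in_block {
            // Comments, blank lines and prose between blocks are ignored.
            if line == BEGIN {
                in_block = true;
                buf.push(line);
            }
        } else if line == END {
            buf.push(line);
            certs.push(buf.join("\n"));
            buf.clear();
            in_block = false;
        } else if !line.is_empty() && line.bytes().all(|b| b.is_ascii_alphanumeric() || b"+/=".contains(&b)) {
            buf.push(line);
        } else {
            return Err(format!("line {}: unexpected content inside a certificate block", n + 1));
        }
    }
    if in_block {
        return Err("bundle ends inside a certificate block (truncated download?)".into());
    }
    Ok(certs)
}

/// Constructed sample in the layout of a Mozilla-style bundle; not real certificates.
pub const SAMPLE_BUNDLE: &str = "\
# Example Root CA 1
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUZm9v
-----END CERTIFICATE-----
# Example Root CA 2
-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUYmF6
-----END CERTIFICATE-----
";
```

Each returned string is one PEM certificate; a real bundle produces well over a hundred of them, which is the initialization cost the thread refers to.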

LucioFranco commented on July 30, 2024

Option one sounds like a great idea!


xmclark commented on July 30, 2024

Super happy to see #114 opened. I pointed my current gRPC project using tonic to the jen20/tls-trust-roots branch and it works beautifully using ClientTlsConfig::add_trust_anchors!

I don't mind tonic paying the extra cost of importing the Mozilla certs for rustls usage. I think most other gRPC libraries do this by default anyway.


xmclark commented on July 30, 2024

I just saw the announcement for rustls-native-certs. This may be something else to consider. It has cross-platform support.

https://github.com/ctz/rustls-native-certs


LucioFranco commented on July 30, 2024

Oh, very nice! @jen20, happy with whatever you think we should go with.


jen20 commented on July 30, 2024

I'll update #114 to use the native certs crate, as that is likely a more appropriate option than simply relying on the Mozilla roots.


LucioFranco commented on July 30, 2024

@xmclark this should be fixed with #114, feel free to reopen if there are any more issues.
