feat(transport): allow setting a custom rustls CryptoProvider on TLS configs#2697
Open
jgowdy wants to merge 1 commit into
…configs ClientTlsConfig and ServerTlsConfig build their rustls config from CryptoProvider::get_default(), so a non-default provider could only be used by installing it process-wide with install_default. Add a with_provider builder method to both configs to set the provider per channel/server; when set, tonic builds the config with builder_with_provider instead of get_default(). Roots, identity, ALPN, and client auth are layered on top unchanged. The field is optional and defaults to the current behavior, so it is backward compatible.
Motivation

`ClientTlsConfig` and `ServerTlsConfig` build their rustls configuration from `CryptoProvider::get_default()`, so a non-default provider can only be used by installing it process-wide with `install_default`. That forces every rustls user in the process onto the same provider. Some applications want a non-default provider, for example a FIPS build or a provider that constrains the cipher suites and key-exchange groups (such as a post-quantum profile), on specific channels or servers only.

Closes #2696.

Solution

Add a `with_provider(Arc<CryptoProvider>)` builder method to both `ClientTlsConfig` and `ServerTlsConfig`. When set, tonic builds the rustls config with `builder_with_provider` instead of `get_default()`; roots, identity, ALPN, and client auth are layered on top unchanged. The field is optional and defaults to the existing behavior, so this is backward compatible.

This follows the pattern of the custom `ServerCertVerifier` escape hatch (#2612). A unit test covers that a client connector built with an explicit provider succeeds without a process-wide default installed. The server path is symmetric.

There is no integration-test harness for `tonic::transport` TLS in the repo, and the example certs live outside the `tonic` crate, so I kept the test self-contained. Happy to add an integration test if you would prefer one.
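As an added illustration of the fallback described in the Solution section, and not code from tonic or rustls, the following std-only Rust model shows the design choice: the config carries an optional provider, `build` uses it when present and otherwise falls back to the process-wide default, so a config with an explicit provider builds even when no default was ever installed, while other configs are unaffected. `CryptoProvider`, `install_default`, `get_default`, `ClientTlsConfig` and `with_provider` here are stand-in types and functions named after the PR's wording, and the cipher-suite names are constructed sample values.

```rust
// Added example, std only: a model of per-config provider selection with a
// process-wide default as fallback. All types are stand-ins, not rustls/tonic.
use std::sync::{Arc, OnceLock};

/// Stand-in for rustls' CryptoProvider: names the cipher suites it offers.
#[derive(Debug, PartialEq)]
pub struct CryptoProvider {
    pub name: &'static str,
    pub cipher_suites: Vec<&'static str>,
}

// The process-wide default can be installed exactly once (models install_default).
static DEFAULT_PROVIDER: OnceLock<Arc<CryptoProvider>> = OnceLock::new();

pub fn install_default(p: Arc<CryptoProvider>) -> Result<(), Arc<CryptoProvider>> {
    DEFAULT_PROVIDER.set(p)
}

pub fn get_default() -> Option<&'static Arc<CryptoProvider>> {
    DEFAULT_PROVIDER.get()
}

#[derive(Debug, PartialEq)]
pub enum BuildError {
    /// No provider was set on the config and no process-wide default is installed.
    NoProvider,
}

/// What "building" yields in this model: which provider and suites were used.
#[derive(Debug, PartialEq)]
pub struct BuiltConfig {
    pub provider_name: &'static str,
    pub cipher_suites: Vec<&'static str>,
}

#[derive(Default)]
pub struct ClientTlsConfig {
    // Optional so that omitting it keeps the old get_default() behaviour.
    provider: Option<Arc<CryptoProvider>>,
    // roots, identity, ALPN and client auth are omitted from the model.
}

impl ClientTlsConfig {
    pub fn new() -> Self {
        Self::default()
    }

    /// Per-config provider; mirrors the builder method the PR adds.
    pub fn with_provider(mut self, provider: Arc<CryptoProvider>) -> Self {
        self.provider = Some(provider);
        self
    }

    /// Explicit provider wins; otherwise fall back to the process-wide default.
    pub fn build(&self) -> Result<BuiltConfig, BuildError> {
        let provider = match &self.provider {
            Some(p) => Arc::clone(p),
            None => Arc::clone(get_default().ok_or(BuildError::NoProvider)?),
        };
        Ok(BuiltConfig {
            provider_name: provider.name,
            cipher_suites: provider.cipher_suites.clone(),
        })
    }
}

/// Derive a constrained provider from a base one (e.g. a restricted profile).
pub fn restricted(
    base: &CryptoProvider,
    name: &'static str,
    keep: impl Fn(&str) -> bool,
) -> CryptoProvider {
    CryptoProvider {
        name,
        cipher_suites: base.cipher_suites.iter().copied().filter(|s| keep(*s)).collect(),
    }
}

/// Constructed sample base provider with three TLS 1.3 suite names.
pub fn full_provider() -> CryptoProvider {
    CryptoProvider {
        name: "full",
        cipher_suites: vec![
            "TLS13_AES_256_GCM_SHA384",
            "TLS13_AES_128_GCM_SHA256",
            "TLS13_CHACHA20_POLY1305_SHA256",
        ],
    }
}

fn main() {
    // Nothing installed yet: a config without an explicit provider cannot build.
    let plain = ClientTlsConfig::new();
    println!("no default installed: {:?}", plain.build());

    // An explicit, constrained provider builds regardless of the global default.
    let aes_only = Arc::new(restricted(&full_provider(), "aes-only", |s| s.contains("AES")));
    let scoped = ClientTlsConfig::new().with_provider(Arc::clone(&aes_only));
    println!("explicit provider: {:?}", scoped.build());

    // Once a default is installed, configs without a provider use it, and
    // the scoped config is unaffected.
    install_default(Arc::new(full_provider())).expect("default installed once");
    println!("default provider: {:?}", plain.build());
}
```

The point the model makes is the one the PR's unit test makes: selection happens at `build` time on the config, so a channel with its own provider does not depend on, or alter, the process-wide default that other rustls users in the same process see.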