Provide restricted TLS configurations #513
Conversation
Motivation: Providing TLS configuration is difficult without prior knowledge since one must provide the application protocols identifiers for ALPN. In addition the default minimum TLS version provided by NIOs TLSConfiguration is lower than that specified by the gRPC protococl. Modifications: Add TLS configuration for both server and client which defaults which better align to gRPC. Add shims marking the old APIs as deprecated. Result: TLS is easier to configure.
| // TODO: Remove these shims before v1.0.0 is tagged. | ||
|
|
||
| extension ClientConnection.Configuration { | ||
| @available(*, deprecated, message: "use 'tls' and 'ClientConnection.Configuration.TLS'") |
There was a problem hiding this comment.
You can use a renamed: attribute here to get Xcode to suggest a migration fixit
There was a problem hiding this comment.
It's a different type (albeit a very similar one) instead of a direct rename so this seemed more appropriate
There was a problem hiding this comment.
Why not delete it altogether right away, given that we are not at 1.0 yet?
There was a problem hiding this comment.
We could, this makes it's easier to fix for anyone who is using the currently tagged version though.
| // TODO: Remove these shims before v1.0.0 is tagged. | ||
|
|
||
| extension ClientConnection.Configuration { | ||
| @available(*, deprecated, message: "use 'tls' and 'ClientConnection.Configuration.TLS'") |
There was a problem hiding this comment.
Why not delete it altogether right away, given that we are not at 1.0 yet?
Sources/GRPC/TLSConfiguration.swift
Outdated
| /// TLS configuration for a `ClientConnection`. | ||
| /// | ||
| /// Note that this configuration is a subset of `NIOSSL.TLSConfiguration` where certain options | ||
| /// are removed from the users control to ensure the configuration complies with the gRPC |
| trustRoots: trustRoots, | ||
| certificateChain: certificateChain, | ||
| privateKey: privateKey, | ||
| applicationProtocols: GRPCApplicationProtocolIdentifier.allCases.map { $0.rawValue } |
There was a problem hiding this comment.
Sorry, which identifiers does this include again?
There was a problem hiding this comment.
Off the top of my head: "h2" and "grpc-ext"
Motivation:
Providing TLS configuration is difficult without prior knowledge since
one must provide the application protocols identifiers for ALPN. In
addition the default minimum TLS version provided by NIOs
TLSConfiguration is lower than that specified by the gRPC protococl.
Modifications:
Add TLS configuration for both server and client which defaults which
better align to gRPC.
Add shims marking the old APIs as deprecated.
Result:
TLS is easier to configure.