
feat(transport): Add system root anchors for TLS #114

Merged
merged 1 commit into from
Nov 9, 2019

Conversation

jen20
Contributor

@jen20 jen20 commented Nov 3, 2019

As per #101, it is sometimes desirable to use standard web PKI roots for gRPC clients. This commit adds a method to ClientTlsConfig to allow this. The behaviour differs per TLS library:

  • OpenSSL uses openssl-probe to search the system for roots and add them.
  • Rustls adds the Mozilla-supplied roots from the webpki-roots crate.

This is not feature flagged, as there appears to be no convenient way to gate a dependency on multiple conditions.

@jen20 jen20 force-pushed the jen20/tls-trust-roots branch from 5f0e7e9 to 4b49811 Compare November 4, 2019 16:48
@jen20 jen20 force-pushed the jen20/tls-trust-roots branch 2 times, most recently from 34a9677 to 9fe4224 Compare November 4, 2019 17:01
@jen20 jen20 changed the title Add client TLS builder method to add trust anchors Add feature flags to add default trust anchors for Rustls and OpenSSL Nov 4, 2019
@jen20 jen20 force-pushed the jen20/tls-trust-roots branch from 9fe4224 to bc5c962 Compare November 9, 2019 10:04
@jen20
Contributor Author

jen20 commented Nov 9, 2019

I've updated this in light of the new rustls-native-certs library for rustls, so the behaviour is now much more similar between the supported TLS libraries.

@jen20 jen20 force-pushed the jen20/tls-trust-roots branch from bc5c962 to 68462d2 Compare November 9, 2019 10:53
@jen20
Contributor Author

jen20 commented Nov 9, 2019

Fixes #101.

As per hyperium#101, it is sometimes desirable to use standard web PKI roots for
gRPC clients. This commit adds a method to ClientTlsConfig to add the
trust roots from the system certificate store:

- OpenSSL uses `openssl-probe` to search the system for roots.
- Rustls uses `rustls-native-certs` to load the system roots.

Enabling the `openssl-roots` or `rustls-roots` feature for `tonic` in
`Cargo.toml` will add system roots by default when configuring a gRPC
client.
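Both feature flags come down to the same step: probe the host for a PEM bundle and hand whatever it contains to the TLS library as trust anchors. The following self-contained Rust program is an added illustration of that step, not tonic's, openssl-probe's or rustls-native-certs' code. It probes an explicit override path first (the role `SSL_CERT_FILE` plays for openssl-probe), then a constructed list of common distro bundle locations, extracts complete `CERTIFICATE` blocks, and fails closed when the store is missing or empty. The names `probe_roots`, `parse_pem_certs`, `CANDIDATE_BUNDLES` and the sample bundle are assumptions of the example.

```rust
use std::fs;
use std::path::{Path, PathBuf};

/// One trust anchor as found in a PEM bundle. The base64 body is kept as
/// text; DER decoding and X.509 parsing are left to the TLS library.
#[derive(Debug, Clone, PartialEq)]
pub struct PemCert {
    pub source: PathBuf,
    pub body: String,
}

/// Why no usable root store could be produced. Both variants are fatal for a
/// client: with no anchors it cannot verify any server.
#[derive(Debug, PartialEq)]
pub enum ProbeError {
    /// None of the candidate paths could be read.
    NoStoreFound,
    /// A bundle was readable but contained no CERTIFICATE blocks.
    EmptyStore(PathBuf),
}

/// Constructed list of common distro bundle locations, probed in order
/// (an assumption of this example, not the crates' real search list).
pub const CANDIDATE_BUNDLES: &[&str] = &[
    "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",   // Fedora/RHEL
    "/etc/ssl/ca-bundle.pem",             // openSUSE
    "/etc/ssl/cert.pem",                  // Alpine, macOS
];

/// Extract every complete `CERTIFICATE` PEM block from `text`. A truncated
/// trailing block is dropped rather than accepted as a partial anchor.
pub fn parse_pem_certs(text: &str, source: &Path) -> Vec<PemCert> {
    const BEGIN: &str = "-----BEGIN CERTIFICATE-----";
    const END: &str = "-----END CERTIFICATE-----";
    let mut certs = Vec::new();
    let mut rest = text;
    while let Some(start) = rest.find(BEGIN) {
        let after = &rest[start + BEGIN.len()..];
        let end = match after.find(END) {
            Some(end) => end,
            None => break, // no matching END: ignore the tail
        };
        let body: String = after[..end].chars().filter(|c| !c.is_whitespace()).collect();
        if !body.is_empty() {
            certs.push(PemCert { source: source.to_path_buf(), body });
        }
        rest = &after[end + END.len()..];
    }
    certs
}

/// Probe for a root bundle: the override (if any) first, then the candidates
/// in order. The first readable bundle wins; an empty one is an error so the
/// caller fails closed instead of silently configuring a client with no anchors.
pub fn probe_roots<'a>(
    override_path: Option<&'a Path>,
    candidates: &[&'a Path],
) -> Result<Vec<PemCert>, ProbeError> {
    for path in override_path.into_iter().chain(candidates.iter().copied()) {
        let text = match fs::read_to_string(path) {
            Ok(text) => text,
            Err(_) => continue, // unreadable or absent: try the next location
        };
        let certs = parse_pem_certs(&text, path);
        if certs.is_empty() {
            return Err(ProbeError::EmptyStore(path.to_path_buf()));
        }
        return Ok(certs);
    }
    Err(ProbeError::NoStoreFound)
}

/// Constructed sample bundle: two complete blocks and one truncated one.
/// The bodies are placeholders, not real DER certificates.
pub const CONSTRUCTED_BUNDLE: &str = "\
# constructed sample bundle, not a real root store
-----BEGIN CERTIFICATE-----
MIIBAAAA
AAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBBBBB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
truncated
";

/// Write the constructed bundle to a per-process temp file and return its path.
pub fn write_constructed_bundle() -> PathBuf {
    let dir = std::env::temp_dir().join(format!("roots-probe-{}", std::process::id()));
    fs::create_dir_all(&dir).expect("temp dir");
    let path = dir.join("bundle.pem");
    fs::write(&path, CONSTRUCTED_BUNDLE).expect("write bundle");
    path
}

fn main() {
    let bundle = write_constructed_bundle();
    let candidates: Vec<&Path> = CANDIDATE_BUNDLES.iter().map(|p| Path::new(*p)).collect();
    // The override points at the constructed bundle, so the real system
    // paths are never read when this example runs.
    match probe_roots(Some(bundle.as_path()), &candidates) {
        Ok(certs) => println!("loaded {} root(s) from {}", certs.len(), certs[0].source.display()),
        Err(e) => eprintln!("refusing to build client: {:?}", e),
    }
}
```

In a real client the returned anchors would be handed to the TLS library's root store before `ClientTlsConfig` is built. The point of the `EmptyStore` and `NoStoreFound` branches is that the failure surfaces at configuration time rather than as an opaque handshake error later: a container image without a `ca-certificates` package is a common way to end up with an empty store.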
@jen20 jen20 force-pushed the jen20/tls-trust-roots branch from 68462d2 to 565e650 Compare November 9, 2019 16:20
@jen20
Contributor Author

jen20 commented Nov 9, 2019

Docs for the new feature flags are now added in tonic/src/lib.rs.

@LucioFranco LucioFranco changed the title Add feature flags to add default trust anchors for Rustls and OpenSSL feat(transport): Add system root anchors for TLS Nov 9, 2019
@LucioFranco LucioFranco merged commit ac0e333 into hyperium:master Nov 9, 2019
@jen20 jen20 deleted the jen20/tls-trust-roots branch November 9, 2019 16:38
rabbitinspace pushed a commit to satelit-project/tonic that referenced this pull request Jan 1, 2020
brentalanmiller pushed a commit to brentalanmiller/tonic that referenced this pull request Oct 6, 2023