joeljeske changed the title from "gRPC Client Certification Refresh Interval is not respected" to "gRPC Client Certificate Refresh Interval is not respected" on Feb 13, 2023
As reported in buildbarn/bb-clientd#7
#149 added support for using client and server certificates from files on disk, for both gRPC and HTTP connections. It also added support for refreshing these certificates on an interval.
Specifically, for gRPC client certificates, the rotation is not working as intended. The original certificate is used for the duration of the process.
This is due to the same issue seen here, grpc/grpc-go#5791, where tls.Config.GetClientCertificate is not respected within grpc-go. The solution is documented to use advancedtls.NewServerCreds instead of credentials.NewTLS.
Currently, we cannot easily switch to this alternate API, since it drops support for configuring MinTLS Version as well as TLS CipherSuites and thus would be a breaking change. There is an open ticket grpc/grpc-go#5667 for adding support for configuring CipherSuites with advancedtls, but until then, grpc client certificates will not properly rotate.
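The symptom reported above can be checked at the handshake level. The following is an added example, not code from bb-storage, bb-clientd or grpc-go: using only the Go standard library's crypto/tls, it records which client certificate a test server receives before and after a swap, once for a config holding a static Certificates snapshot and once for a config using GetClientCertificate, with MinVersion and CipherSuites set in both cases. The names newCert and serialsAcrossRotation, the serials 1, 100 and 200, and the in-memory certificates are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

func newCert(serial int64) *tls.Certificate { // throwaway self-signed cert (constructed test data)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serialsAcrossRotation returns the client serial a test server saw before and after a swap.
func serialsAcrossRotation(useCallback bool) (seen [2]int64) {
	srv, roots := newCert(1), x509.NewCertPool() // test server identity and client trust
	roots.AddCert(srv.Leaf)
	var current atomic.Pointer[tls.Certificate] // stands in for the on-disk reloader
	current.Store(newCert(100))
	cfg := &tls.Config{RootCAs: roots, ServerName: "localhost", MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		Certificates: []tls.Certificate{*current.Load()}} // static snapshot, copied once
	if useCallback { // when set, Certificates is ignored and this runs on every handshake
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return current.Load(), nil }
	}
	for i := range seen {
		c, s := net.Pipe() // in-memory connection, no network needed
		server := tls.Server(s, &tls.Config{Certificates: []tls.Certificate{*srv},
			ClientAuth: tls.RequireAnyClientCert, SessionTicketsDisabled: true})
		go tls.Client(c, cfg).Handshake()
		if seen[i] = -1; server.Handshake() == nil { // -1 marks a failed handshake
			seen[i] = server.ConnectionState().PeerCertificates[0].SerialNumber.Int64()
		}
		s.Close()
		current.Store(newCert(200)) // rotation: the reloader publishes a new certificate
	}
	return seen
}

func main() { fmt.Println(serialsAcrossRotation(false), serialsAcrossRotation(true)) }
```

A result where the second serial equals the first means the rotated certificate never reached the wire, which is the behaviour this issue reports for the gRPC client path.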