advancedtls: unable to configure TLS config #5667
Comments
@ZhenLian : Do you mind taking a look at this? |
Ping @ZhenLian |
I have identified an issue that I would like to ensure is looked after here. If RequireClientCert is true then we set the
I would like to use the options |
Sorry, I was just back from a long vacation. @RonanMacF The CRL feature is configured using RevocationConfig (https://github.com/grpc/grpc-go/blob/master/security/advancedtls/advancedtls.go#L207). It seems public. Do you mind giving me a pointer showing which part is private? |
For the second issue, it sounds like a bug there but would you mind raising another issue in Github, so I could keep track of it? I will take a closer look when I get a chance. Thank you so much! |
Hi Zhen, sorry for the delay. Revocation is no problem, works as expected and all is good there. The problem is the *tls.Config. Here you can see the *tls.Config is private. Here you can see it is initialised within the advancedtls package. Here is where it is created in the package. To summarise: The second issue is tightly related to the above and will likely be fixed by it, do you think it is still required? Overriding user-set values with less secure values doesn't seem like something that would happen (or shouldn't at least). |
Ping @ZhenLian |
Sorry for the late response. I wanted to raise this in an internal design meeting but never got a chance, so I will put my thoughts here: @RonanMacF are |
Hiding configurable attributes in an 'advanced' package seems like an odd way to go about things. Seems like it should be the opposite where the advanced package gives enhanced customizability which most users don't need. |
Yes, currently in advancedtls we only support @dfawley I will put together a PR once you get a chance to reply. Thank you! |
Just a thought, would it be useful or too confusing if the pkg provides a variant of |
I made the PR to add min/max version options to advanced tls: #5797 |
Thanks Zhen, this is a step in the right direction but still requires me to use a forked version of the package to get proper TLS usage. Is a PR underway for the other issues, in particular the |
I see. Under the current structure, we can't add |
+1 on supporting some important TLS attributes such as |
+1 to support If I understand, it looks like #5797 is 98% done..? @ZhenLian do you foresee yourself picking the PR back up, else I can find some time to polish it up. Related to this, I'd like to support |
Adding an "TlsVersionOption" for users to select their desired min/max TLS versions, if advanced TLS is used, per request by grpc#5667 RELEASE NOTES: security/advancedtls: add min/max TLS version selection options
Is there any plan to support CipherSuites in advancedtls package similar to the min/max version? |
@mudhireddy Added CipherSuites in #7269. |
@matthewstevenson88 Can this be closed? Or is there more to do here? |
Thanks @dfawley, yes this can be closed. |
grpc/credentials/tls.go provides a function which takes a *tls.Config and returns TransportCredentials. This allows the server to configure some important TLS attributes such as MinVersion and CipherSuites. I am now looking to use advancedtls to give CRL capabilities, however the config field here is private and created only by the NewServerCreds function. Following how this config is made I do not see any way to configure these fields in the advancedtls tls.Config field. I think it would be good to have this exposed or have a function which takes this as a parameter.
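As an added example (not code from grpc-go or from anyone in this thread), this is the kind of server *tls.Config the issue wants advancedtls to accept, together with an in-memory check, using only crypto/tls, that the MinVersion floor and the CipherSuites list really do reject weaker offers. The names HardenedServerConfig, ProbeClient and Handshake and the throwaway self-signed certificate are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA certificate (constructed demo material, fresh each run).
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// HardenedServerConfig is the kind of *tls.Config the issue wants to hand to credentials.NewTLS:
// a TLS 1.2 floor plus an explicit AEAD-only suite list (CipherSuites governs TLS 1.2 only; crypto/tls
// fixes the TLS 1.3 suites). Tickets are off only to keep the synchronous net.Pipe demo free of post-handshake writes.
func HardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		CipherSuites:           []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
		SessionTicketsDisabled: true,
	}
}

// ProbeClient offers exactly the given version range and suites; verification is skipped
// because only the server's policy is under test, not the throwaway certificate.
func ProbeClient(min, max uint16, suites []uint16) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, MinVersion: min, MaxVersion: max, CipherSuites: suites}
}

// Handshake runs one in-memory handshake over net.Pipe; nil means the server accepted the client's offer.
func Handshake(server, client *tls.Config) error {
	sConn, cConn := net.Pipe()
	defer func() { sConn.Close(); cConn.Close() }()
	done := make(chan error, 1)
	go func() { done <- tls.Server(sConn, server).Handshake() }()
	cErr := tls.Client(cConn, client).Handshake()
	if sErr := <-done; sErr != nil {
		return sErr // the server's own rejection reason takes precedence
	}
	return cErr
}
```

A TLS 1.1-only client and a TLS 1.2 client offering only a CBC suite are both refused, while TLS 1.3 and a default TLS 1.2 client negotiate an AEAD suite.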