Skip to content

Provide restricted TLS configurations #513

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 15, 2019
Merged

Provide restricted TLS configurations #513

merged 2 commits into from
Jul 15, 2019

Conversation

@glbrntt
Copy link
Collaborator

@glbrntt glbrntt commented Jul 12, 2019

Motivation:

Providing TLS configuration is difficult without prior knowledge since
one must provide the application protocols identifiers for ALPN. In
addition the default minimum TLS version provided by NIOs
TLSConfiguration is lower than that specified by the gRPC protococl.

Modifications:

Add TLS configuration for both server and client which defaults which
better align to gRPC.

Add shims marking the old APIs as deprecated.

Result:

TLS is easier to configure.

@glbrntt
Provide restricted TLS configurations
a17d01c 
Motivation:

Providing TLS configuration is difficult without prior knowledge since
one must provide the application protocols identifiers for ALPN. In
addition the default minimum TLS version provided by NIOs
TLSConfiguration is lower than that specified by the gRPC protococl.

Modifications:

Add TLS configuration for both server and client which defaults which
better align to gRPC.

Add shims marking the old APIs as deprecated.

Result:

TLS is easier to configure.
kevints
kevints reviewed Jul 12, 2019
View reviewed changes
Sources/GRPC/Shims.swift
// TODO: Remove these shims before v1.0.0 is tagged.

extension ClientConnection.Configuration {
@available(*, deprecated, message: "use 'tls' and 'ClientConnection.Configuration.TLS'")
Copy link
Contributor

@kevints kevints Jul 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use a renamed: attribute here to get Xcode to suggest a migration fixit

Copy link
Collaborator Author

@glbrntt glbrntt Jul 12, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's a different type (albeit a very similar one) instead of a direct rename so this seemed more appropriate

Copy link
Collaborator

@MrMage MrMage Jul 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not delete it altogether right away, given that we are not at 1.0 yet?

Copy link
Collaborator Author

@glbrntt glbrntt Jul 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could, this makes it's easier to fix for anyone who is using the currently tagged version though.

MrMage
MrMage approved these changes Jul 15, 2019
View reviewed changes
Sources/GRPC/Shims.swift
// TODO: Remove these shims before v1.0.0 is tagged.

extension ClientConnection.Configuration {
@available(*, deprecated, message: "use 'tls' and 'ClientConnection.Configuration.TLS'")
Copy link
Collaborator

@MrMage MrMage Jul 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not delete it altogether right away, given that we are not at 1.0 yet?

Sources/GRPC/TLSConfiguration.swift Outdated
/// TLS configuration for a `ClientConnection`.
///
/// Note that this configuration is a subset of `NIOSSL.TLSConfiguration` where certain options
/// are removed from the users control to ensure the configuration complies with the gRPC
Copy link
Collaborator

@MrMage MrMage Jul 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

super-nit: user's

Sources/GRPC/TLSConfiguration.swift
trustRoots: trustRoots,
certificateChain: certificateChain,
privateKey: privateKey,
applicationProtocols: GRPCApplicationProtocolIdentifier.allCases.map { $0.rawValue }
Copy link
Collaborator

@MrMage MrMage Jul 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, which identifiers does this include again?

Copy link
Collaborator Author

@glbrntt glbrntt Jul 15, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Off the top of my head: "h2" and "grpc-ext"

glbrntt
glbrntt commented Jul 15, 2019
View reviewed changes
@MrMage MrMage merged commit 04227ec into grpc:nio Jul 15, 2019
@glbrntt glbrntt deleted the tls-configuration branch August 5, 2020 09:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MrMage MrMage MrMage approved these changes

+1 more reviewer

@kevints kevints kevints left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@glbrntt @MrMage @kevints