New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for dynamic SSL on the client side #15735
Comments
We are definitely happy to review PRs that implement this, as we have on the server side. I don't foresee we'll have resources in immediate term to tackle this problem ourselves though. |
@jiangtaoli2016 Hi, any updates? It looks like SPIFFE set of patches on master still does not support client-side reloading. |
@yihuazhang Hi, can you chime in, please? |
@euroelessar Yes, in both SSL and SPIFFE implementation, we do not support client-side credential reload now. The client when creating a channel needs to provision a valid certificate which will be used throughout the life time of the connection. Do you know if gRPC Java and Go support client-side reloading? I am not sure if we want to change the existing behavior but if do, I would like to have gRPC Java and Go to agree on the design. Maybe creating a gRFC will be a good start. |
@yihuazhang Feel free to correct me, but grpc/proposal#98 does not specify that ability to reload key material is a property of the server, therefore this proposal covers both client and server. gRPC-Go currently supports it by providing generic |
@euroelessar I am trying to understand the use-case for "ability to reload key material" on the client side. As I see:
|
|
@euroelessar, Yes, you are right. grpc/proposal#98 does not restrict credential reload to be a server-only property. I still have a hard time justify your comment - "need an ability to reload a key material for newly established connections". In your PR (#16567), it seems to refresh the client side's SSL credential in More explanation will be appreciated. |
@yihuazhang Sure, let me provide a bit more details about our setup:
Please note that individual gRPC channel maps to multiple underlying TCP connections, and this connections are destroyed/created over time. While it's true that Please look at |
@euroelessar It is a valid use case to support credential reloading on the client side. |
What version of gRPC and what language are you using?
1.12.0 on Python
What operating system (Linux, Windows, …) and version?
Linux
What runtime / compiler are you using (e.g. python version or version of gcc)
Python 2.7.14
What did you do?
Try to use dynamic client side TLS certificates, in this case we are utilizing Hashicorp's Vault PKI backend to roll client certificates every 2 hours.
What did you expect to see?
Behaviour similar to Go's
tls.Config#GetClientCertificate
What did you see instead?
No support exists, though things seem to work until the variable you used for the client certificate is updated at the same time as the channel is being used. At that point this results in a deadline exceeded on the client side.
Anything else we should know about your project / environment?
I don't think so, let me know if you need further information. I'm pretty sure this requires a change similar to #12644 and #12689.
The text was updated successfully, but these errors were encountered: