TLS-PSK #24238

Closed
7hacker opened this issue Sep 24, 2020 · 11 comments

@7hacker

7hacker commented Sep 24, 2020

Is your feature request related to a problem? Please describe.

While using gRPC in resource-constrained, isolated environments, TLS with pre-shared keys (TLS-PSK) is preferable over TLS with certs. Using a proxy just to solve TLS-PSK can degrade performance.

Describe the solution you'd like

Extension of the Auth API to support TLS-PSK

Describe alternatives you've considered

TLS-PSK proxy over insecure gRPC services

@7hacker
Author

7hacker commented Oct 2, 2020

Hi, any updates on this feature request?

@jiangtaoli2016

We do not have any plan to support TLS-PSK now. We are busy re-designing TLS API to support credential reloading, custom authorization callback, SPIFFE support, and so on.

@7hacker
Author

7hacker commented Oct 2, 2020

Thanks for the update. Does the custom authorization callback effort enable us to plug in a TLS-PSK backend?

@jiangtaoli2016

@7hacker could you describe more about TLS-PSK backend? It is hard for me to evaluate.

@7hacker
Author

7hacker commented Oct 2, 2020

@jiangtaoli2016 sure, just spitballing here since I'm not clear on the custom auth callback on gRPC either.

Essentially, can the custom callback defer to our implementation of TLS and we choose to use PSKs for authorization?

@jiangtaoli2016

Please take a look at new API at grpc/proposal#205 and see if it helps your use case.

@ZhenLian
Contributor

I think the proposed grpc/proposal#205 couldn't support TLS-PSK mode.
@jiangtaoli2016 do we support TLS-PSK in current gRPC stack? If not, supporting it in gRPC would be a non-trivial amount of effort: we need to design the API, pass it down and finally to the appropriate OpenSSL lib.
For now I would suggest using TLS with certs, or taking the alternative of using the proxy.

@jiangtaoli2016

We do not support TLS-PSK in grpc core now. We do support session resumption in gRPC core and wrapped languages.

@stale

stale bot commented Jan 17, 2021

This issue/PR has been automatically marked as stale because it has not had any update (including commits, comments, labels, milestones, etc.) for 30 days. It will be closed automatically if no further update occurs in 7 days. Thank you for your contributions!

@ZhenLian
Contributor

I will close this issue, but feel free to reopen if anything else was brought up.

@scali-at-amazon

So not to be too much of a necromancer, but I was wondering what kind of progress was made in the TLS redesign, and whether support for TLS-PSK is back on the table.
