New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use cached grpc ssl credential for ObjC library #18336
Conversation
include/grpc/grpc_security.h
Outdated
@@ -191,6 +191,12 @@ typedef struct { | |||
try to get the roots set by grpc_override_ssl_default_roots. Eventually, | |||
if all these fail, it will try to get the roots from a well-known place on | |||
disk (in the grpc install directory). | |||
|
|||
It is a known issue that when the default root certificates are offered | |||
with this parameter, occasionally an excessive amount of memory (~10MB) is |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is inaccurate and misleading. The root cert store is ~1MB. But gRPC opens multiple subchannels, each subchannel has its own SSL context and root store.
I would rephrase as
gRPC has implemented root certificates cache if the underlying OpenSSL library supports it. The gRPC root certificates cache is only applicable on the default root certificates. If user provides his or her own pem_root_certs when creating an SSL credential object, gRPC would not be able to cache it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good :) I'll rephrase
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
include/grpc/grpc_security.h
Outdated
it. The gRPC root certificates cache is only applicable on the default | ||
root certificates, which is used when this parameter is nullptr. If user | ||
provides their own pem_root_certs, when creating an SSL credential object, | ||
gRPC would not be able to cached it, and each subchannel will generate a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/cached/cache/
Thanks much @muxi for quick fix! |
gRPC ObjC library had been reading the default pem file's contents and feed them into
grpc_ssl_credential_create
, caused multiple apps to crash due to excessive memory usage. This PR changes the usage ofgrpc_ssl_credential_create
to use the cached credentials which is more preferable and avoid further crashes.