Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use cached grpc ssl credential for ObjC library #18336

Merged
merged 1 commit into from Mar 12, 2019
Merged

Use cached grpc ssl credential for ObjC library #18336

merged 1 commit into from Mar 12, 2019

Conversation

muxi
Copy link
Member

@muxi muxi commented Mar 12, 2019
edited

gRPC ObjC library had been reading the default pem file's contents and feed them into grpc_ssl_credential_create, caused multiple apps to crash due to excessive memory usage. This PR changes the usage of grpc_ssl_credential_create to use the cached credentials which is more preferable and avoid further crashes.

@muxi muxi added lang/ObjC release notes: yes Indicates if PR needs to be in release notes labels Mar 12, 2019
@muxi muxi mentioned this pull request Mar 12, 2019
Closed
jiangtaoli2016
jiangtaoli2016 reviewed Mar 12, 2019
View reviewed changes
include/grpc/grpc_security.h Outdated
@@ -191,6 +191,12 @@ typedef struct {
try to get the roots set by grpc_override_ssl_default_roots. Eventually,
if all these fail, it will try to get the roots from a well-known place on
disk (in the grpc install directory).

It is a known issue that when the default root certificates are offered
with this parameter, occasionally an excessive amount of memory (~10MB) is
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is inaccurate and misleading. The root cert store is ~1MB. But gRPC opens multiple subchannels, each subchannel has its own SSL context and root store.

I would rephrase as

gRPC has implemented root certificates cache if the underlying OpenSSL library supports it. The gRPC root certificates cache is only applicable on the default root certificates. If user provides his or her own pem_root_certs when creating an SSL credential object, gRPC would not be able to cache it.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

looks good :) I'll rephrase

dapengzhang0
dapengzhang0 approved these changes Mar 12, 2019
View reviewed changes
Copy link
Member

@dapengzhang0 dapengzhang0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

include/grpc/grpc_security.h Outdated
it. The gRPC root certificates cache is only applicable on the default
root certificates, which is used when this parameter is nullptr. If user
provides their own pem_root_certs, when creating an SSL credential object,
gRPC would not be able to cached it, and each subchannel will generate a
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/cached/cache/

@jiangtaoli2016
Copy link

Thanks much @muxi for quick fix!

@yang-g yang-g merged commit 5cfc1a6 into grpc:master Mar 12, 2019
@muxi muxi deleted the memory-issue branch March 12, 2019 23:13
@lock lock bot locked as resolved and limited conversation to collaborators Jun 11, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@dapengzhang0 dapengzhang0 dapengzhang0 approved these changes

@jiangtaoli2016 jiangtaoli2016 jiangtaoli2016 approved these changes

Assignees

@dapengzhang0 dapengzhang0

Labels
lang/ObjC release notes: yes Indicates if PR needs to be in release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@muxi @jiangtaoli2016 @dapengzhang0 @yang-g