Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[tls] Backport - Remove use of SSL_CTX_set_client_CA_list for TLS server credentials. #33583

Merged
merged 2 commits into from Jul 5, 2023
Merged

[tls] Backport - Remove use of SSL_CTX_set_client_CA_list for TLS server credentials. #33583

merged 2 commits into from Jul 5, 2023

Conversation

matthewstevenson88
Copy link
Contributor

See #33558.

@matthewstevenson88
[tls] Remove use of SSL_CTX_set_client_CA_list for TLS server credent…
1c94707 
…ials. (grpc#33558)

This PR does the following: for the TLS server credentials, stops
calling `SSL_CTX_set_client_CA_list` by default in
`ssl_transport_security.cc`, and gives users a knob to re-enable calling
this API.

When this API is called, a gRPC TLS server sends the following data in
the ServerHello: for each certificate in the server's trust bundle, the
CA name in the certificate.

This API does not change the set of certificates trusted by the server
in any way. Rather, it is just providing a hint to the client about what
client certificate should be sent to the server.

default for the TLS server credentials?

Removing the use of this API by default has 2 benefits:
1. Calling this API makes gRPC TLS unusable for servers with a
sufficiently large trust bundle. Indeed, if the server trust bundle is
too large, then the server will always fail to build the ServerHello.
2. Calling this API is introducing a huge amount of overhead (1000s of
bytes) to each ServerHello, so removing this feature will improve
connection establishment latency for all users of the TLS server
credentials.
@matthewstevenson88 matthewstevenson88 added area/security release notes: yes Indicates if PR needs to be in release notes labels Jun 30, 2023
@matthewstevenson88 matthewstevenson88 self-assigned this Jun 30, 2023
@matthewstevenson88 matthewstevenson88 marked this pull request as ready for review June 30, 2023 22:39
@matthewstevenson88 matthewstevenson88 merged commit 53e637c into grpc:v1.56.x Jul 5, 2023
64 of 65 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yijiem yijiem yijiem approved these changes

Assignees

@matthewstevenson88 matthewstevenson88

Labels
area/security bloat/none lang/c++ lang/core lang/ruby per-call-memory/neutral per-channel-memory/neutral release notes: yes Indicates if PR needs to be in release notes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@matthewstevenson88 @yijiem @grpc-kokoro