feat(transport): Add support client mTLS #77
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jen20
force-pushed
the
jen20/mutual-tls-simple-config
branch
2 times, most recently
from
45e9c70
to
9650642
Compare
jen20
force-pushed
the
jen20/mutual-tls-simple-config
branch
2 times, most recently
from
4d794e8
to
a9e10e4
Compare
LucioFranco
reviewed
Oct 18, 2019
jen20
force-pushed
the
jen20/mutual-tls-simple-config
branch
from
a9e10e4
to
1d9f746
Compare
LucioFranco
reviewed
Oct 21, 2019
LucioFranco
reviewed
Oct 22, 2019
| }; | ||
| let mut client_root_cert_store = tokio_rustls::rustls::RootCertStore::empty(); | ||
| match client_root_cert_store.add_pem_file(&mut cert) { | ||
| Err(_) => return Err(Box::new(TlsError::CertificateParseError)), |
There was a problem hiding this comment.
do we want to attach the error message here?
There was a problem hiding this comment.
I'll update this - we likely do want the error message.
There was a problem hiding this comment.
Only kidding... the error type is ().
LucioFranco
reviewed
Oct 22, 2019
This commit adds a simple API for specifying the TLS certificate a GRPC client will present (via the same `Identity` wrapper as a server cert is configured). It also adds an API to specify which CA certificate client TLS certificates will be validated against for servers. To demonstrate usage, a new example `tls_client_auth` is added, using OpenSSL for the client and Rustls for the server.
jen20
force-pushed
the
jen20/mutual-tls-simple-config
branch
from
1d9f746
to
5e9a073
Compare
|
OK, I think these are all resolved! |
LucioFranco
approved these changes
Oct 22, 2019
LucioFranco
changed the title
rabbitinspace
pushed a commit
to satelit-project/tonic
that referenced
this pull request
Jan 1, 2020
This commit adds a simple API for specifying the TLS certificate a GRPC client will present (via the same `Identity` wrapper as a server cert is configured). It also adds an API to specify which CA certificate client TLS certificates will be validated against for servers.
brentalanmiller
pushed a commit
to brentalanmiller/tonic
that referenced
this pull request
Oct 6, 2023
* Add regression test for hyperium#77 * Fix handshake alert * Fix style
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds a simple API for specifying the TLS certificate a gRPC client will present (via the same
Identitywrapper as a server cert is configured). It also adds an API to specify which CA certificate client TLS certificates will be validated against for servers.To demonstrate usage, a new example
tls_client_authis added. In order to implement this, new test certificates are added to thedatadirectory oftonic-examples. Currently only one of the two added client certificates is used, the other is intended for future work but since it was issued by the same CA, it's helpful to add it now.Some of the code for loading certificates and private keys previously existed in the
TlsAcceptorclass - this has been factored out to a new module so it can be reused byTlsConnectoralso.Currently this is only implemented for
rustls- an OpenSSL implementation will follow on this PR shortly.