-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow passing in a custom rustls ClientConfig to Channel #891
Comments
I wonder if we could use hyper's connector trait bounds for this? If we just require |
For now I would suggest following this example #968 this will currently work with |
That example involves quite a bit of code compared to using a |
[ci skip-build-wheels]
While I do agree the ergonomics are not as good, tying tonic to rustls releases is not feasible either. Currently, the |
Somewhat related to no longer being able to use a custom Specifically if i'm relying on the fact that // let tls_config = ... some custom rustls ServerConfig
let listener = tokio_stream::wrappers::TcpListenerStream::new(
tokio::net::TcpListener::bind("localhost:0")?,
);
let tls_acceptor = TlsAcceptor::from(Arc::new(tls_config));
let listener = listener.and_then(move |stream| tls_acceptor.accept(stream));
let greeter = MyGreeter::default();
let server = Server::builder()
.add_service(GreeterServer::new(greeter));
// Requires that TlsStream impls `Connected`
server.serve_with_incoming(listener).await; Then when tonic bumps its internal rustls version and does a patched release you could break code out in the wild. Of course I may also be misunderstanding what would constitute a semver breaking change given this would be a somewhat obscure breakage. |
Thanks @bmwill that was missed, the next breaking release will remove that impl. |
Damn this is tough to keep up with. I'm updating a cli application that needs to be able to consume a In the application I'm updating when This facility shouldn't have been removed without an alternative. I'm digging through https://github.com/hyperium/tonic/blob/master/examples/src/tls/client_rustls.rs to see how & whether I can integrate it; but this is a surprising upset in API stability, especially with no observable deprecation period & no discernable communication on the public documentation of a migration path. I get that your semver leads with Thank you for your stewardship of these libraries. They're no small part of why I love Rust! |
Hey! @kvc0 I appreciate the feedback and I do agree there should be more proper paths for migrations and deprecations etc. That said, as you mentioned this project is still below 1.0 and with some of the other work around That said, I don't believe hyper has bumped a major version in a while so the older versions of tonic should continue to work. If you are interested in helping out smooth the API and write some guides I would totally accept some PRs. In addition, the plan moving forward for how people will use tonic will look closer to the rustls examples that use hyper directly as the |
I've updated the example here with a more ergonomic change #1017 should make using hyper directly much easier. |
Are there any recommendations for gRPC friendly default values for setting up Hyper and rustls? |
Hey, this is a double problem to me: first that you removed it, second that if this issue is resolved it'll be past my MSRV. So I ask to allow backporting whatever the fix for this will be. As for possible solutions to not tie
Please also note that we're literally having a DoS vulnerability because of being unable to upgrade. Thankfully it shouldn't be a big deal since if an attacker can spoof certificate he can just DoS by cutting the connection but it's still annoying. It may be a good reason to at least put it back until a proper solution is found. |
In case it will help any one, for the https://github.com/pantsbuild/pants project, I wrote a bridge between |
I've thought about this quite a bit but I don't think it's feasible. There are too many changes happening that involve configuration for now. |
@djc thanks a lot for giving it a thought! |
It would be great to be able to pass a Rustls For example, I'd like to rely on a The tonic Rustls client example looks like it will work this purpose, but it feels weird to use gRPC without building and reusing |
@lvkv: The earlier comment #891 (comment) which links to code which allows integrating Tonic and Rustls may be of interest to you. |
@tdyas Thanks for the pointer, I'm definitely looking into this as an alternative. However, I'm also interested in the cheap clone interface offered by the proper
I'm sure I could plop a Edit: I just realized that plopping a |
I'm also trying to pass a custom rustls config to my tonic Client, namely to use rustls_platform_verifier instead of the default ClientTlsConfig. following the example linked in this thread, I'm able to make it work with the following code
This works, but this forces me to pass specifically the hyper_util client with https everywhere, instead of a tonic Channel abstraction. Now I noticed it is also possible to create a tonic Channel with the same https connector, like this:
But in this case the connection fails with I fail to understand what the hyper_util Client does that the tonic Channel doesn't. |
@joune: fyi this "Channel" implementation in another project may be of value: https://github.com/pantsbuild/pants/blob/76ef3e4f83dc99075bb205d1fdc6a6011e501dce/src/rust/engine/grpc_util/src/channel.rs It is initialized with a |
thanks @tdyas 👍 |
I had been using a custom connector with the build-in |
I just ran into this very issue. Specifically the problem is, when using a custom connector [1] and an
https://gist.github.com/shikhar/2677ca111e82b2a8ebfbada2d2bf1582 "fixes" this problem. What do maintainers think about getting rid of this error? [1] |
I think your diff has tonic silently fall back to plaintext HTTP in case of a misconfiguration? That seems like a non-starter. IMO the integration crate proposed by @bmwill is probably the right approach for this kind of stuff. There might also be a change in the future when the internal transport offered by tonic is rethought. |
My assumption is that the main reason that the Until the project decides to rethink how |
That's fair, I found an alternate approach that is much better: #2015 |
I created tonic-tls for this. You can pass Rustls configs to tonic via incoming stream. You can use native-tls as well. |
cc @ipetr0v @conradgrobler @djc @LucioFranco
Originally posted by @tiziano88 in #859 (comment)
The text was updated successfully, but these errors were encountered: