Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support custom rustls crypto provider in TlsAcceptor / TlsConnector and ServerTlsConfig / ClientTlsConfig #1569

Closed
janrueth opened this issue Nov 14, 2023 · 1 comment
Closed

Support custom rustls crypto provider in TlsAcceptor / TlsConnector and ServerTlsConfig / ClientTlsConfig #1569

janrueth opened this issue Nov 14, 2023 · 1 comment

Comments

@janrueth
Copy link

janrueth commented Nov 14, 2023
edited
Loading

Feature Request

Crates

tonic crate in the transport module

Motivation

rustls 0.22.0 introduces custom crypto providers (see #1509).
This allows plugging in different crypto providers.

While there are examples already on how to use rustls circumventing the built-in tls feature, and they can be easily extended to utilize a custom crypto provider, it would be very convenient if one were able to simply pass the provider to the Server/ClientTlsConfig structs.

Supporting custom providers enables a simple path to using tonic in environments where for example FIPS certification of the crypto libraries is required by plugging in a rustls fips-compliant crypto provider.

Proposal

Here is an example for a client to utilize a custom provider: https://github.com/rustls/rustls/blob/main/provider-example/examples/client.rs

In essence, the TlsConnector and TlsAcceptor today call: ClientConfig::builder() and ServerConfig::builder(), see:

tonic/tonic/src/transport/service/tls.rs

Line 35 in 522a8d7

let builder = ClientConfig::builder().with_safe_defaults();

tonic/tonic/src/transport/service/tls.rs

Line 110 in 522a8d7

let builder = ServerConfig::builder().with_safe_defaults();

I propose moving the current code in the new methods to a with_opt_provider constructor, changing these methods to accepting an optional reference to a crypto provider and when this is given calling ::builder_with_provider() with the provided provider, thus enabling the provider.
The new constructors than continues to provide the same API and can simply call with_opt_provider, providing None for the optional provider.

Additionally, enabling to specify the provider in ServerTlsConfig / ClientTlsConfig (a rustls_provider() method) would then allow to expose this to the user as part of the tls feature by calling with_opt_provider in tls_acceptor / tls_connector

Alternatives

Directly accept the optional provider on the new methods. Drawback, API changes.
@hex1c hex1c mentioned this issue Jan 30, 2024
Closed
@LucioFranco
Copy link
Member

Related conversation #1615 closing since these are both duplicates.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@janrueth @LucioFranco