gRPC C++ in iOS - Trying to figure out how to implement SSL/TLS


Vitor Travain

Apr 8, 2022, 12:19:03 AM4/8/22
to grpc.io
Hi!

Asking the engineers here to see if I understood it correctly.
In our project we use a shared library built in C++ that we share across iOS/Android for shared synchronisation code (and that uses gRPC C++).
We're trying to make sure TLS is implemented properly over the gRPC channels we create, especially under proxies/VPNs.

From what I understand, the channel would take in the result of grpc::SslCredentials() that takes in options containing either `pem_cert_chain` (by documentation, the client certificate chain) or `pem_root_certs` (by documentation, the server certs).

Here are the questions:

1. As the client, am I supposed to provide the system certificate chain (and the installed certificates) in `pem_cert_chain` or `pem_root_certs`?
2. iOS applications are sandboxed. This means we do not have access to the system certificate chain (and the installed certificates) directly, so we cannot fill the properties there. However, we can use SecTrust from the native side to evaluate a received server certificate against the installed certificate chain. From what I understand grpc::SslCredentials() returns an object of type grpc::SecureChannelCredentials. Is the right way to go about this to inherit that class and then provide our own custom implementation of evaluating the server certificates by using the native API? Or would that be a rabbit hole? Is there any example of doing so? Note that we still want to use TLS/SSL as is; only the way we validate the certificates needs to be different.

Thanks!  

Denny Dai

Aug 3, 2022, 5:25:07 PM8/3/22
to grpc.io
For iOS, you can take a look at an example of our gRPC ObjC transport that implemented support for SSL/TLS (GRPCSecureChannelFactory). If you provide your own root cert, you can create the channel credential using grpc_ssl_credentials_create (or one of its newer variants) and then associate it with each new channel that you create.
You can find some usage examples of these in our interop test suites (e.g. InteropTestsLocalSSL). Hope this helps. 

Denny 

Vitor Travain

Aug 3, 2022, 5:38:05 PM8/3/22
to Denny Dai, grpc.io
If I’m on a proxied network though, providing a custom root certificate breaks down communications because essentially you are pinning the connection. 
Hence why for most systems it is just a matter of dynamically looking into the system-installed certificate chain and then using that, which unfortunately isn't available on Apple platforms.

That’s the problem we’re facing btw, some of our clients use a proxied environment and when they try to connect via proxy, the trusted certificate chain is different from the custom one embedded in the app which makes gRPC reject the connection. 

--
Vitor Travain
iOS Engineer
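For readers landing on this thread with the same problem, here is an added example (not code from the original posts, nor from the gRPC project) of the approach that avoids subclassing SecureChannelCredentials. Two facts from the gRPC C++ API frame it: in `grpc::SslCredentialsOptions`, `pem_root_certs` holds the roots the client trusts for the server, while `pem_cert_chain` and `pem_private_key` are the client's own identity for mutual TLS, so neither field can point at the platform trust store. The supported hook for custom validation is instead `grpc::experimental::TlsChannelCredentialsOptions` with `set_verify_server_certs(false)` and an `ExternalCertificateVerifier`, which receives the peer's PEM chain and target name and returns a `grpc::Status`. The verifier below bridges that callback to SecTrust, so system roots and any MDM/user-installed proxy roots are honoured, and optionally adds the app's own roots as extra anchors without pinning to them. The class and function names (`SecTrustVerifier`, `EvaluateWithSecTrust`, `MakeSecTrustChannelCredentials`) are my own; the example assumes gRPC C++ 1.41 or newer, iOS 12 or newer, ARC, and that the channel target is a DNS name such as `api.example.com:443`.

```objective-c++
// SecTrustVerifier.mm  (constructed example: gRPC C++ >= 1.41, iOS >= 12, ARC)
#import <Foundation/Foundation.h>
#include <Security/Security.h>
#include <grpcpp/grpcpp.h>
#include <grpcpp/security/tls_certificate_verifier.h>
#include <grpcpp/security/tls_credentials_options.h>
#include <string>

namespace {

// Split a PEM bundle into DER SecCertificateRefs. Caller releases the array.
CFArrayRef CertificatesFromPemChain(const std::string& pem) {
  CFMutableArrayRef certs = CFArrayCreateMutable(nullptr, 0, &kCFTypeArrayCallBacks);
  const std::string kBegin = "-----BEGIN CERTIFICATE-----";
  const std::string kEnd = "-----END CERTIFICATE-----";
  size_t pos = 0;
  while ((pos = pem.find(kBegin, pos)) != std::string::npos) {
    size_t start = pos + kBegin.size();
    size_t end = pem.find(kEnd, start);
    if (end == std::string::npos) break;
    NSString* b64 = [[NSString alloc] initWithBytes:pem.data() + start length:end - start
                                           encoding:NSASCIIStringEncoding];
    NSData* der = [[NSData alloc] initWithBase64EncodedString:b64
                                                      options:NSDataBase64DecodingIgnoreUnknownCharacters];
    if (der) {
      SecCertificateRef cert = SecCertificateCreateWithData(nullptr, (__bridge CFDataRef)der);
      if (cert) { CFArrayAppendValue(certs, cert); CFRelease(cert); }
    }
    pos = end + kEnd.size();
  }
  return certs;
}

// Strip ":port" from a target like "api.example.com:443" (assumption: DNS name, not an IPv6 literal).
std::string HostOnly(grpc::string_ref target) {
  std::string s(target.data(), target.size());
  size_t colon = s.rfind(':');
  if (colon != std::string::npos &&
      s.find_first_not_of("0123456789", colon + 1) == std::string::npos) s.erase(colon);
  return s;
}

// Evaluate the chain against the platform trust store (system + MDM/user-installed roots)
// plus optional extra anchors. The SSL policy also checks the hostname for us.
bool EvaluateWithSecTrust(const std::string& pem_chain, const std::string& host,
                          CFArrayRef extra_anchors, std::string* reason) {
  CFArrayRef certs = CertificatesFromPemChain(pem_chain);
  if (CFArrayGetCount(certs) == 0) { CFRelease(certs); *reason = "no certificates in peer chain"; return false; }
  NSString* ns_host = [NSString stringWithUTF8String:host.c_str()];
  SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)ns_host);
  SecTrustRef trust = nullptr;
  bool ok = SecTrustCreateWithCertificates(certs, policy, &trust) == errSecSuccess;
  if (ok && extra_anchors) {
    SecTrustSetAnchorCertificates(trust, extra_anchors);
    SecTrustSetAnchorCertificatesOnly(trust, false);  // keep system anchors: extra roots, not pinning
  }
  CFErrorRef error = nullptr;
  ok = ok && SecTrustEvaluateWithError(trust, &error);
  if (!ok) {
    NSString* desc = error ? [(__bridge NSError*)error localizedDescription]
                           : @"SecTrustCreateWithCertificates failed";
    *reason = desc.UTF8String;
  }
  if (error) CFRelease(error);
  if (trust) CFRelease(trust);
  CFRelease(policy);
  CFRelease(certs);
  return ok;
}

}  // namespace

// Synchronous verifier: gRPC hands over the peer chain in PEM, SecTrust gives the verdict.
class SecTrustVerifier : public grpc::experimental::ExternalCertificateVerifier {
 public:
  explicit SecTrustVerifier(CFArrayRef extra_anchors) : anchors_(extra_anchors) { if (anchors_) CFRetain(anchors_); }
  ~SecTrustVerifier() { if (anchors_) CFRelease(anchors_); }

  bool Verify(grpc::experimental::TlsCustomVerificationCheckRequest* request,
              std::function<void(grpc::Status)> /*callback*/, grpc::Status* sync_status) override {
    grpc::string_ref chain_ref = request->peer_cert_full_chain();
    if (chain_ref.empty()) chain_ref = request->peer_cert();  // fall back to the leaf if no chain was exposed
    std::string chain(chain_ref.data(), chain_ref.size());
    std::string reason;
    if (EvaluateWithSecTrust(chain, HostOnly(request->target_name()), anchors_, &reason)) {
      *sync_status = grpc::Status::OK;
    } else {
      *sync_status = grpc::Status(grpc::StatusCode::UNAUTHENTICATED, "SecTrust rejected peer: " + reason);
    }
    return true;  // verdict delivered synchronously through sync_status
  }
  void Cancel(grpc::experimental::TlsCustomVerificationCheckRequest*) override {}

 private:
  CFArrayRef anchors_;
};

// Channel credentials that turn off gRPC's own root-store check and defer to SecTrust.
std::shared_ptr<grpc::ChannelCredentials> MakeSecTrustChannelCredentials(CFArrayRef extra_anchors) {
  grpc::experimental::TlsChannelCredentialsOptions options;
  options.set_verify_server_certs(false);  // built-in verification off; SecTrustVerifier decides
  options.set_certificate_verifier(
      grpc::experimental::ExternalCertificateVerifier::Create<SecTrustVerifier>(extra_anchors));
  return grpc::experimental::TlsCredentials(options);
}

// Usage (pass a CFArrayRef of SecCertificateRefs instead of nullptr to add app-shipped roots):
// auto channel = grpc::CreateChannel("api.example.com:443", MakeSecTrustChannelCredentials(nullptr));
```

Two caveats when adopting this. Setting a custom verifier replaces gRPC's default hostname verifier, which is why the SSL policy is created with the channel's host: a verifier that only checks chain validity and not the name would accept any valid certificate from any site. And because `set_verify_server_certs(false)` disables the built-in trust check entirely, the hand-off should be confirmed on a test network with an interposing proxy whose root is installed on the device: the channel should connect there, and should fail with `UNAUTHENTICATED` on a proxy whose root is not installed.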
