[grpc][c++] TOFU grpc client

anzor.ap...@gmail.com

Oct 26, 2017, 10:27:52 AM
to grpc.io
Hi all,
We are using self-signed certificates for enabling TLS between servers and clients. For that we create credentials for the C++ server like this:

    // readContent is the poster's own helper: it reads a file into a std::string.
    std::shared_ptr<grpc::ServerCredentials> GetServerCredentials()
    {
        // The server's private key and its self-signed certificate, both PEM-encoded.
        grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp;
        pkcp.private_key = readContent("certs\\private.pem");
        pkcp.cert_chain = readContent("certs\\public.crt");

        grpc::SslServerCredentialsOptions ssl_opts;
        ssl_opts.pem_key_cert_pairs.push_back(pkcp);

        std::shared_ptr<grpc::ServerCredentials> creds = grpc::SslServerCredentials(ssl_opts);
        return creds;
    }

On the C++ client side we specify the server's self-signed certificate in pem_root_certs to make it work.

    std::shared_ptr<grpc::ChannelCredentials> GetClientCredentials()
    {
        grpc::SslCredentialsOptions ssl_opts;
        // The server's self-signed certificate acts as the only trusted root.
        ssl_opts.pem_root_certs = readContent("certs\\public.crt");
        auto creds = grpc::SslCredentials(ssl_opts);
        return creds;
    }

The problem is, our clients don't know the servers' certificates in advance. We ship boxed software; we don't have control over app deployment, and our software usually works in restricted networks without internet access.
We see that Trust-On-First-Use is a good option for us, but we failed to find any info on how it can be implemented for a C++ gRPC client.

OpenSSL has SSL_CTX_set_verify, which can be used to implement this. Is there a similar callback for gRPC?

What is the best way to implement TOFU for grpc client?

Thanks in advance!
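The pin store that a TOFU client needs behind whichever verification callback it ends up using, as an added example that is not from the original post or from gRPC itself. It assumes the caller already has a hex fingerprint of the server's leaf certificate (e.g. SHA-256 over the DER bytes) and a peer key such as "host:port"; persistence goes through any stream, a file in practice.

```cpp
#include <cctype>
#include <istream>
#include <map>
#include <ostream>
#include <sstream>
#include <string>

// Outcome of a Trust-On-First-Use check for one peer.
enum class TofuResult { FirstUse, Match, Mismatch };

// Canonical fingerprint form: lowercase hex without separators, so that
// "AB:CD" and "abcd" compare equal regardless of how the hash was rendered.
std::string NormalizeFingerprint(const std::string& fp) {
    std::string out;
    for (unsigned char c : fp)
        if (std::isxdigit(c)) out += static_cast<char>(std::tolower(c));
    return out;
}

class TofuPinStore {
public:
    // Core TOFU decision. Unknown peer: remember its fingerprint and accept.
    // Known peer: accept only if the fingerprint equals the one pinned earlier.
    TofuResult Check(const std::string& peer, const std::string& fingerprint) {
        const std::string fp = NormalizeFingerprint(fingerprint);
        auto it = pins_.find(peer);
        if (it == pins_.end()) { pins_[peer] = fp; return TofuResult::FirstUse; }
        return it->second == fp ? TofuResult::Match : TofuResult::Mismatch;
    }
    // Explicit, operator-driven reset after a verified certificate rotation;
    // a Mismatch must never silently re-pin, or the scheme degrades to "trust always".
    void Forget(const std::string& peer) { pins_.erase(peer); }
    // Persist as "peer fingerprint" lines (peer keys contain no whitespace).
    void SaveTo(std::ostream& os) const {
        for (const auto& kv : pins_) os << kv.first << ' ' << kv.second << '\n';
    }
    void LoadFrom(std::istream& is) {
        std::string peer, fp;
        while (is >> peer >> fp) pins_[peer] = NormalizeFingerprint(fp);
    }
    std::size_t size() const { return pins_.size(); }
private:
    std::map<std::string, std::string> pins_;
};

// What the verification callback answers: true accepts the handshake,
// false aborts it. Only a changed fingerprint is rejected.
bool AcceptPeer(TofuPinStore& store, const std::string& peer, const std::string& fp) {
    return store.Check(peer, fp) != TofuResult::Mismatch;
}
```

Current gRPC C++ releases expose a custom certificate verifier hook (grpc::experimental::ExternalCertificateVerifier, declared in grpcpp/security/tls_certificate_verifier.h) from which AcceptPeer can be called with the peer certificate's fingerprint; that hook did not exist at the time of this 2017 post.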