Asking the engineers here to see if I understood it correctly.
In our project we use a shared library built in C++ that we share across iOS/Android for shared synchronisation code (and that uses gRPC C++).
We're trying to make sure TLS is implemented properly over the gRPC channels we create, especially under proxies/VPNs.
From what I understand, the channel would take in the result of grpc::SslCredentials() that takes in options containing either `pem_cert_chain` (by documentation, the client certificate chain) or `pem_root_certs` (by documentation, the server certs).
Here are the questions:
1. As the client, am I supposed to provide the system certificate chain (and the installed certificates) into `pem_cert_chain` or `pem_root_certs`?
2. iOS applications are sandboxed. This means we do not have access to the system certificate chain (and the installed certificates) directly so we can fill the properties there. However, we can use SecTrust
from the native side to evaluate a received server certificate against the installed certificate chain. From what I understand grpc::SslCredentials() returns an object of type grpc::SecureChannelCredentials. Is the right way to go about this to inherit that class and provide then our own custom implementation of evaluating the server certificates by using the native API? Or would that be a rabbit hole? Is there any example of doing so? Note that we want still to use TLS/SSL as is, just the way we want to validate the certificates need to be different.