[grpc-io] Re: How to find boringSSL version in grpcio 1.21.1 ?
gRPC-python wraps gRPC-Core as they are in the same repo. So if you go to the specific git tag, e.g. https://github.com/grpc/grpc/tree/v1.58.0/third_party, you can find the commit of the BoringSSL dependency (boringssl-with-bazel ...). In this case of 1.58.0, it's https://github.com/google/boringssl/tree/2ff4b968a7e0cfee66d9f151cb95635b43dc1d5b.

On Thursday, September 14, 2023 at 10:36:15 AM UTC-7 Reena THOMAS wrote:
> And what is the BoringSSL version used there? How do we decipher it?
>
> On Wednesday, September 13, 2023 at 11:21:59 PM UTC+5:30 AJ Heller wrote:
>
>> I'm not entirely sure how to help you with such an old version. I'd
>> recommend trying with a more recent gRPC version, we are currently up to
>> version 1.58. https://pypi.org/project/grpcio/
>>
>> On Monday, September 11, 2023 at 3:40:12 AM UTC-7 Reena THOMAS wrote:
>>
>>> I am downloading the tar file from
>>> https://files.pythonhosted.org/packages/fb/d5/30bc142a40bb891c28739ec48c99730d20e5fb9cf9637036b4b52f70505b/grpcio-1.21.1.tar.gz
>>>
>>> , and ran "python setup.py install"
>>>
>>> I am unable to find a clear solution to know the BoringSSL version that is
>>> mapped to grpcio 1.21.1
>>>
>>> Is there a way to find it from the source code or from the above tar file?
>>> Any help will be appreciated
>>>
>>> Project: https://pypi.org/project/grpcio/1.21.1/#files
>>>

--
You received this message because you are subscribed to the Google Groups "grpc.io" group.
To unsubscribe from this group and stop receiving emails from it, send an email to grpc-io+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/44b8acae-0ba8-42d9-b007-b41be19695f3n%40googlegroups.com.
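The answer above gives the manual procedure: open the grpc/grpc tag and read the commit pinned for the third_party/boringssl-with-bazel submodule. The script below is an added example (not code from the thread or from the gRPC project) that automates the same lookup in two forms. For a git checkout it parses `git ls-tree <tag> third_party/boringssl-with-bazel`, whose submodule line git prints as `160000 commit <sha>\t<path>`. For a PyPI sdist, which carries no git metadata, it falls back to BoringSSL's own `BORINGSSL_API_VERSION` macro in the vendored `include/openssl/base.h`; that the sdist contains that header under a `third_party/boringssl*` directory is an assumption about the tarball layout, not something the thread states. The sample ls-tree line reuses the v1.58.0 commit quoted in the answer; the sample header and tarball are constructed inline so the example runs offline.

```python
"""Which BoringSSL revision is bundled with a given gRPC / grpcio release?

Added example, not from the mailing-list post or the gRPC project.
Assumptions (see lead-in): submodule path third_party/boringssl-with-bazel,
and a vendored include/openssl/base.h inside the sdist.
"""
import io
import re
import subprocess
import tarfile
from pathlib import Path
from typing import Optional

SUBMODULE_PATH = "third_party/boringssl-with-bazel"

# git prints a submodule entry as: "160000 commit <sha>\t<path>"
_LS_TREE_RE = re.compile(r"^160000 commit (?P<sha>[0-9a-f]{40})\t(?P<path>\S+)$", re.M)
# BoringSSL's include/openssl/base.h: "#define BORINGSSL_API_VERSION <n>"
_API_VERSION_RE = re.compile(r"^#define\s+BORINGSSL_API_VERSION\s+(\d+)\s*$", re.M)
# Vendored base.h under either directory name gRPC has used (assumption).
_BASE_H_RE = re.compile(r"third_party/boringssl[^/]*/src/include/openssl/base\.h$")


def parse_submodule_commit(ls_tree_output: str, path: str = SUBMODULE_PATH) -> Optional[str]:
    """Return the pinned submodule SHA for `path`, or None.

    Only mode-160000 'commit' entries match, so a tree where the dependency
    is vendored as plain files (blob/tree entries) yields None, not a bogus SHA.
    """
    for m in _LS_TREE_RE.finditer(ls_tree_output):
        if m.group("path") == path:
            return m.group("sha")
    return None


def boringssl_commit_for_tag(repo: Path, tag: str) -> Optional[str]:
    """Ask a local grpc/grpc checkout which BoringSSL commit `tag` pins."""
    out = subprocess.run(
        ["git", "-C", str(repo), "ls-tree", tag, SUBMODULE_PATH],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_submodule_commit(out)


def parse_api_version(base_h_text: str) -> Optional[int]:
    """Extract BORINGSSL_API_VERSION from the text of include/openssl/base.h."""
    m = _API_VERSION_RE.search(base_h_text)
    return int(m.group(1)) if m else None


def api_version_from_sdist(tarball) -> Optional[int]:
    """Scan an sdist (.tar.gz path or file object) for the vendored base.h."""
    opener = tarfile.open(fileobj=tarball) if hasattr(tarball, "read") else tarfile.open(tarball)
    with opener as tf:
        for member in tf:
            if member.isfile() and _BASE_H_RE.search(member.name):
                text = tf.extractfile(member).read().decode("utf-8", "replace")
                return parse_api_version(text)
    return None


# Constructed sample inputs so the example runs offline. The SHA is the one
# the thread cites for v1.58.0; the API version number is illustrative only.
SAMPLE_LS_TREE = (
    "160000 commit 2ff4b968a7e0cfee66d9f151cb95635b43dc1d5b\t"
    "third_party/boringssl-with-bazel\n"
)
SAMPLE_BASE_H = "/* trimmed */\n#define BORINGSSL_API_VERSION 24\n"


def build_sample_sdist() -> io.BytesIO:
    """Build a tiny in-memory .tar.gz holding only the vendored base.h."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        name = "grpcio-1.58.0/third_party/boringssl-with-bazel/src/include/openssl/base.h"
        payload = SAMPLE_BASE_H.encode()
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tf.addfile(info, io.BytesIO(payload))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print("pinned BoringSSL commit:", parse_submodule_commit(SAMPLE_LS_TREE))
    print("BORINGSSL_API_VERSION in sdist:", api_version_from_sdist(build_sample_sdist()))
```

Against a real checkout, `boringssl_commit_for_tag(Path("grpc"), "v1.58.0")` returns the SHA you then look up at github.com/google/boringssl; the API-version number is a coarser signal, useful only to rule releases in or out when no git history is available.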
Re: [grpc-io] Re: Using the certificate fetcher API
As of now, the CertificateProvider APIs I mentioned only come with two built-in types, StaticData and FileWatcher. So unfortunately, the custom logic you'd like isn't supported. That said, we are considering whether we will support user-defined CertificateProvider implementations. This is yet to be finalized so I cannot guarantee anything right now.

Back to the APIs you referred to, they are defined in include/grpc/grpc_security.h so technically it's not in private headers. I don't think we will ever remove things defined there, but it's generally not recommended for C++ library users to consume APIs in that C-Core layer.

On Thursday, September 14, 2023 at 4:55:50 PM UTC-7 Mohamed Hasan wrote:
> On Thursday, September 14, 2023 at 8:17 PM, 'Amirsaman Memaripour' via grpc.io <grp...@googlegroups.com> wrote:
>
>> Hi Luwei,
>>
>> Thanks for your response. We'd need to expand that API since the rotation
>> of certificates must be controlled/guarded by a change of state in the
>> system, and we may need to process the contents of the certificate files
>> before loading them into memory for gRPC's consumption. My initial plan was
>> to utilize the callback fetcher API to implement something similar to the
>> following, where I can invoke custom logic in `certificateConfigCallback`
>> and update the cached certificates when needed (e.g. after receiving a
>> command from the user that the certificates must be rotated). Just
>> verifying that the new API you noted in your email will support such a
>> use-case. Thank you!
>>
>> #include <memory>
>> #include <string>
>>
>> #include <grpc/grpc_security.h>
>> #include <grpcpp/grpcpp.h>
>> #include <grpcpp/resource_quota.h>
>> #include "src/cpp/server/secure_server_credentials.h"  // core-private header
>>
>> namespace util {
>> // Our own helpers (bodies not shown): read a PEM file into a string, and
>> // split a combined key+chain PEM file into its two parts.
>> std::string readPEMFile(const std::string& path);
>> struct KeyCertPair { std::string private_key; std::string cert_chain; };
>> KeyCertPair parsePEMKeyFile(const std::string& path);
>> }  // namespace util
>>
>> // Placeholder limits; the real values live in our config.
>> constexpr int MaxMessageSizeBytes = 64 * 1024 * 1024;
>> constexpr int MaxWorkerThreads = 16;
>> std::unique_ptr<::grpc::Server> server;
>>
>> struct Options {
>>   std::string tlsPEMKeyFile;
>>   std::string tlsCAFile;
>> };
>>
>> grpc_ssl_certificate_config_reload_status certificateConfigCallback(
>>     void* options, grpc_ssl_server_certificate_config** config) {
>>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_UNCHANGED` if not changed.
>>   // Return `GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_FAIL` if loading (or verifying)
>>   // the certificates fails.
>>   // Otherwise, load the new certificates ...
>>   Options* optionsPtr = static_cast<Options*>(options);
>>   std::string caCert = util::readPEMFile(optionsPtr->tlsCAFile);
>>   auto keyCertPair = util::parsePEMKeyFile(optionsPtr->tlsPEMKeyFile);
>>   grpc_ssl_pem_key_cert_pair pemKeyCertPair = {keyCertPair.private_key.c_str(),
>>                                                keyCertPair.cert_chain.c_str()};
>>   // gRPC copies the PEM strings and takes ownership of *config.
>>   *config = grpc_ssl_server_certificate_config_create(caCert.c_str(),
>>                                                       &pemKeyCertPair, 1);
>>   return GRPC_SSL_CERTIFICATE_CONFIG_RELOAD_NEW;
>> }
>>
>> std::shared_ptr<::grpc::ServerCredentials> makeServerCredentialsWithFetcher() {
>>   // user_data is handed back to the callback on every reload, so it must
>>   // outlive the server; a function-local would dangle.
>>   static Options options;
>>   grpc_ssl_server_credentials_options* opts =
>>       grpc_ssl_server_credentials_create_options_using_config_fetcher(
>>           ::grpc_ssl_client_certificate_request_type
>>               ::GRPC_SSL_DONT_REQUEST_CLIENT_CERTIFICATE,
>>           certificateConfigCallback, &options);
>>   grpc_server_credentials* creds =
>>       grpc_ssl_server_credentials_create_with_options(opts);
>>   return std::shared_ptr<::grpc::ServerCredentials>(
>>       new ::grpc::SecureServerCredentials(creds));
>> }
>>
>> void startServer() {
>>   ::grpc::ServerBuilder builder;
>>
>>   auto credentials = makeServerCredentialsWithFetcher();
>>   builder.AddListeningPort("127.0.0.1:2", credentials);
>>   // TODO register service via `builder.RegisterService()`
>>   builder.SetMaxReceiveMessageSize(MaxMessageSizeBytes);
>>   builder.SetMaxSendMessageSize(MaxMessageSizeBytes);
>>   builder.SetDefaultCompressionAlgorithm(::grpc_compression_algorithm
>>                                              ::GRPC_COMPRESS_NONE);
>>   ::grpc::ResourceQuota quota;
>>   quota.SetMaxThreads(MaxWorkerThreads);
>>   builder.SetResourceQuota(quota);
>>
>>   server = builder.BuildAndStart();
>> }
>>
>> On Wednesday, September 13, 2023 at 3:18:39 PM UTC-4 Luwei Ge wrote:
>>
>>> Hi,
>>>
>>> Does the FileWatcherCertificateProvider work at
>>> https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h
>>> for your use case? It's an experimental API but we plan to stabilize it
>>> soon.
>>>
>>> Best,
>>> Luwei
>>>
>>> On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour wrote:
>>>
>>> Following up on this question, is there a plan for supporting the
>>> certificate fetcher API in the public facing headers?
>>>
>>> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour wrote:
>>>
>>> Hi,
>>>
>>> We are working on using the C++ implementation of gRPC and wanted to see
>>> what's the best way to implement certificate rotation. I was able to rotate
>>> certificates using the certificate fetcher callback API, but noticed that
>>> it's only available through the private headers of the core library. Are
>>> there plans to make this API public? Just checking to make sure the feature
>>> is not going to be deprecated and entirely removed from the repository.
>>> Thank you!
Re: [grpc-io] Re: C++ gRPC with PKCS#11
> Unless the community position is to let the users themselves build the
> grpc lib with whatever OpenSSL version they prefer.

gRPC only builds with BoringSSL with Bazel and can build with a list of supported OpenSSL versions with CMake. The OpenSSL is not packaged inside the library.

> As a user of C++ gRPC standard library, I have a hard time understanding why
> this pkcs#11 access to TLS credentials is not provided as part of the
> standard gRPC API.

I think the simple answer is that we don't see many use cases or requests for this. And external contributions are always welcomed.

On Mon, Sep 18, 2023 at 6:00 AM GoogleUser Zak wrote:
> As a user of C++ gRPC standard library, I have a hard time understanding why
> this pkcs#11 access to TLS credentials is not provided as part of the
> standard gRPC API. This way the user will not have to worry about
> rebuilding the library.
>
> Therefore, regarding which openssl version to use, if it is packaged
> inside the grpc library, then it will just depend on which version of grpc
> lib is being used.
> So, moving to a new openssl version would just require the user to upgrade
> their grpc library to a new grpc version.
>
> Unless the community position is to let the users themselves build the
> grpc lib with whatever OpenSSL version they prefer.
>
> If someone can shed some light on this, it would be greatly appreciated.
>
> Thanks
>
> On Wed, Sept 13, 2023, 3:59 p.m. 'Luwei Ge' via grpc.io <grpc-io@googlegroups.com> wrote:
>
>> Hi,
>>
>> I assume you are building gRPC with OpenSSL.
>>
>> 1. We do have some support for the Engine APIs
>> (https://github.com/grpc/grpc/blob/6534f0a6bfc1cfae6db931f9ee16f480de980374/src/core/tsi/ssl_transport_security.cc#L568)
>> of OpenSSL 1.0.2. Unfortunately, because the feature was implemented quite
>> a while ago, the test
>> (https://github.com/grpc/grpc/blob/3717ff04bafd18504d8613d753d4605927305de3/test/core/end2end/h2_ssl_cert_test.cc#L263)
>> has been broken and is yet to be fixed. Regardless of the test, if we assume
>> this still works, would it accommodate your use case? Note that you'd be
>> locked into OpenSSL 1.0.2.
>>
>> 2. If option 1 above is not viable but OpenSSL Engine APIs would
>> indeed solve your problem, would you be interested in contributing to
>> supporting this feature for more recent OpenSSL versions (namely, OpenSSL
>> 3)?
>>
>> Please let us know if you have any questions.
>>
>> Best,
>> Luwei
>>
>> On Saturday, September 9, 2023 at 5:29:20 PM UTC-4 GoogleUser Zak wrote:
>>
>>> Hi,
>>> I am looking for a gRPC library implementation/version where a C++ gRPC
>>> client, namely CreateChannel(), can refer to the mTLS private key using a
>>> PKCS#11 URI, and therefore the private key doesn't need to be read in
>>> user space, and will stay in the HSM secure memory.
>>>
>>> Is there a way to use OpenSSL with the pkcs11 engine in the gRPC library? If
>>> so, any pointers about how to create that gRPC library?
>>>
>>> Thanks
>>> --
>>> Hakim
>>
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/grpc-io/8d002db7-98f7-4a8d-a472-a8e782f934a2n%40googlegroups.com

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/CANHVheP%2BGRp1u%2B%3DeJnREwdAQv%3DjC80jMKsbjErgJzN6M_%3DH%2BXQ%40mail.gmail.com.
[grpc-io] Re: C++ gRPC with PKCS#11
Hi,

I assume you are building gRPC with OpenSSL.

1. We do have some support for the Engine APIs (https://github.com/grpc/grpc/blob/6534f0a6bfc1cfae6db931f9ee16f480de980374/src/core/tsi/ssl_transport_security.cc#L568) of OpenSSL 1.0.2. Unfortunately, because the feature was implemented quite a while ago, the test (https://github.com/grpc/grpc/blob/3717ff04bafd18504d8613d753d4605927305de3/test/core/end2end/h2_ssl_cert_test.cc#L263) has been broken and is yet to be fixed. Regardless of the test, if we assume this still works, would it accommodate your use case? Note that you'd be locked into OpenSSL 1.0.2.

2. If option 1 above is not viable but OpenSSL Engine APIs would indeed solve your problem, would you be interested in contributing to supporting this feature for more recent OpenSSL versions (namely, OpenSSL 3)?

Please let us know if you have any questions.

Best,
Luwei

On Saturday, September 9, 2023 at 5:29:20 PM UTC-4 GoogleUser Zak wrote:
> Hi,
> I am looking for a gRPC library implementation/version where a C++ gRPC
> client, namely CreateChannel(), can refer to the mTLS private key using a
> PKCS#11 URI, and therefore the private key doesn't need to be read in
> user space, and will stay in the HSM secure memory.
>
> Is there a way to use OpenSSL with the pkcs11 engine in the gRPC library? If
> so, any pointers about how to create that gRPC library?
>
> Thanks
> --
> Hakim

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/8d002db7-98f7-4a8d-a472-a8e782f934a2n%40googlegroups.com.
[grpc-io] Re: Using the certificate fetcher API
Hi,

Does the FileWatcherCertificateProvider work at https://github.com/grpc/grpc/blob/master/include/grpcpp/security/tls_certificate_provider.h for your use case? It's an experimental API but we plan to stabilize it soon.

Best,
Luwei

On Tuesday, September 12, 2023 at 2:13:32 PM UTC-4 Amirsaman Memaripour wrote:
> Following up on this question, is there a plan for supporting the
> certificate fetcher API in the public facing headers?
>
> On Thursday, August 31, 2023 at 6:10:52 PM UTC-4 Amirsaman Memaripour wrote:
>
> Hi,
>
> We are working on using the C++ implementation of gRPC and wanted to see
> what's the best way to implement certificate rotation. I was able to rotate
> certificates using the certificate fetcher callback API, but noticed that
> it's only available through the private headers of the core library. Are
> there plans to make this API public? Just checking to make sure the feature
> is not going to be deprecated and entirely removed from the repository.
> Thank you!

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/2f0ef6bf-1f2e-429c-8e5c-b4a94c3b0e1bn%40googlegroups.com.
[grpc-io] A59: gRPC Audit Logging
This is the discussion thread for A59: gRPC Audit Logging.

https://github.com/grpc/proposal/pull/346

Please share your comments. Thank you.

To view this discussion on the web visit https://groups.google.com/d/msgid/grpc-io/850e6b92-995f-424c-b1d0-843a690e95d4n%40googlegroups.com.