switch to TLS 1.2 or 1.3 for the gRPC secure comms

[mejohnnaylor]

The current secure comms only supports SSL which is deprecated.

note that it could be that the thing called SSL in the current implementation is actually doing TLS, according to ChatGPT:

Yes, gRPC fully supports TLS (Transport Layer Security), allowing for secure communication over the network. TLS is supported by both gRPC Core (for languages like C++, Java, Go, and others) and gRPC libraries in various languages, including Python, Ruby, and Node.js. Here's a brief overview of how TLS works with gRPC and how to enable it:

1. TLS Support in gRPC

gRPC uses HTTP/2 as its underlying transport protocol, which natively supports TLS for secure communication. By configuring TLS in gRPC, you can ensure data encryption, integrity, and authentication between client and server.

2. Enabling TLS in gRPC

To enable TLS in gRPC, you’ll need:

• A valid SSL/TLS certificate: This can be a self-signed certificate (for testing) or a certificate issued by a trusted certificate authority (for production).
• A private key corresponding to the certificate.

3. Example of Setting Up TLS in gRPC (C++)

Below is a simple example of how to set up TLS in gRPC for a C++ application:

Server-Side (C++)

#include <grpcpp/grpcpp.h>
#include "your_service.grpc.pb.h" // Your gRPC service definition

void RunServer() {
    std::string server_address("0.0.0.0:50051");

    // Load server certificate and private key
    grpc::SslServerCredentialsOptions::PemKeyCertPair key_cert_pair = {
        .private_key = "path/to/server_key.pem",
        .cert_chain = "path/to/server_cert.pem"
    };

    grpc::SslServerCredentialsOptions ssl_opts;
    ssl_opts.pem_key_cert_pairs.push_back(key_cert_pair);
    ssl_opts.pem_root_certs = ""; // Leave empty to use default CA certificates

    // Create the server with TLS credentials
    auto server = grpc::ServerBuilder()
                      .AddListeningPort(server_address, grpc::SslServerCredentials(ssl_opts))
                      .BuildAndStart();

    server->Wait();
}

Client-Side (C++)

#include <grpcpp/grpcpp.h>
#include "your_service.grpc.pb.h" // Your gRPC service definition

void RunClient() {
    std::string server_address("localhost:50051");

    grpc::SslCredentialsOptions ssl_opts = {
        .pem_root_certs = "path/to/ca_cert.pem"
    };

    // Create the channel with TLS credentials
    auto channel = grpc::CreateChannel(server_address, grpc::SslCredentials(ssl_opts));
    auto stub = YourService::NewStub(channel);

    // Proceed with calling remote methods on the stub
}

4. TLS in Other Languages

• Python: Use grpc.ssl_channel_credentials for clients and grpc.ssl_server_credentials for servers.
• Java: Use ManagedChannelBuilder and NettyServerBuilder with useTransportSecurity.
• Go: Use grpc.WithTransportCredentials with credentials.NewClientTLSFromFile.

5. Mutual TLS (mTLS)

gRPC also supports mutual TLS (mTLS), where both the client and server authenticate each other. This requires each party to present a certificate to establish a trusted connection.

Summary

• gRPC supports TLS for secure, encrypted communication.
• You can configure TLS using server and client credentials, and gRPC libraries provide APIs in each supported language.
• Mutual TLS (mTLS) is also supported if you need two-way authentication.

Using TLS with gRPC is a robust choice for ensuring secure data transmission and is widely adopted in production environments.

[mejohnnaylor]

The naming of grpc::SslCredentialsOptions might indeed be misleading because it includes "SSL" in the name, but rest assured, gRPC uses TLS (Transport Layer Security) under the hood, not the deprecated SSL protocols (SSL 2.0 or SSL 3.0).

Why "SSL" in the Name?

Historically, "SSL" was the original protocol name, and some libraries and APIs still retain "SSL" in their names for backward compatibility or historical reasons, even though they actually implement TLS. This is the case with gRPC, where grpc::SslCredentialsOptions refers to the options used to configure TLS settings.

TLS Versions Supported by gRPC

gRPC libraries leverage the underlying TLS libraries of each language:

• C++ (gRPC Core): Often uses OpenSSL or other libraries, which support TLS 1.2 and TLS 1.3, depending on the version of the library installed.
• Java: Uses the JVM’s TLS implementation, typically supporting TLS 1.2 and TLS 1.3.
• Go: Built-in support for TLS 1.2 and TLS 1.3.
• Python, Node.js, etc.: TLS versions depend on the underlying libraries and versions (like OpenSSL) but generally support modern TLS versions.

Security in gRPC

The grpc::SslCredentialsOptions structure in C++ or similar options in other languages allow you to:

• Specify certificates and private keys for TLS.
• Choose root certificates to verify the server's identity.
• Optionally configure mutual TLS (mTLS), which adds additional security by authenticating both the client and the server.

Summary

• The term "SSL" in grpc::SslCredentialsOptions is historical and does not mean it uses outdated SSL protocols.
• gRPC relies on TLS for secure communication, and its underlying libraries typically support modern TLS versions (TLS 1.2 and TLS 1.3).
• Your connections with grpc::SslCredentialsOptions are secure with modern TLS standards.

In conclusion, while the naming can be confusing, gRPC does not use deprecated SSL protocols and provides a robust and secure setup with modern TLS support.

[mejohnnaylor]

maybe addressing this issue is to simply remove the ssl as an option for --secure_coms and just have off and 'tls` as options?