stepancheg / grpc-rust

Rust implementation of gRPC
MIT License

Modifying underlying TLS connection on grpc client #103

Closed stuartnelson3 closed 6 years ago

stuartnelson3 commented 6 years ago

In development mode, we are using self-signed certs that fail verification.

let http = httpbis::client_conf::ClientConf::new();
let conf = grpc::ClientConf { http: http };
let client = MyGrpcClient::new_tls::<TlsConnector>("localhost", 50051, conf)
    .unwrap();

This results in getting the builder for TlsConnector in https://github.com/stepancheg/rust-http2/blob/master/src/client.rs#L95, which is then built to the default options from https://github.com/stepancheg/rust-tls-api/blob/master/impl-openssl/src/lib.rs#L169. As far as I can tell, this is all out of the control of the caller.

I currently have a forked version for development that sets no-verify on the builder:

fn builder() -> Result<TlsConnectorBuilder> {
    openssl::ssl::SslConnectorBuilder::new(openssl::ssl::SslMethod::tls())
        .map(|mut builder| {
            builder.builder_mut().set_verify(
                openssl::ssl::SslVerifyMode::empty(),
            );
            builder
        })
        .map(TlsConnectorBuilder)
        .map_err(Error::new)
}

Ideally I wouldn't have a forked version for this, of course. I tried to create my own struct wrapping TlsConnector and passing that in for creating the grpc client, but that failed because there was a type mismatch because of the Builder constraint in TlsConnector:

type Builder: TlsConnectorBuilder<Connector = Self>

Is there some way to modify the underlying TLS connection to set no-verify? Or do I need to create not only a struct wrapping TlsConnector, but one also wrapping TlsConnectorBuilder to satisfy the Builder constraint?

stepancheg commented 6 years ago

> I tried to create my own struct wrapping TlsConnector and passing that in for creating the grpc client, but that failed because there was a type mismatch because of the Builder constraint in TlsConnector:
>
> Or do I need to create not only a struct wrapping TlsConnector, but one also wrapping TlsConnectorBuilder to satisfy the Builder constraint?

Yes, if you need to create your own TlsConnector, then you need to create your own TlsConnectorBuilder too. Doesn't seem to be hard.

I'm not sure it's the best API. If you have ideas on how to make the API simpler and easier, please share.

Anyway, I've just created a version 0.1.12 where the fields of TlsConnector are public: c06ce434c89a3b985e1b84a29a80669bbd21fb95. So now you can initialize an openssl connector and wrap it with tls_api_openssl::TlsConnector.

Please reopen the issue (or create another issue) if the problem is not solved.
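The connector/builder wrapper pair discussed in this thread, as an added example that is not part of the original comments or of the project's code. The two traits are simplified stand-ins for the tls-api ones, and `Verify`, `StockConnector`, `StockBuilder`, `DevConnector`, `DevBuilder` and this `new_tls` are hypothetical names; the debug-build gate is an assumption about how a development-only relaxation would be scoped.

```rust
// Simplified stand-ins for the tls-api traits (assumption: the real ones have more methods).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Verify { Peer, Disabled }
pub trait TlsConnectorBuilder: Sized {
    type Connector: TlsConnector;
    fn build(self) -> Result<Self::Connector, String>;
}
pub trait TlsConnector: Sized {
    // The constraint quoted in the issue: the builder must build *this* type.
    type Builder: TlsConnectorBuilder<Connector = Self>;
    fn builder() -> Result<Self::Builder, String>;
    fn verify_mode(&self) -> Verify;
}

// Hypothetical stock connector whose builder() uses default (verifying) options.
pub struct StockConnector { verify: Verify }
pub struct StockBuilder { verify: Verify }
impl TlsConnectorBuilder for StockBuilder {
    type Connector = StockConnector;
    fn build(self) -> Result<StockConnector, String> { Ok(StockConnector { verify: self.verify }) }
}
impl TlsConnector for StockConnector {
    type Builder = StockBuilder;
    fn builder() -> Result<StockBuilder, String> { Ok(StockBuilder { verify: Verify::Peer }) }
    fn verify_mode(&self) -> Verify { self.verify }
}

// Development wrapper. `type Builder = StockBuilder` would be rejected here, because
// StockBuilder::Connector is StockConnector, not DevConnector, so the builder is wrapped too.
pub struct DevConnector(StockConnector);
pub struct DevBuilder(StockBuilder);
impl TlsConnectorBuilder for DevBuilder {
    type Connector = DevConnector;
    fn build(self) -> Result<DevConnector, String> { self.0.build().map(DevConnector) }
}
impl TlsConnector for DevConnector {
    type Builder = DevBuilder;
    fn builder() -> Result<DevBuilder, String> {
        let mut inner = StockConnector::builder()?;
        // Verification is relaxed only in debug builds; release builds keep the default.
        if cfg!(debug_assertions) { inner.verify = Verify::Disabled; }
        Ok(DevBuilder(inner))
    }
    fn verify_mode(&self) -> Verify { self.0.verify_mode() }
}

// Hypothetical generic entry point in the style of new_tls::<C>: it only ever calls C::builder().
pub fn new_tls<C: TlsConnector>() -> Result<Verify, String> { Ok(C::builder()?.build()?.verify_mode()) }
fn main() { println!("stock: {:?}, dev: {:?}", new_tls::<StockConnector>(), new_tls::<DevConnector>()); }
```

Because the generic caller only sees `C::builder()`, any non-default TLS setting has to live in a type the caller can name, which is why the wrapper needs both halves.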