akka-grpc

Unable to specify TLS ciphers for GrpcClientSettings

Open squadgazzz opened this issue 4 years ago • 7 comments

Akka gRPC 2.0.0. I couldn't find a way to specify ciphers for GrpcClientSettings to create a gRPC client service with TLS support.

squadgazzz avatar Aug 18 '21 11:08 squadgazzz

> to create a gRPC client service with TLS support

If you're OK with the JRE defaults, I think you shouldn't need any particular configuration to be able to perform HTTPS calls.

If you want more control, you can probably use withSslContext and perhaps withTrustManager. This could definitely use some documentation, though :)

raboof avatar Aug 18 '21 12:08 raboof

> to create a gRPC client service with TLS support
>
> If you're OK with the JRE defaults, I think you shouldn't need any particular configuration to be able to perform HTTPS calls.
>
> If you want more control, you can probably use withSslContext and perhaps withTrustManager. This could definitely use some documentation, though :)

Yes, I do provide custom SslContext. But there's no way to provide custom ciphers. Client sends unsupported ciphers to my SSL provider. On the server-side, there's an option in ConnectionContext where I can specify any ciphers.

```scala
ConnectionContext.https(
  sslContext = mySslContext,
  enabledCipherSuites = myCiphers,
  enabledProtocols = myProtocols
)
```

With GrpcClientSettings I can specify sslContext only, not ciphers.

The reason I use it is simple. I use a custom TLS provider.

squadgazzz avatar Aug 18 '21 12:08 squadgazzz

Ah, so those are in the SSLEngine, not the SSLContext - indeed it'd make sense to make that possible somehow.

For the akka-http backend, perhaps it'd make sense to allow bringing your own HttpsConnectionContext as well. For the Netty backend I'm not sure how this could be achieved.

raboof avatar Aug 18 '21 13:08 raboof
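
The distinction raised in the comment above, as an added example that is not part of the thread or of akka-grpc's code: with the JDK's `javax.net.ssl` API, enabled cipher suites and protocols are set on each `SSLEngine` through `SSLParameters`, not on the `SSLContext`. The object name, host name and allow-lists are constructed for illustration, and this does not show a `GrpcClientSettings` option.

```scala
import javax.net.ssl.{SSLContext, SSLEngine}

object RestrictedClientEngine {

  /** Build a client-mode SSLEngine that offers only allow-listed suites and protocols. */
  def create(
      context: SSLContext,
      host: String,
      port: Int,
      allowedCiphers: Seq[String],
      allowedProtocols: Seq[String]
  ): SSLEngine = {
    val engine = context.createSSLEngine(host, port)
    engine.setUseClientMode(true)

    // Keep only what this provider implements, preserving the caller's preference order.
    val ciphers = allowedCiphers.filter(engine.getSupportedCipherSuites.toSet)
    val protocols = allowedProtocols.filter(engine.getSupportedProtocols.toSet)

    // Fail closed: an empty list must not silently fall back to the provider defaults.
    require(ciphers.nonEmpty, s"no allow-listed cipher suite is supported by ${context.getProvider}")
    require(protocols.nonEmpty, s"no allow-listed protocol is supported by ${context.getProvider}")

    val params = engine.getSSLParameters
    params.setCipherSuites(ciphers.toArray)
    params.setProtocols(protocols.toArray)
    params.setEndpointIdentificationAlgorithm("HTTPS") // keep hostname verification on
    engine.setSSLParameters(params)
    engine
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample values; the last suite name is deliberately not a real one.
    val engine = create(
      SSLContext.getDefault,
      host = "grpc.example.internal",
      port = 443,
      allowedCiphers = Seq(
        "TLS_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_NOT_A_REAL_SUITE"),
      allowedProtocols = Seq("TLSv1.3", "TLSv1.2")
    )
    println(engine.getEnabledCipherSuites.mkString(", "))
    println(engine.getEnabledProtocols.mkString(", "))
  }
}
```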

> Ah, so those are in the SSLEngine, not the SSLContext - indeed it'd make sense to make that possible somehow.
>
> For the akka-http backend, perhaps it'd make sense to allow bringing your own HttpsConnectionContext as well. For the Netty backend I'm not sure how this could be achieved.

Netty provides this ability with their own SslContextBuilder for both client and server sides. I have a server backended with akka-http and have no issues with setting up a custom SSL provider. The only issue - I can't create a client with akka to connect to my server.

squadgazzz avatar Aug 18 '21 13:08 squadgazzz

> Netty provides this ability with their own SslContextBuilder for both client and server sides.

Ah OK. We do have a channelBuilderOverrides 'escape hatch' for Netty-specific customizations, but it looks like you don't have access to the SslContextBuilder from there unfortunately.

> I can't create a client with akka to connect to my server.

Yeah, I got that. You can select using Akka HTTP instead of Netty for the client as well, and in that case we could perhaps add API to allow you to provide your own HttpsConnectionContext for the client - but we don't currently have that yet.

raboof avatar Aug 18 '21 14:08 raboof

@raboof greetings!

Is there anything on the roadmap to provide a HttpsConnectionContext for an HTTP/2 client? Seems like it's still missing.

BillyAutrey avatar Aug 01 '22 13:08 BillyAutrey

Any updates on this? Have an application that can't be used without being able to set a HttpsConnectionContext

benthecarman avatar Sep 17 '22 22:09 benthecarman