Add TLS verify callback for Python

Open zizhong opened this issue 2 years ago • 8 comments

Is your feature request related to a problem? Please describe.

Currently there is no way to set an SSL verify callback when using a Python gRPC client.

Describe the solution you'd like

A clear and concise description of what you want to happen.

https://github.com/grpc/grpc/pull/12656 could work but didn't get merged.

zizhong avatar Mar 16 '23 05:03 zizhong

If @zizhong or I were to contribute this, would it be reviewed and hopefully accepted into the project?

octaviansima avatar Mar 22 '23 18:03 octaviansima

Friendly ping. @gnossen @XuanWang-Amos Please let us know if it makes sense to you guys! Thanks!

zizhong avatar Mar 27 '23 23:03 zizhong

I would definitely welcome this contribution, but I'll also give @ZhenLian a chance to comment.

The place to start on this would be with a gRFC.

gnossen avatar Mar 27 '23 23:03 gnossen

Some thoughts - There exists this functionality in C as an experimental API - https://github.com/grpc/grpc/blob/2cd1501ca5ec0cf7db9fd63dd07508b54eaf8d4d/include/grpc/grpc_security.h#L961-L1042

So it shouldn't be too difficult for a wrapped language to do this, just with the understanding that it is still experimental at this point.

gtcooke94 avatar Mar 29 '23 14:03 gtcooke94

@ZhenLian does not work on gRPC security any more. cc @erm-g as the current lead.

Just to supplement some context to what @gtcooke94 said, it seems #12656 and #16395 gave way to https://github.com/grpc/proposal/pull/98 and subsequently https://github.com/grpc/proposal/pull/205, which includes the grpc_tls_certificate_verifier_external above. Apart from it being experimental, using this also means you would have to switch your client to using this new set of APIs entirely to set up channel credentials.

rockspore avatar Mar 29 '23 16:03 rockspore

Thanks! That is very helpful information. Will look into it! cc @octaviansima

zizhong avatar Mar 29 '23 17:03 zizhong

Again, we welcome any contributions. For this particular case, I think the following needs to be done:

  1. Verify the C experimental API grpc_tls_certificate_verifier_external is working as intended now.
  2. Design a way to use this API in Python and create a gRFC (one thing we're interested to know is how you plan to call back to Python).
  3. Review the gRFC and implement it.
  4. Don't forget tests :).

XuanWang-Amos avatar Mar 29 '23 20:03 XuanWang-Amos

Would love to see this implemented! Specifically, the ability to disable certificate verification on the client side when using a secure channel would be extremely helpful in cases where the server generates certificates on the fly and is hidden behind a load balancer/proxy. This is something that pretty much every other language's client implementation supports today.

shevisj avatar Jul 03 '24 05:07 shevisj