tonic icon indicating copy to clipboard operation
tonic copied to clipboard
verified publisher icon hyperium

feat(tls): AWS Libcrypto Support

Open jenr24-architect opened this issue 1 year ago • 2 comments

Motivation

I want to use aws-lc-rs with tonic.

Solution

adds a feature flag tls-aws-lc in parallel to tls, removed tls feature flag dependency from tls-*-roots features

jenr24-architect avatar Oct 16 '24 21:10 jenr24-architect

@jenr24-architect could you try to force push again to see if we can get CI to kick off again?

LucioFranco avatar Oct 18 '24 13:10 LucioFranco

@jenr24-architect could you try to force push again to see if we can get CI to kick off again?

Does it have to be a force push?? It doesn't look like my last push triggered it

jenr24-architect avatar Oct 18 '24 21:10 jenr24-architect

With this change, users can enable both ring and aws-lc-rs, and when they enable both at the same time, users will need to specify which of these they want to use as the default provider. This setting was already an exposed dependency of rustls as an interface for setting the default provider for rustls, but this was not an issue until now as only ring was supported. I think it would be needed to wrap these configuration APIs in tonic so that users can set which crypto provider to use when both are enabled in order to allow us to use rustls as an internal dependency. It also seems necessary to state that setting the default provider using rustls directly is not intended to be stable for tonic.

tottoto avatar Oct 23 '24 21:10 tottoto

With this change, users can enable both ring and aws-lc-rs, and when they enable both at the same time, users will need to specify which of these they want to use as the default provider. This setting was already an exposed dependency of rustls as an interface for setting the default provider for rustls, but this was not an issue until now as only ring was supported. I think it would be needed to wrap these configuration APIs in tonic so that users can set which crypto provider to use when both are enabled in order to allow us to use rustls as an internal dependency. It also seems necessary to state that setting the default provider using rustls directly is not intended to be stable for tonic.

I had thought about this -- I initially had written some code to add ClientTlsConfig::provider(provider: rustls::CryptoProvider) and ServerTlsConfig::provider(provider: rustls::CryptoProvider) so that I could write both a connect_handles_tls_ring and connect_handles_tls_aws_lc integration test, but the scope of that change started to get out of hand.

I would be willing to add that feature, in either this or a separate PR if we're interested in adding that functionality :)

jenr24-architect avatar Oct 23 '24 23:10 jenr24-architect

@jenr24-architect looks like there are some more CI failures

LucioFranco avatar Oct 25 '24 20:10 LucioFranco

@LucioFranco The CI failure does not seem to be caused by this pull request's change. I opened #2021 to address it.

tottoto avatar Oct 25 '24 22:10 tottoto

merged master after #2021 merged, this PR is ready for CI to re-run and to enter the merge queue

jenr24-architect avatar Nov 05 '24 18:11 jenr24-architect