tower-grpc

TLS support

Open bbigras opened this issue 6 years ago • 13 comments

It seems tower-grpc doesn't support TLS yet. Would it be as simple as using TlsConnectorExt like in https://github.com/tokio-rs/tokio-tls/blob/90d33563033dcbd12000e72ad6cfd362bab30734/examples/download-rust-lang.rs ?

Apr 22 '18 15:04 bbigras

tower-grpc doesn't do connection establishment at all. It's expected that a user gets a connection somehow, does the h2 handshake, and then constructs the grpc types with it.

So yes, you could use any TLS implementation before giving the connection to h2 and then grpc.

Apr 22 '18 15:04 seanmonstar

The example is a bit out of date, but: https://github.com/carllerche/h2/blob/master/examples/akamai.rs

Apr 25 '18 17:04 carllerche

Thanks!

By the way, this is the line that made me think TLS wasn't supported in the first place. I just searched "tls" on this repo. https://github.com/tower-rs/tower-grpc/blob/1c9480ef7ce5a6313c55afdfba4a4646dc676b04/tower-grpc-interop/src/client.rs#L502

Apr 25 '18 17:04 bbigras

It might be just the interop test code doesn't support TLS yet.

Apr 25 '18 17:04 carllerche

> It might be just the interop test code doesn't support TLS yet.

@carllerche that's correct, I think the line @bbigras quoted was intended to say "tower-grpc-interop does not currently support TLS". That's my bad.

Oct 08 '18 23:10 hawkw

Is there an example somewhere that is not out of date?

Mar 14 '19 18:03 spacejam

Here's a server example using tokio-rustls that I hacked together which seems to work:

https://gist.github.com/brndnmtthws/2d6f321f4686bb7465c38f12400e5455

Apr 17 '19 12:04 brndnmtthws

Yo @brndnmtthws! would you mind including your Cargo.lock file to see specifically which versions of all of the various subcrates are being used? It has been time intensive trying to find a set of reasonably recent git revisions that compile together and allow for TLS + tower interop. The usage of extern crate in there makes me a little suspicious that it might be derived from fairly old examples.

Apr 17 '19 12:04 spacejam

> Yo @brndnmtthws! would you mind including your Cargo.lock file to see specifically which versions of all of the various subcrates are being used? It has been time intensive trying to find a set of reasonably recent git revisions that compile together and allow for TLS + tower interop. The usage of extern crate in there makes me a little suspicious that it might be derived from fairly old examples.

Hey Tyler. How's sled going?

Here's Cargo.lock: https://gist.github.com/brndnmtthws/6f27cb16e7a7e2cef2ef3d68bbcf7c0b

Apr 17 '19 14:04 brndnmtthws

I believe the latest master should be building fine here, do you know what issues you are seeing specifically? @spacejam

Apr 17 '19 14:04 LucioFranco

Initial work is being worked on here https://github.com/tower-rs/tower-http/pull/19

Apr 29 '19 19:04 LucioFranco

Working sample: https://gist.github.com/kiratp/dfcbcf0aa713a277d5d53b06d9db9308

First off: thanks to everyone who's built and shared working snippets over time.

The gist above works 100% reliably against a LetsEncrypt TLS backend.

Hopefully this helps others who are blocked while official support is still being worked on.

Apr 22 '19 17:08 kiratp

@kiratp Works great, thank you for putting this together! (Needed to drop https:// from the to_socket_addrs() part.)

Aug 23 '19 02:08 davidvartan
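The last comment's fix (dropping `https://` before `to_socket_addrs()`) matters because the same host name also has to reach the TLS layer for certificate verification before the connection is handed to h2 and grpc. The following is an added example, not code from the linked gists or from tower-grpc: the helper names `split_endpoint` and `resolve`, the sample endpoint, and the default port 443 are assumptions, and it uses only the standard library.

```rust
use std::net::{SocketAddr, ToSocketAddrs};

// Hypothetical helper, not from the gist or tower-grpc. Returns
// (name to verify in the TLS handshake, "host:port" for to_socket_addrs()).
fn split_endpoint(endpoint: &str) -> Result<(String, String), String> {
    // Accept only https so a plaintext endpoint is never dialled by mistake.
    let rest = match endpoint.split_once("://") {
        Some(("https", rest)) => rest,
        Some((scheme, _)) => return Err(format!("refusing non-TLS scheme {scheme:?}")),
        None => endpoint,
    };
    // Keep the authority only: drop path, query and fragment.
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next().unwrap_or("");
    if authority.contains('@') { return Err("userinfo is not allowed".into()); }
    // Bracketed IPv6 literal ("[::1]:50051") or plain "host[:port]".
    let (host, port) = if let Some(v6) = authority.strip_prefix('[') {
        let (h, tail) = v6.split_once(']').ok_or("unterminated IPv6 literal")?;
        match tail {
            "" => (h, None),
            t => (h, Some(t.strip_prefix(':').ok_or("junk after IPv6 literal")?)),
        }
    } else {
        match authority.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (authority, None),
        }
    };
    if host.is_empty() || (!authority.starts_with('[') && host.contains(':')) {
        return Err(format!("bad host in {authority:?}"));
    }
    let port: u16 = match port {
        Some(p) => p.parse().map_err(|_| format!("bad port {p:?}"))?,
        None => 443, // assumed default for https endpoints
    };
    let addr = if host.contains(':') { format!("[{host}]:{port}") } else { format!("{host}:{port}") };
    Ok((host.to_string(), addr))
}

// Resolve the cleaned address; the returned name is what the TLS layer must verify.
fn resolve(endpoint: &str) -> Result<(String, Vec<SocketAddr>), String> {
    let (server_name, addr) = split_endpoint(endpoint)?;
    let addrs = addr.to_socket_addrs().map_err(|e| e.to_string())?;
    Ok((server_name, addrs.collect()))
}

fn main() {
    // Constructed sample endpoint; an IP literal keeps the run offline.
    println!("{:?}", resolve("https://127.0.0.1:8443/pkg.Service/Method"));
}
```

Pass the returned server name to the TLS connector unchanged, so the certificate is checked against the name the caller asked for rather than against a resolved IP address.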