Hi all,

We are using self-signed certificates to enable TLS between servers and clients. For that we create credentials for the C++ server like this:

    #include <memory>
    #include <grpcpp/grpcpp.h>

    // readContent() is our helper that returns the contents of a file.
    std::shared_ptr<grpc::ServerCredentials> GetServerCredentials()
    {
        // The server's private key and its self-signed certificate.
        grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp;
        pkcp.private_key = readContent("certs\\private.pem");
        pkcp.cert_chain = readContent("certs\\public.crt");

        grpc::SslServerCredentialsOptions ssl_opts;
        ssl_opts.pem_key_cert_pairs.push_back(pkcp);

        std::shared_ptr<grpc::ServerCredentials> creds = grpc::SslServerCredentials(ssl_opts);
        return creds;
    }

On the C++ client side we specify the server's self-signed certificate in pem_root_certs to make it work.

    std::shared_ptr<grpc::ChannelCredentials> GetClientCredentials()
    {
        grpc::SslCredentialsOptions ssl_opts;
        // Trust only the server's self-signed certificate.
        ssl_opts.pem_root_certs = readContent("certs\\public.crt");

        auto creds = grpc::SslCredentials(ssl_opts);
        return creds;
    }

The problem is, our clients don't know the servers' certificates in advance. We do box software, we don't have control over app deployment, and our software usually works in restricted networks without internet access.

We see that Trust-On-First-Use is a good option for us, but we failed to find any info on how it can be implemented for a C++ gRPC client. OpenSSL has *SSL_CTX_set_verify* <https://wiki.openssl.org/index.php/SSL/TLS_Client#Callback> which can be used to implement this. Is there a similar callback for gRPC? What is the best way to implement TOFU for a gRPC client?

Thanks in advance!
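The Trust-On-First-Use decision the post asks about, as an added example that is not part of the original message and is not gRPC API. `TofuPinStore`, `TofuResult` and the pin-file format are hypothetical; how the client obtains the PEM certificate the server presented is assumed to happen elsewhere, and endpoints are assumed to contain no whitespace.

```cpp
#include <cctype>
#include <fstream>
#include <map>
#include <string>
#include <utility>

enum class TofuResult { FirstUse, Match, Mismatch };

// Drop whitespace so CRLF and LF copies of one certificate compare equal.
std::string NormalizePem(const std::string& pem) {
  std::string out;
  for (unsigned char c : pem)
    if (!std::isspace(c)) out.push_back(static_cast<char>(c));
  return out;
}

// Hypothetical helper (not a gRPC type): persists one pinned cert per endpoint.
class TofuPinStore {
 public:
  explicit TofuPinStore(std::string path) : path_(std::move(path)) {
    std::ifstream in(path_);
    std::string endpoint, pin;
    // One pin per line: "<host:port> <PEM with whitespace removed>".
    while (in >> endpoint >> pin) pins_[endpoint] = pin;
  }

  // Pins the certificate on first contact. Afterwards only the pinned
  // certificate is accepted, and a mismatch never overwrites the pin.
  TofuResult Check(const std::string& endpoint, const std::string& pem) {
    const std::string presented = NormalizePem(pem);
    if (presented.empty()) return TofuResult::Mismatch;  // nothing to pin
    auto it = pins_.find(endpoint);
    if (it == pins_.end()) {
      pins_[endpoint] = presented;
      std::ofstream out(path_, std::ios::app);
      out << endpoint << ' ' << presented << '\n';
      return TofuResult::FirstUse;
    }
    return it->second == presented ? TofuResult::Match : TofuResult::Mismatch;
  }

 private:
  std::string path_;
  std::map<std::string, std::string> pins_;
};
```

On `FirstUse` or `Match` the caller can pass the presented PEM as `pem_root_certs`; on `Mismatch` it should refuse to connect and surface the change to an operator rather than re-pin silently.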