Hi all,
We are using self-signed certificates for enabling TLS between servers and 
clients. For that we create credentials for the C++ server like this:

    #include <memory>
    #include <string>
    #include <grpcpp/grpcpp.h>

    std::string readContent(const std::string& path);  // our helper: reads a whole file into a string

    std::shared_ptr<grpc::ServerCredentials> GetServerCredentials()
    {
        // The server's private key and its self-signed certificate, both PEM.
        grpc::SslServerCredentialsOptions::PemKeyCertPair pkcp;
        pkcp.private_key = readContent("certs\\private.pem");
        pkcp.cert_chain = readContent("certs\\public.crt");

        grpc::SslServerCredentialsOptions ssl_opts;
        ssl_opts.pem_key_cert_pairs.push_back(pkcp);

        // Client certificates are not requested (the default), so only the server is authenticated.
        std::shared_ptr<grpc::ServerCredentials> creds =
            grpc::SslServerCredentials(ssl_opts);
        return creds;
    }

On the C++ client side we specify the server's self-signed certificate in 
pem_root_certs to make it work:

    std::shared_ptr<grpc::ChannelCredentials> GetClientCredentials()
    {
        grpc::SslCredentialsOptions ssl_opts;
        // The server's self-signed certificate is the only trusted root, so the
        // channel accepts just that certificate (and anything signed by its key).
        ssl_opts.pem_root_certs = readContent("certs\\public.crt");
        auto creds = grpc::SslCredentials(ssl_opts);
        return creds;
    }

The problem is, our clients don't know the servers' certificates in advance. We 
make boxed software, we don't have control over app deployment, and our software 
usually works in restricted networks without internet access. 
We see that Trust-On-First-Use is a good option for us, but we failed to find 
any info on how it can be implemented for a C++ gRPC client.

OpenSSL has *SSL_CTX_set_verify* 
<https://wiki.openssl.org/index.php/SSL/TLS_Client#Callback>, which can be 
used to implement this. Is there a similar callback for gRPC?

What is the best way to implement TOFU for a gRPC client?

Thanks in advance!

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
Visit this group at https://groups.google.com/group/grpc-io.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/f9199492-4b31-4ef3-abf8-e73eb9f50060%40googlegroups.com.
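An added example, not code from the original post or from gRPC: the part gRPC does not supply for TOFU is the pin store that makes the trust decision, and it can live entirely outside gRPC. The assumption is that the client code above stays as it is and the pinned certificate is what goes into pem_root_certs; after the first connection gRPC's own chain validation then rejects any server certificate other than the pinned one, so no verification callback is needed for later connections. What the example does not do, and assumes is done once out of band, is obtaining the server's PEM at first contact, for instance with `openssl s_client -connect host:port -showcerts` or a plain OpenSSL handshake in code, because SslCredentials does not hand an unverified peer certificate back to the application. Peer names, the pin-file path and the certificate bodies are constructed placeholders.

```cpp
// Added example (not from the original post or from gRPC): a Trust-On-First-Use
// pin store. It never touches gRPC; the PEM it hands back is what the client puts
// in grpc::SslCredentialsOptions::pem_root_certs, so gRPC enforces the pin later.
#include <cctype>
#include <fstream>
#include <iostream>
#include <map>
#include <string>
#include <utility>

enum class TofuResult { FirstUse, Match, Mismatch };

// Base64 body of the first CERTIFICATE block with all whitespace removed, so the
// same certificate compares equal however it was wrapped. "" if not a PEM cert.
static std::string PemBody(const std::string& pem) {
    const std::string kBegin = "-----BEGIN CERTIFICATE-----";
    const std::string kEnd = "-----END CERTIFICATE-----";
    size_t b = pem.find(kBegin);
    if (b == std::string::npos) return "";
    b += kBegin.size();
    size_t e = pem.find(kEnd, b);
    if (e == std::string::npos) return "";
    std::string body;
    for (size_t i = b; i < e; ++i)
        if (!std::isspace(static_cast<unsigned char>(pem[i]))) body.push_back(pem[i]);
    return body;
}

// Rebuild ordinary PEM (64-column lines) from a stored body.
static std::string BodyToPem(const std::string& body) {
    std::string pem = "-----BEGIN CERTIFICATE-----\n";
    for (size_t i = 0; i < body.size(); i += 64) pem += body.substr(i, 64) + "\n";
    return pem + "-----END CERTIFICATE-----\n";
}

class TofuStore {
public:
    // Empty path keeps pins in memory only; otherwise they persist in a
    // "peer<TAB>body" text file (the path is an assumption of this example).
    explicit TofuStore(std::string path = "") : path_(std::move(path)) { Load(); }

    // peer is the identity the pin is bound to, e.g. "host:port".
    TofuResult Check(const std::string& peer, const std::string& pem_seen) {
        const std::string body = PemBody(pem_seen);
        if (body.empty()) return TofuResult::Mismatch;  // not a certificate: never trust
        auto it = pins_.find(peer);
        if (it == pins_.end()) {
            pins_[peer] = body;                         // first sight: pin it
            Save();
            return TofuResult::FirstUse;
        }
        return it->second == body ? TofuResult::Match : TofuResult::Mismatch;
    }

    // PEM for pem_root_certs, or "" if this peer has never been pinned.
    std::string RootForPeer(const std::string& peer) const {
        auto it = pins_.find(peer);
        return it == pins_.end() ? "" : BodyToPem(it->second);
    }

    // Explicit operator action after a verified key rotation; never automatic on Mismatch.
    void Forget(const std::string& peer) { pins_.erase(peer); Save(); }

private:
    void Load() {
        if (path_.empty()) return;
        std::ifstream in(path_);
        for (std::string line; std::getline(in, line);) {
            size_t tab = line.find('\t');
            if (tab != std::string::npos) pins_[line.substr(0, tab)] = line.substr(tab + 1);
        }
    }
    void Save() const {
        if (path_.empty()) return;
        std::ofstream out(path_, std::ios::trunc);
        for (const auto& kv : pins_) out << kv.first << '\t' << kv.second << '\n';
    }
    std::string path_;
    std::map<std::string, std::string> pins_;
};

// Constructed placeholder bodies (NOT real certificates), long enough to exercise re-wrapping.
static const char kBodyA[] = "MIIBplaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
static const char kBodyB[] = "MIIBplaceholderBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=";

int main() {
    TofuStore store;                                       // in-memory for the demo
    const std::string peer = "rpc.example.internal:50051"; // constructed peer name
    const char* names[] = {"first use: pinned", "match", "MISMATCH: refuse to connect"};
    std::cout << names[(int)store.Check(peer, BodyToPem(kBodyA))] << "\n";
    // Same certificate on a single line: whitespace must not matter.
    std::cout << names[(int)store.Check(peer, "-----BEGIN CERTIFICATE-----\n" + std::string(kBodyA) + "\n-----END CERTIFICATE-----\n")] << "\n";
    // A different certificate for the same peer: hard failure, pin unchanged.
    std::cout << names[(int)store.Check(peer, BodyToPem(kBodyB))] << "\n";
    std::cout << store.RootForPeer(peer);                  // what goes into pem_root_certs
}
```

Two caveats a deployment needs around this. First contact is the unauthenticated moment of TOFU, so surface the pinned certificate's fingerprint (openssl x509 -in pinned.pem -noout -fingerprint -sha256) where an operator can compare it against the server, and log it. Second, Mismatch must be a hard failure with no automatic re-pin: a changed server certificate is either a legitimate rotation, which the operator acknowledges with Forget, or an interception. If the self-signed certificate's name does not match the host the client dials, grpc::ChannelArguments::SetSslTargetName sets the name gRPC checks the certificate against. Newer gRPC releases also expose a custom verifier hook through grpc::experimental::TlsChannelCredentialsOptions and ExternalCertificateVerifier, which is the kind of callback the question asks about; it lives in the experimental namespace, so check the release you build against.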