For iOS, you can take a look at an example of our gRPC ObjC transport that 
implemented support for SSL/TLS (GRPCSecureChannelFactory 
<https://github.com/grpc/grpc/blob/master/src/objective-c/GRPCClient/private/GRPCCore/GRPCSecureChannelFactory.m>).
 
If you provide your own root cert, you can create the channel credential 
using grpc_ssl_credentials_create 
<https://github.com/grpc/grpc/blob/a5cab10d6f1a810c484a0fb3018b082d3b4c9c6f/include/grpc/grpc_security.h#L255>
 (or 
one of its newer variants) and then associate it with each new channel 
that you create.   
You can find some usage examples of these in our interop test suites (e.g. 
InteropTestsLocalSSL 
<https://github.com/grpc/grpc/blob/master/src/objective-c/tests/InteropTests/InteropTestsLocalSSL.m>).
 
Hope this helps. 

Denny 

On Thursday, April 7, 2022 at 9:19:03 PM UTC-7 vitor.trav...@gmail.com 
wrote:

> Hi!
>
> Asking the engineers here to see if I understood it correctly.
> In our project we use a shared library built in C++ that we share across 
> iOS/Android for shared synchronisation code (and that uses gRPC C++).
> We're trying to make sure TLS is implemented properly over the gRPC 
> channels we create, especially under proxies/VPNs.
>
> From what I understand, the channel would take in the result of 
> grpc::SslCredentials() that takes in options containing either 
> `pem_cert_chain` (by documentation, the client certificate chain) or 
> `pem_root_certs` (by documentation, the server certs).
>
> Here are the questions:
>
> 1. As the client, am I supposed to provide the system certificate chain 
> (and the installed certificates) into `pem_cert_chain` or `pem_root_certs`? 
> 2. iOS applications are sandboxed. This means we do not have access to the 
> system certificate chain (and the installed certificates) directly so we 
> can fill the properties there. However, we can use SecTrust 
> <https://developer.apple.com/documentation/security/certificate_key_and_trust_services/trust>
>  
> from the native side to evaluate a received server certificate against the 
> installed certificate chain. From what I understand grpc::SslCredentials() 
> returns an object of type grpc::SecureChannelCredentials. Is the right way 
> to go about this to inherit that class and provide then our own custom 
> implementation of evaluating the server certificates by using the native 
> API? Or would that be a rabbit hole? Is there any example of doing so? Note 
> that we still want to use TLS/SSL as is; just the way we want to validate 
> the certificates needs to be different.
>
> Thanks!  
>
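The following is an added example, not code from the thread or from the gRPC project. It shows the client-side mapping the question asks about when using gRPC C++ directly: `pem_root_certs` carries the CA certificates the client trusts to verify the server, while `pem_private_key` and `pem_cert_chain` are only the client's own identity for mutual TLS and stay empty otherwise. The `TlsMaterial` struct, `ValidateTlsMaterial`, `CountPemBlocks`, and the placeholder PEM strings are constructed for this example; the gRPC calls (`grpc::SslCredentialsOptions`, `grpc::SslCredentials`, `grpc::CreateChannel`) are only compiled when `grpcpp/grpcpp.h` is available, so the validation logic can be built and exercised without the library.

```cpp
// Added example: assembling gRPC C++ SSL channel credentials from PEM material
// and catching the common field mix-up before the channel is created.
#include <cassert>
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

#if defined(__has_include)
#if __has_include(<grpcpp/grpcpp.h>)
#include <grpcpp/grpcpp.h>
#define HAVE_GRPCPP 1
#endif
#endif

// Mirrors the three PEM fields of grpc::SslCredentialsOptions.
struct TlsMaterial {
  std::string pem_root_certs;   // CA roots trusted to verify the SERVER's chain
  std::string pem_private_key;  // client private key (mutual TLS only)
  std::string pem_cert_chain;   // client certificate chain (mutual TLS only)
};

// Constructed placeholder PEM text for the example; not real certificates or keys.
const std::string kFakeCaCert =
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n";
const std::string kFakeClientCert =
    "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----\n";
const std::string kFakeClientKey =
    "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n";

// Count PEM blocks with the given label, e.g. "CERTIFICATE".
int CountPemBlocks(const std::string& pem, const std::string& label) {
  const std::string marker = "-----BEGIN " + label + "-----";
  int n = 0;
  for (size_t pos = pem.find(marker); pos != std::string::npos;
       pos = pem.find(marker, pos + marker.size())) {
    ++n;
  }
  return n;
}

// Returns "" when the material is coherent, otherwise a description of the
// misconfiguration. This is where "roots in the wrong field" is caught.
std::string ValidateTlsMaterial(const TlsMaterial& m) {
  if (CountPemBlocks(m.pem_root_certs, "CERTIFICATE") == 0) {
    return "pem_root_certs must contain at least one CA certificate; "
           "server verification is impossible without a trust anchor";
  }
  if (m.pem_root_certs.find("PRIVATE KEY-----") != std::string::npos) {
    return "pem_root_certs must not contain a private key";
  }
  const bool has_key = !m.pem_private_key.empty();
  const bool has_chain = !m.pem_cert_chain.empty();
  if (has_key != has_chain) {
    return "pem_private_key and pem_cert_chain are the client's mTLS identity "
           "and must be set together or both left empty";
  }
  return "";
}

// Read a PEM bundle (e.g. an exported CA bundle shipped with the app) into a string.
std::string ReadFileToString(const std::string& path) {
  std::ifstream in(path, std::ios::binary);
  std::ostringstream buf;
  buf << in.rdbuf();
  return buf.str();
}

#ifdef HAVE_GRPCPP
// Only compiled when gRPC C++ is present: build the credential and channel.
std::shared_ptr<grpc::Channel> MakeSecureChannel(const std::string& target,
                                                 const TlsMaterial& m) {
  grpc::SslCredentialsOptions opts;
  opts.pem_root_certs = m.pem_root_certs;
  opts.pem_private_key = m.pem_private_key;
  opts.pem_cert_chain = m.pem_cert_chain;
  return grpc::CreateChannel(target, grpc::SslCredentials(opts));
}
#endif

int main(int argc, char** argv) {
  // Usage: prog <ca-bundle.pem> [client-key.pem client-chain.pem]
  TlsMaterial m;
  m.pem_root_certs = argc > 1 ? ReadFileToString(argv[1]) : kFakeCaCert;
  if (argc > 3) {
    m.pem_private_key = ReadFileToString(argv[2]);
    m.pem_cert_chain = ReadFileToString(argv[3]);
  }
  const std::string problem = ValidateTlsMaterial(m);
  if (!problem.empty()) {
    std::cerr << "refusing to create channel: " << problem << "\n";
    return 1;
  }
#ifdef HAVE_GRPCPP
  auto channel = MakeSecureChannel("example.invalid:443", m);  // placeholder target
  std::cout << "channel created with server verification enabled\n";
#else
  std::cout << "material is coherent (gRPC headers not available in this build)\n";
#endif
  return 0;
}
```

The validator is deliberately conservative: it refuses an empty trust store rather than falling back to "no verification", and it treats a lone client chain (the mistake of putting the server's certificate in `pem_cert_chain`) as an error instead of silently sending an unusable identity.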

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.