If I’m on a proxied network though, providing a custom root certificate
breaks down communications because essentially you are pinning the
connection.
Hence why for most systems it's just a matter of dynamically looking into the
system-installed certificate chain and then using that, which unfortunately
isn't available on Apple platforms.

That's the problem we're facing, btw: some of our clients use a proxied
environment, and when they try to connect via proxy, the trusted certificate
chain is different from the custom one embedded in the app, which makes gRPC
reject the connection.

On Thu, 4 Aug 2022 at 7:25 am, 'Denny Dai' via grpc.io <
grpc-io@googlegroups.com> wrote:

> For iOS, you can take a look at an example of our gRPC ObjC transport that
> implemented support for SSL/TLS (GRPCSecureChannelFactory
> <https://github.com/grpc/grpc/blob/master/src/objective-c/GRPCClient/private/GRPCCore/GRPCSecureChannelFactory.m>).
> If you provide your own root cert, you can create the channel credential
> using grpc_ssl_credentials_create
> <https://github.com/grpc/grpc/blob/a5cab10d6f1a810c484a0fb3018b082d3b4c9c6f/include/grpc/grpc_security.h#L255>
> (or one of its newer variants) and then associate it with each new channel
> that you create.
> You can find some usage examples of these in our interop test suites (e.g.
> InteropTestsLocalSSL
> <https://github.com/grpc/grpc/blob/master/src/objective-c/tests/InteropTests/InteropTestsLocalSSL.m>).
> Hope this helps.
>
> Denny
>
> On Thursday, April 7, 2022 at 9:19:03 PM UTC-7 vitor.trav...@gmail.com
> wrote:
>
>> Hi!
>>
>> Asking the engineers here to see if I understood it correctly.
>> In our project we use a shared library built in C++ that we share across
>> iOS/Android for shared synchronisation code (and that uses gRPC C++).
>> We're trying to make sure TLS is implemented properly over the gRPC
>> channels we create, especially under proxies/VPNs.
>>
>> From what I understand, the channel would take in the result of
>> grpc::SslCredentials() that takes in options containing either
>> `pem_cert_chain` (by documentation, the client certificate chain) or
>> `pem_root_certs` (by documentation, the server certs).
>>
>> Here are the questions:
>>
>> 1. As the client, am I supposed to provide the system certificate chain
>> (and the installed certificates) into `pem_cert_chain` or `pem_root_certs`?
>> 2. iOS applications are sandboxed. This means we do not have access to
>> the system certificate chain (and the installed certificates) directly, so
>> we can't fill the properties there. However, we can use SecTrust
>> <https://developer.apple.com/documentation/security/certificate_key_and_trust_services/trust>
>> from the native side to evaluate a received server certificate against the
>> installed certificate chain. From what I understand, grpc::SslCredentials()
>> returns an object of type grpc::SecureChannelCredentials. Is the right way
>> to go about this to inherit from that class and then provide our own custom
>> implementation of evaluating the server certificates using the native
>> API? Or would that be a rabbit hole? Is there any example of doing so? Note
>> that we still want to use TLS/SSL as is; just the way we validate
>> the certificates needs to be different.
>>
>> Thanks!
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "grpc.io" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/grpc-io/jB1NDz7Fm6I/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> grpc-io+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/grpc-io/ddfc461f-77cf-4986-a58b-8dcf040eea92n%40googlegroups.com
> <https://groups.google.com/d/msgid/grpc-io/ddfc461f-77cf-4986-a58b-8dcf040eea92n%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
-- 
*Vitor Travain*
*iOS Engineer*

email: vitor.travain.agu...@gmail.com
github: corujautx <https://github.com/corujautx>
phone: +61 0410 211 869
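An added example (not code from this thread, from gRPC or from Apple) of the approach question 2 asks about, assuming a gRPC C++ release that ships the experimental ExternalCertificateVerifier hook (grpcpp/security/tls_certificate_verifier.h) and an ARC-enabled Objective-C++ file; SystemTrustVerifier, CertsFromPemChain, EvaluateWithSecTrust and SystemTrustChannelCredentials are names made up here. It leaves chain building and hostname matching to SecTrust, so the app embeds no roots and a profile-installed proxy CA is honoured without pinning.

```objective-c++
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <grpcpp/grpcpp.h>
#include <grpcpp/security/tls_certificate_verifier.h>
#include <grpcpp/security/tls_credentials_options.h>
static NSArray* CertsFromPemChain(const std::string& pem) {  // PEM chain from gRPC -> DER certs, leaf first
  NSMutableArray* certs = [NSMutableArray array];
  const std::string kBegin = "-----BEGIN CERTIFICATE-----", kEnd = "-----END CERTIFICATE-----";
  for (size_t pos = pem.find(kBegin), end = 0; pos != std::string::npos; pos = pem.find(kBegin, end)) {
    size_t start = pos + kBegin.size();
    if ((end = pem.find(kEnd, start)) == std::string::npos) break;
    NSData* der = [[NSData alloc] initWithBase64EncodedString:@(pem.substr(start, end - start).c_str())
                                                      options:NSDataBase64DecodingIgnoreUnknownCharacters];
    SecCertificateRef cert = der ? SecCertificateCreateWithData(nullptr, (__bridge CFDataRef)der) : nullptr;
    if (cert) [certs addObject:(__bridge_transfer id)cert];
  }
  return certs;
}
// Validate against the OS trust store (built-in roots plus profile/MDM-installed ones, e.g. a proxy CA); nothing is pinned.
static grpc::Status EvaluateWithSecTrust(const std::string& chain_pem, std::string host) {
  if (size_t colon = host.rfind(':'); colon != std::string::npos) host.erase(colon);  // "host:port" -> "host"
  NSArray* certs = CertsFromPemChain(chain_pem);
  if (certs.count == 0) return grpc::Status(grpc::StatusCode::UNAUTHENTICATED, "no peer certificate");
  SecPolicyRef policy = SecPolicyCreateSSL(true, (__bridge CFStringRef)@(host.c_str()));  // server auth, SAN == host
  SecTrustRef trust = nullptr; CFErrorRef err = nullptr;
  OSStatus rc = SecTrustCreateWithCertificates((__bridge CFArrayRef)certs, policy, &trust); CFRelease(policy);
  if (rc != errSecSuccess) return grpc::Status(grpc::StatusCode::INTERNAL, "SecTrustCreateWithCertificates failed");
  bool trusted = SecTrustEvaluateWithError(trust, &err);  // chain, validity period, hostname, revocation policy
  std::string why = err ? ((__bridge NSError*)err).localizedDescription.UTF8String : "";
  if (err) CFRelease(err); CFRelease(trust);
  return trusted ? grpc::Status::OK : grpc::Status(grpc::StatusCode::UNAUTHENTICATED, "OS rejected server cert: " + why);
}
// gRPC's post-handshake hook: it receives the peer chain and the channel's target name.
struct SystemTrustVerifier : grpc::experimental::ExternalCertificateVerifier {
  bool Verify(grpc::experimental::TlsCustomVerificationCheckRequest* req,
              std::function<void(grpc::Status)> /*async_done*/, grpc::Status* sync_status) override {
    grpc::string_ref chain = req->peer_cert_full_chain(), target = req->target_name();
    *sync_status = EvaluateWithSecTrust(std::string(chain.data(), chain.size()), std::string(target.data(), target.size()));
    return true;  // answered synchronously through sync_status
  }
  void Cancel(grpc::experimental::TlsCustomVerificationCheckRequest*) override {}
};
// Channel credentials that trust exactly what the device trusts; no pem_root_certs embedded in the app.
std::shared_ptr<grpc::ChannelCredentials> SystemTrustChannelCredentials() {
  grpc::experimental::TlsChannelCredentialsOptions opts;
  opts.set_verify_server_certs(false);  // gRPC's built-in root check is replaced by SecTrust above, not dropped
  opts.set_check_call_host(false);      // hostname is already enforced by the SSL policy
  opts.set_certificate_verifier(grpc::experimental::ExternalCertificateVerifier::Create<SystemTrustVerifier>());
  return grpc::experimental::TlsCredentials(opts);
}
```

Treat the verifier as the whole of server authentication: with verify_server_certs off, a Verify that returned OK unconditionally would leave the channel encrypted but unauthenticated.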
