>
> Unless the community position is to let the users themselves build the
> grpc lib with whatever openssl version they prefer.
>

gRPC only builds with BoringSSL with Bazel and can build with a list of
supported OpenSSL versions with CMake. OpenSSL is not packaged inside
the library.

> As a user of the C++ gRPC standard library, I have a hard time understanding why
> this pkcs#11 access to TLS credentials is not provided as part of the
> standard gRPC API.
>

I think the simple answer is that we don't see many use cases or requests
for this. And external contributions are always welcomed.




On Mon, Sep 18, 2023 at 6:00 AM GoogleUser Zak <hkm...@gmail.com> wrote:

> As a user of the C++ gRPC standard library, I have a hard time understanding why
> this pkcs#11 access to TLS credentials is not provided as part of the
> standard gRPC API. This way the user will not have to worry about
> rebuilding the library.
>
> Therefore, regarding which openssl version to use, if it is packaged
> inside the grpc library, then it will just depend on which version of grpc
> lib is being used.
> So, moving to a new openssl version would just require the user to upgrade
> their grpc library to a new grpc version.
>
> Unless the community position is to let the users themselves build the
> grpc lib with whatever openssl version they prefer.
>
> If someone can shed some light on this, it would be greatly appreciated.
>
> Thanks
>
>
> On Wed, Sept 13, 2023, 3:59 p.m. 'Luwei Ge' via grpc.io <
> grpc-io@googlegroups.com> wrote:
>
>> Hi,
>>
>> I assume you are building gRPC with OpenSSL.
>>
>> 1. We do have some support for the Engine APIs (
>> https://github.com/grpc/grpc/blob/6534f0a6bfc1cfae6db931f9ee16f480de980374/src/core/tsi/ssl_transport_security.cc#L568)
>> of OpenSSL 1.0.2. Unfortunately, because the feature was implemented quite
>> a while ago, the test (
>> https://github.com/grpc/grpc/blob/3717ff04bafd18504d8613d753d4605927305de3/test/core/end2end/h2_ssl_cert_test.cc#L263)
>> has been broken and is yet to be fixed. Regardless of the test, if we assume
>> this still works, would it accommodate your use case? Note that you'd be
>> locked into OpenSSL 1.0.2.
>>
>> 2. If option 1 above is not viable but the OpenSSL Engine APIs will
>> indeed solve your problem, would you be interested in contributing to
>> supporting this feature for more recent OpenSSL versions (namely, OpenSSL
>> 3)?
>>
>> Please let us know if you have any questions.
>>
>> Best,
>> Luwei
>>
>>
>> On Saturday, September 9, 2023 at 5:29:20 PM UTC-4 GoogleUser Zak wrote:
>>
>>> Hi,
>>> I am looking for a gRPC library implementation/version where a C++ gRPC
>>> client, namely CreateChannel(), can refer to the mTLS private key using
>>> a PKCS#11 URI, and therefore the private key doesn't need to be read in the
>>> user space, and will stay in the HSM secure memory.
>>>
>>> Is there a way to use OpenSSL with pkcs11 engine in the gRPC library? If
>>> so, any pointers about how to create that gRPC library?
>>>
>>> Thanks
>>> --
>>> Hakim
>>>
>>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "grpc.io" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to grpc-io+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/grpc-io/8d002db7-98f7-4a8d-a472-a8e782f934a2n%40googlegroups.com
>> <https://groups.google.com/d/msgid/grpc-io/8d002db7-98f7-4a8d-a472-a8e782f934a2n%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>>
>
