Hello,

SSL renegotiation represents a large attack surface, and historically has 
caused security issues. Because of this we just haven't seen much interest 
in its use, so it hasn't been high up on the feature list to support. We 
definitely wouldn't want it to be default-on, but I don't see a problem 
with letting users opt-in to using the feature if they understand the risk.

I don't think the team has the cycles right now to implement this. We 
welcome PRs if you would be interested in implementing it.


Gregory

On Thursday, September 28, 2023 at 5:20:24 AM UTC-4 Shikha Chowdhary wrote:

> Hello, 
>
> I am working on version 1.0.0. As per the code, SSL renegotiation isn't 
> supported.
> It seems it's still not supported in the latest version either. Is there a 
> specific reason for not supporting it?
> - Latest stack code snippet
> tsi_result DoSslWrite(...) {
>   ...
>   int ssl_write_result = SSL_write(ssl, unprotected_bytes,
>                                    static_cast<int>(unprotected_bytes_size));
>   if (ssl_write_result < 0) {
>     ssl_write_result = SSL_get_error(ssl, ssl_write_result);
>     if (ssl_write_result == SSL_ERROR_WANT_READ) {
>       gpr_log(GPR_ERROR,
>               "Peer tried to renegotiate SSL connection. This is unsupported.");
>       return TSI_UNIMPLEMENTED;
>     ...
>
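
The snippet above notices a renegotiation only after the fact: once the peer has sent a HelloRequest (or a fresh ClientHello), SSL_write() fails with SSL_ERROR_WANT_READ and the TSI layer maps that to TSI_UNIMPLEMENTED. The complementary approach is to have OpenSSL refuse renegotiation up front with SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) (OpenSSL 1.1.0h and later), or to require TLS 1.3, where renegotiation no longer exists in the protocol. The following is an added example, not gRPC or TSI code; it uses Python's ssl module, which wraps the same OpenSSL option (ssl.OP_NO_RENEGOTIATION), and the function names and the "default-off, explicit opt-in" shape are my own assumptions about how such a switch would be exposed.

```python
import ssl

# Added example, not gRPC/TSI code. Shows two ways to close the
# renegotiation attack surface at the library level instead of
# detecting it in the write path, plus an audit check.

# SSL_OP_NO_RENEGOTIATION exists only in OpenSSL >= 1.1.0h (exposed by
# Python >= 3.7), so treat it as optional: 0 means "not available".
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", 0)


def renegotiation_flag_available() -> bool:
    """True if this OpenSSL build can refuse renegotiation by itself."""
    return bool(NO_RENEG)


def make_server_context(allow_renegotiation: bool = False) -> ssl.SSLContext:
    """Server context: TLS 1.2+ and renegotiation refused unless opted in.

    Hypothetical opt-in switch (assumption, not a gRPC option): the flag is
    set or cleared explicitly so the result does not depend on whatever
    defaults the ssl module applied to a fresh context.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if not NO_RENEG:
        return ctx  # old OpenSSL: only write-path detection is left
    if allow_renegotiation:
        # Clear the bit with plain ints; the options setter calls
        # SSL_CTX_clear_options for bits that are dropped.
        ctx.options = int(ctx.options) & ~int(NO_RENEG)
    else:
        # C equivalent: SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION)
        ctx.options |= NO_RENEG
    return ctx


def make_tls13_only_context() -> ssl.SSLContext:
    """Alternative: TLS 1.3 removed renegotiation from the protocol, so
    pinning the minimum version closes the surface without the flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def renegotiation_possible(ctx: ssl.SSLContext) -> bool:
    """Audit check: could a peer still trigger renegotiation on ctx?

    It needs (a) a TLS <= 1.2 session to be negotiable and (b) the
    OpenSSL-level refusal flag to be absent.
    """
    legacy_tls_allowed = ctx.minimum_version <= ssl.TLSVersion.TLSv1_2
    refused_by_openssl = bool(NO_RENEG) and bool(int(ctx.options) & int(NO_RENEG))
    return legacy_tls_allowed and not refused_by_openssl


if __name__ == "__main__":
    for name, c in (("default", make_server_context()),
                    ("opt-in", make_server_context(allow_renegotiation=True)),
                    ("tls1.3-only", make_tls13_only_context())):
        print(f"{name:12s} renegotiation possible: {renegotiation_possible(c)}")
```

With the flag set, OpenSSL declines the peer's HelloRequest/ClientHello itself, so DoSslWrite() never sees SSL_ERROR_WANT_READ for that reason and the connection keeps working; with TLS 1.3 pinned, there is no renegotiation message to receive at all. Which of the two fits depends on whether TLS 1.2 peers must still be served.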

-- 
You received this message because you are subscribed to the Google Groups 
"grpc.io" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/grpc-io/008b98bc-6f5d-4582-8be5-967d1b800b6fn%40googlegroups.com.