|
|
@ -54,20 +54,33 @@ |
|
|
|
|
|
|
|
|
|
|
|
/* -- Constants. -- */ |
|
|
|
/* -- Constants. -- */ |
|
|
|
|
|
|
|
|
|
|
|
/* Defines the cipher suites that we accept. All these cipher suites are
|
|
|
|
|
|
|
|
compliant with TLS 1.2 and use an RSA public key. We prefer GCM over CBC |
|
|
|
|
|
|
|
and ECDHE-RSA over just RSA. */ |
|
|
|
|
|
|
|
#define GRPC_SSL_CIPHER_SUITES \ |
|
|
|
|
|
|
|
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:" \
|
|
|
|
|
|
|
|
"AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-" \
|
|
|
|
|
|
|
|
"SHA256:AES256-SHA256" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifndef INSTALL_PREFIX |
|
|
|
#ifndef INSTALL_PREFIX |
|
|
|
static const char *installed_roots_path = "/usr/share/grpc/roots.pem"; |
|
|
|
static const char *installed_roots_path = "/usr/share/grpc/roots.pem"; |
|
|
|
#else |
|
|
|
#else |
|
|
|
static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem"; |
|
|
|
static const char *installed_roots_path = INSTALL_PREFIX "/share/grpc/roots.pem"; |
|
|
|
#endif |
|
|
|
#endif |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* -- Cipher suites. -- */ |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* Defines the cipher suites that we accept by default. All these cipher suites
|
|
|
|
|
|
|
|
are compliant with HTTP2. */ |
|
|
|
|
|
|
|
#define GRPC_SSL_CIPHER_SUITES \ |
|
|
|
|
|
|
|
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-" \
|
|
|
|
|
|
|
|
"SHA384:ECDHE-RSA-AES256-GCM-SHA384" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static gpr_once cipher_suites_once = GPR_ONCE_INIT; |
|
|
|
|
|
|
|
static const char *cipher_suites = NULL; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void init_cipher_suites(void) { |
|
|
|
|
|
|
|
char *overridden = gpr_getenv("GRPC_SSL_CIPHER_SUITES"); |
|
|
|
|
|
|
|
cipher_suites = overridden != NULL ? overridden : GRPC_SSL_CIPHER_SUITES; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static const char *ssl_cipher_suites(void) { |
|
|
|
|
|
|
|
gpr_once_init(&cipher_suites_once, init_cipher_suites); |
|
|
|
|
|
|
|
return cipher_suites; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
/* -- Common methods. -- */ |
|
|
|
/* -- Common methods. -- */ |
|
|
|
|
|
|
|
|
|
|
|
grpc_security_status grpc_security_context_create_handshaker( |
|
|
|
grpc_security_status grpc_security_context_create_handshaker( |
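Review bot: The `GRPC_SSL_CIPHER_SUITES` override read in `init_cipher_suites` is passed to the handshaker factory unvalidated, and an empty value counts as an override, so an environment with `GRPC_SSL_CIPHER_SUITES=` (set but empty) yields an empty cipher list and a failed factory rather than the built-in default; treating empty as unset, `cipher_suites = (overridden != NULL && *overridden != '\0') ? overridden : GRPC_SSL_CIPHER_SUITES;`, and logging at GPR_INFO which list was selected would make a misconfigured or deliberately weakened environment visible in the logs. The string returned by `gpr_getenv` appears to be a heap copy that is stored in the static `cipher_suites` and never released, which is reasonable for process-lifetime state but deserves a comment such as `/* Never freed: the override is kept for the lifetime of the process. */` so it is not mistaken for a leak. The comment above the new default states that every listed suite is HTTP/2 compliant, yet ECDHE-RSA-AES128-SHA256 and ECDHE-RSA-AES256-SHA384 are CBC suites that appear on the RFC 7540 Appendix A black list; either drop those two entries or reword the comment to say that the list is the TLS 1.2 ECDHE-RSA set and that only the GCM entries are acceptable for HTTP/2.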
|
|
@ -489,7 +502,7 @@ grpc_security_status grpc_ssl_channel_security_context_create( |
|
|
|
result = tsi_create_ssl_client_handshaker_factory( |
|
|
|
result = tsi_create_ssl_client_handshaker_factory( |
|
|
|
config->pem_private_key, config->pem_private_key_size, |
|
|
|
config->pem_private_key, config->pem_private_key_size, |
|
|
|
config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs, |
|
|
|
config->pem_cert_chain, config->pem_cert_chain_size, pem_root_certs, |
|
|
|
pem_root_certs_size, GRPC_SSL_CIPHER_SUITES, alpn_protocol_strings, |
|
|
|
pem_root_certs_size, ssl_cipher_suites(), alpn_protocol_strings, |
|
|
|
alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory); |
|
|
|
alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory); |
|
|
|
if (result != TSI_OK) { |
|
|
|
if (result != TSI_OK) { |
|
|
|
gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
|
|
|
gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
|
|
@ -543,7 +556,7 @@ grpc_security_status grpc_ssl_server_security_context_create( |
|
|
|
(const unsigned char **)config->pem_cert_chains, |
|
|
|
(const unsigned char **)config->pem_cert_chains, |
|
|
|
config->pem_cert_chains_sizes, config->num_key_cert_pairs, |
|
|
|
config->pem_cert_chains_sizes, config->num_key_cert_pairs, |
|
|
|
config->pem_root_certs, config->pem_root_certs_size, |
|
|
|
config->pem_root_certs, config->pem_root_certs_size, |
|
|
|
GRPC_SSL_CIPHER_SUITES, alpn_protocol_strings, |
|
|
|
ssl_cipher_suites(), alpn_protocol_strings, |
|
|
|
alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory); |
|
|
|
alpn_protocol_string_lengths, num_alpn_protocols, &c->handshaker_factory); |
|
|
|
if (result != TSI_OK) { |
|
|
|
if (result != TSI_OK) { |
|
|
|
gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
|
|
|
gpr_log(GPR_ERROR, "Handshaker factory creation failed with %s.", |
|
|
|