Feature Request
Motivation
ClientTlsConfig and ServerTlsConfig build their rustls configuration from
CryptoProvider::get_default() (in channel/service/tls.rs and
server/service/tls.rs), falling back to the provider selected by the
tls-ring or tls-aws-lc feature. There is no way to set the CryptoProvider
for a specific channel or server.
So an application that wants a non-default provider, for example a FIPS build or
a provider that constrains the cipher suites and key-exchange groups (such as a
post-quantum profile), can only do so by installing it process-wide with
CryptoProvider::install_default. That is all or nothing: it forces every
rustls user in the process onto the same provider, which is often undesirable
when only some connections should use the custom posture.
Proposal
Add a with_provider builder method to both configs:
impl ClientTlsConfig {
pub fn with_provider(self, provider: Arc<rustls::crypto::CryptoProvider>) -> Self;
}
impl ServerTlsConfig {
pub fn with_provider(self, provider: Arc<rustls::crypto::CryptoProvider>) -> Self;
}
When set, tonic builds the rustls config with builder_with_provider(provider)
instead of get_default(); roots, identity, ALPN, and client auth are layered
on top unchanged. The field is optional and defaults to current behavior, so it
is backward compatible.
This mirrors the existing escape hatch for custom certificate verifiers (#2612),
and composes with tonic's existing configuration rather than replacing it, which
avoids the conflicts a full ClientConfig/ServerConfig override would
introduce with roots, identity, and ALPN.
I have an implementation ready and will open a PR.
Feature Request
Motivation
ClientTlsConfigandServerTlsConfigbuild their rustls configuration fromCryptoProvider::get_default()(inchannel/service/tls.rsandserver/service/tls.rs), falling back to the provider selected by thetls-ringortls-aws-lcfeature. There is no way to set theCryptoProviderfor a specific channel or server.
So an application that wants a non-default provider, for example a FIPS build or
a provider that constrains the cipher suites and key-exchange groups (such as a
post-quantum profile), can only do so by installing it process-wide with
CryptoProvider::install_default. That is all or nothing: it forces everyrustls user in the process onto the same provider, which is often undesirable
when only some connections should use the custom posture.
Proposal
Add a
with_providerbuilder method to both configs:When set, tonic builds the rustls config with
builder_with_provider(provider)instead of
get_default(); roots, identity, ALPN, and client auth are layeredon top unchanged. The field is optional and defaults to current behavior, so it
is backward compatible.
This mirrors the existing escape hatch for custom certificate verifiers (#2612),
and composes with tonic's existing configuration rather than replacing it, which
avoids the conflicts a full
ClientConfig/ServerConfigoverride wouldintroduce with roots, identity, and ALPN.
I have an implementation ready and will open a PR.