feat(transport/channel): expose ServerCertVerifier API #2612
Status: Merged

LucioFranco approved these changes, Apr 30, 2026.

LucioFranco pushed a commit that referenced this pull request, May 7, 2026:
## 🤖 New release

* `tonic`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-build`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-prost`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-health`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-types`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-reflection`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-prost-build`: 0.14.5 -> 0.14.6 (✓ API compatible changes)
* `tonic-web`: 0.14.5 -> 0.14.6 (✓ API compatible changes)

<details><summary><i><b>Changelog</b></i></summary><p>

## `tonic`

<blockquote>

## [0.14.6](tonic-v0.14.5...tonic-v0.14.6) - 2026-05-06

### Added

- *(transport/channel)* expose ServerCertVerifier API ([#2612](#2612))

### Fixed

- map no trailers ok status to unknown ([#2543](#2543))

### Other

- add max_frame_size to client Endpoint ([#2592](#2592))
- Allow setting the HTTP/2 client header table size ([#2582](#2582))
- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-build`

<blockquote>

## [0.14.6](tonic-build-v0.14.5...tonic-build-v0.14.6) - 2026-05-06

### Other

- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-prost`

<blockquote>

## [0.14.6](tonic-prost-v0.14.5...tonic-prost-v0.14.6) - 2026-05-06

### Other

- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-health`

<blockquote>

## [0.14.6](tonic-health-v0.14.5...tonic-health-v0.14.6) - 2026-05-06

### Other

- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-types`

<blockquote>

## [0.14.6](tonic-types-v0.14.5...tonic-types-v0.14.6) - 2026-05-06

### Other

- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-reflection`

<blockquote>

## [0.14.6](tonic-reflection-v0.14.5...tonic-reflection-v0.14.6) - 2026-05-06

### Other

- fix panic when client drops connection early ([#2596](#2596))
- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-prost-build`

<blockquote>

## [0.14.6](tonic-prost-build-v0.14.5...tonic-prost-build-v0.14.6) - 2026-05-06

### Other

- Support well known types resolved by prost to their rust counterparts ([#2544](#2544))
- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

## `tonic-web`

<blockquote>

## [0.14.6](tonic-web-v0.14.5...tonic-web-v0.14.6) - 2026-05-06

### Other

- update rust edition and version to 2024 and 1.88, respectively ([#2525](#2525))

</blockquote>

</p></details>

---

This PR was generated with [release-plz](https://github.com/release-plz/release-plz/).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
YutaoMa added a commit that referenced this pull request, May 12, 2026:
## Motivation

Ref: #2444

Continues the gRFC A29 (xDS-Based TLS Security) work in `tonic-xds`. The cert provider foundation merged in #2593 gives us a pluggable source of trust roots and identity. The next step toward end-to-end mTLS in the data plane is to parse the cluster's TLS config from xDS, validate server certs against the configured trust roots, and apply SAN matching on top of WebPKI chain validation.

This PR adds the building blocks for that validation. Integration with the connector factory is deferred to a follow-up PR — see below.

## Solution

- **StringMatcher extraction** (`xds/resource/string_matcher.rs`): pulled out of `routing.rs` so it can be reused. The SAN matcher uses it for the string-comparison primitives.
- **UpstreamTlsContext parsing** (`xds/resource/security.rs`): parses `envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext` into a typed config.
- **SAN matcher** (`xds/resource/san_matcher.rs`): RFC 6125 wildcard DNS matching, RFC 5952 IP canonicalization, plus URI, EMAIL, and OTHER_NAME paths matching using the above extracted `StringMatcher`.
- **A29 `ServerCertVerifier`** (`xds/cert_provider/verifier.rs`): wraps `WebPkiServerVerifier` and applies SAN matching after standard chain validation. Sources trust roots from the existing `CertProviderRegistry`.

All new types are tested in isolation against synthetic certs.

### Why integration is deferred

The tonic-side hook for installing a custom rustls `ServerCertVerifier` on a `Channel` is still in flight as #2612. Without that API, the verifier can't be wired into the per-cluster connector from a downstream crate.

---

Co-authored-by: Jeff Jiang <jefjiang@linkedin.com>
YutaoMa added a commit that referenced this pull request, May 26, 2026:
## Motivation

Ref: #2444

Closes out gRFC A29 (xDS-Based TLS Security) in `tonic-xds`. The cert provider foundation merged in #2593 and #2616 left the connector integration deferred — its pre-req `Endpoint::tls_config_with_verifier` landed in #2612. With that hook available, this PR wires up the per-cluster TLS connector.

## Solution

Five commits, each independently reviewable:

- `file_watcher` background refresh.
- Eager cert parsing in cert provider, verifier access it per handshake.
- Atomically swap `Connector` on CDS update. Existing endpoint channels keep their connector; new connections pick up the latest. Invalid CDS updates are logged and the previous-good connector is kept.
- **Data-plane `TlsConnector`** — for clusters with `Some(security)`, the connector holds the A29 verifier plus an optional identity provider (mTLS). `connect()` fetches identity per call, assembles a `ClientTlsConfig`, and builds the endpoint.
- Docs + dead_code cleanup
## Motivation

Ref: #2444

`tonic::transport::ClientTlsConfig` currently builds the `rustls::ClientConfig` internally with the default `WebPkiServerVerifier`. There's no way to inject a custom `ServerCertVerifier` without abandoning `ClientTlsConfig` and going through `Endpoint::connect_with_connector_lazy`, which means reimplementing TCP + TLS handshake + ALPN enforcement + timeout handling that tonic already provides correctly.

This blocks the gRFC A29 (xDS-Based TLS Security) SAN matching feature which we are adding to `tonic-xds`.

## Solution

Adds `Endpoint::tls_config_with_verifier(ClientTlsConfig, Arc<dyn ServerCertVerifier>)`. When invoked, `TlsConnector::new` builds the `ClientConfig` via `.dangerous().with_custom_certificate_verifier(...)` instead of the default root-store path. SNI, ALPN, timeout, identity, and key-log continue to apply.

## Design Highlights

- **API placement on `Endpoint` rather than `ClientTlsConfig`:** Adding the verifier as a field on `ClientTlsConfig` would require storing `Arc<dyn ServerCertVerifier>`. Since the `ServerCertVerifier` trait carries no `UnwindSafe + RefUnwindSafe` bounds, the `dyn` type does not propagate either auto trait, which would silently strip `ClientTlsConfig`'s existing `UnwindSafe + RefUnwindSafe` impls — a semver-breaking auto-trait removal flagged by `cargo-semver-checks`. Placing the method on `Endpoint` (which is already `!UnwindSafe`) avoids the regression and keeps the verifier opt-in, scoped to users who explicitly need it.
- **Conflict detection:** combining a custom verifier with `ca_certificate`, `ca_certificates`, `trust_anchor`, `trust_anchors`, `with_*_roots` returns `TlsError::VerifierConflict` at connector-construction time. A custom verifier replaces the entire default-verifier path including its trust roots, so the CA-configuration methods would be silently ignored. We chose to emit an explicit error to help prevent such footguns. Users who want both standard WebPKI behavior and additional checks can compose `WebPkiServerVerifier` inside their custom verifier with their own root store (as is planned for the tonic-xds A29 implementation).
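The "compose `WebPkiServerVerifier` inside your custom verifier" pattern above, and the SAN matcher the May 12 commit describes (RFC 6125 wildcard DNS matching, RFC 5952 IP canonicalization, Envoy-style `StringMatcher`), as an added, std-only example. This is not tonic or tonic-xds code: `VerifyError`, `San`, `LeafCert`, `Pattern`, `StringMatcher`, `SanMatcher`, `ChainVerifier` and `SanCheckingVerifier` are hypothetical names, and the `ChainVerifier` trait is a stand-in for the `WebPkiServerVerifier` a real implementation would delegate to, so the block runs without rustls. The leaf certificate and its SANs are constructed inline.

```rust
use std::net::IpAddr;

/// Stand-in for `rustls::Error` (hypothetical).
#[derive(Debug, Clone, PartialEq)]
pub enum VerifyError {
    Chain(String),
    SanMismatch,
}

/// One subjectAltName of the leaf. A real verifier decodes these from the DER
/// `CertificateDer`; here the caller supplies them (constructed input).
#[derive(Debug, Clone, PartialEq)]
pub enum San {
    Dns(String),
    Ip(IpAddr),
    Uri(String),
    Email(String),
}

/// Minimal leaf certificate: only what the SAN check needs.
pub struct LeafCert {
    pub sans: Vec<San>,
}

/// Envoy-style `StringMatcher`: exact / prefix / suffix / contains, optional ignore_case.
#[derive(Debug, Clone)]
pub enum Pattern {
    Exact(String),
    Prefix(String),
    Suffix(String),
    Contains(String),
}

#[derive(Debug, Clone)]
pub struct StringMatcher {
    pub pattern: Pattern,
    pub ignore_case: bool,
}

impl StringMatcher {
    pub fn exact(v: &str) -> Self {
        StringMatcher { pattern: Pattern::Exact(v.to_string()), ignore_case: false }
    }

    pub fn matches(&self, value: &str) -> bool {
        let fold = |s: &str| if self.ignore_case { s.to_ascii_lowercase() } else { s.to_string() };
        let v = fold(value);
        match &self.pattern {
            Pattern::Exact(p) => v == fold(p),
            Pattern::Prefix(p) => v.starts_with(&fold(p)),
            Pattern::Suffix(p) => v.ends_with(&fold(p)),
            Pattern::Contains(p) => v.contains(&fold(p)),
        }
    }
}

/// RFC 6125 section 6.4.3: a certificate DNS SAN may carry a leading `*.` label.
/// Only a whole left-most wildcard label is honoured, it matches exactly one
/// label, and at least two labels must follow it, so `*.com` matches nothing.
pub fn dns_san_matches(san: &str, host: &str) -> bool {
    let san = san.trim_end_matches('.').to_ascii_lowercase();
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let suffix = match san.strip_prefix("*.") {
        Some(suffix) => suffix,
        None => return san == host,
    };
    if !suffix.contains('.') {
        return false;
    }
    match host.strip_suffix(suffix).and_then(|h| h.strip_suffix('.')) {
        Some(label) => !label.is_empty() && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-'),
        None => false,
    }
}

/// RFC 5952 text form of an IP literal via std's `Display` (lower-case hex,
/// longest zero run compressed); `None` if the string is not an IP address.
pub fn canonical_ip(s: &str) -> Option<String> {
    s.parse::<IpAddr>().ok().map(|ip| ip.to_string())
}

#[derive(Debug, Clone)]
pub enum SanMatcher {
    Dns(StringMatcher),
    Ip(StringMatcher),
    Uri(StringMatcher),
    Email(StringMatcher),
}

impl SanMatcher {
    pub fn matches(&self, san: &San) -> bool {
        match (self, san) {
            (SanMatcher::Dns(m), San::Dns(name)) => match &m.pattern {
                // An exact DNS matcher is a hostname, so the cert's wildcard SAN applies.
                Pattern::Exact(host) => dns_san_matches(name, host),
                _ => m.matches(&name.to_ascii_lowercase()),
            },
            (SanMatcher::Ip(m), San::Ip(ip)) => match &m.pattern {
                // Compare canonical forms so "2001:0DB8:0:0:0:0:0:1" equals "2001:db8::1".
                Pattern::Exact(want) => canonical_ip(want).as_deref() == Some(ip.to_string().as_str()),
                _ => m.matches(&ip.to_string()),
            },
            (SanMatcher::Uri(m), San::Uri(v)) | (SanMatcher::Email(m), San::Email(v)) => m.matches(v),
            _ => false,
        }
    }
}

/// Chain validation up to the trust roots. In tonic this role is played by
/// `WebPkiServerVerifier` built from your own `RootCertStore` (hypothetical trait).
pub trait ChainVerifier {
    fn verify_chain(&self, leaf: &LeafCert) -> Result<(), VerifyError>;
}

impl<F: Fn(&LeafCert) -> Result<(), VerifyError>> ChainVerifier for F {
    fn verify_chain(&self, leaf: &LeafCert) -> Result<(), VerifyError> {
        self(leaf)
    }
}

/// Custom verifier: chain validation first, SAN matching second. `verify` is the
/// body a `ServerCertVerifier::verify_server_cert` impl would run before the
/// `Arc<dyn ServerCertVerifier>` is handed to `Endpoint::tls_config_with_verifier`.
pub struct SanCheckingVerifier<V> {
    inner: V,
    matchers: Vec<SanMatcher>,
}

impl<V: ChainVerifier> SanCheckingVerifier<V> {
    pub fn new(inner: V, matchers: Vec<SanMatcher>) -> Self {
        SanCheckingVerifier { inner, matchers }
    }

    pub fn verify(&self, leaf: &LeafCert) -> Result<(), VerifyError> {
        // Never consult SANs of a chain that did not validate: a self-signed
        // attacker cert can carry any SAN it likes.
        self.inner.verify_chain(leaf)?;
        // No matchers configured: this example keeps chain validation only.
        if self.matchers.is_empty() {
            return Ok(());
        }
        let ok = leaf.sans.iter().any(|s| self.matchers.iter().any(|m| m.matches(s)));
        if ok { Ok(()) } else { Err(VerifyError::SanMismatch) }
    }
}

fn main() {
    // Constructed leaf: a wildcard DNS SAN plus an IPv6 SAN.
    let leaf = LeafCert {
        sans: vec![San::Dns("*.example.com".to_string()), San::Ip("2001:db8::1".parse().unwrap())],
    };
    let chain_ok = |_: &LeafCert| -> Result<(), VerifyError> { Ok(()) };
    let verifier = SanCheckingVerifier::new(chain_ok, vec![SanMatcher::Dns(StringMatcher::exact("api.example.com"))]);
    println!("{:?}", verifier.verify(&leaf));
}
```

When wiring a verifier like this into tonic, pass it as the second argument of `Endpoint::tls_config_with_verifier` and keep `ca_certificate`, `trust_anchors` and the other root-store setters off the `ClientTlsConfig`; the verifier owns its root store, and mixing the two fails at connector construction with `TlsError::VerifierConflict`, as described above.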