class TlsCredentialsOptions

Defined at line 40 of file ../../third_party/grpc-migrating/src/include/grpcpp/security/tls_credentials_options.h

Base class of configurable options specified by users to configure certain security features supported in TLS. It is used for experimental purposes for now and is subject to change.

Public Methods

TlsCredentialsOptions ()

Constructor for base class TlsCredentialsOptions.

Parameters

certificate_provider: the provider which fetches the TLS credentials that will be used in the TLS handshake

~TlsCredentialsOptions ()

TlsCredentialsOptions (const TlsCredentialsOptions & other)

Copy constructor does a deep copy of the underlying pointer. No assignment permitted.

TlsCredentialsOptions & operator= (const TlsCredentialsOptions & other)

Defined at line 52 of file ../../third_party/grpc-migrating/src/include/grpcpp/security/tls_credentials_options.h

void set_certificate_provider (std::shared_ptr<CertificateProviderInterface> certificate_provider)

---- Setters for member fields ----

Sets the certificate provider used to store root certs and identity certs.

void watch_root_certs ()

Watches the updates of root certificates with name |root_cert_name|. If used in TLS credentials, setting this field is optional for both the client side and the server side.

If this is not set on the client side, we will use the root certificates stored in the default system location, since the client side must provide root certificates in TLS (no matter whether single-side TLS or mutual TLS).

If this is not set on the server side, we will not watch any root certificate updates, and assume no root certificates are needed for the server (in the one-side TLS scenario, the server is not required to provide root certs). We don't support default root certs on the server side.

void set_root_cert_name (const std::string & root_cert_name)

Sets the name of root certificates being watched, if |watch_root_certs| is called. If not set, an empty string will be used as the name.

Parameters

root_cert_name: the name of root certs being set.
void watch_identity_key_cert_pairs ()

Watches the updates of identity key-cert pairs with name |identity_cert_name|. If used in TLS credentials, it is required to be set on the server side, and optional for the client side (in the one-side TLS scenario, the client is not required to provide identity certs).

void set_identity_cert_name (const std::string & identity_cert_name)

Sets the name of identity key-cert pairs being watched, if |watch_identity_key_cert_pairs| is called. If not set, an empty string will be used as the name.

Parameters

identity_cert_name: the name of identity key-cert pairs being set.
void set_tls_session_key_log_file_path (const std::string & tls_session_key_log_file_path)

Sets the TLS session key logging configuration. If not set, TLS session key logging is disabled. Note that this should be used only for debugging purposes. It should never be used in a production environment due to security concerns.

Parameters

tls_session_key_log_file_path: path where TLS session keys would be logged.
void set_certificate_verifier (std::shared_ptr<CertificateVerifier> certificate_verifier)

Sets the certificate verifier used to perform post-handshake peer identity checks.

void set_check_call_host (bool check_call_host)

Sets the option of whether to check the hostname of the peer on a per-call basis. This is usually used in combination with virtual hosting at the client side, where each individual call on a channel can have a different host associated with it.

This check is intended to verify that the host specified for the individual call is covered by the cert that the peer presented.

We will perform such checks by default. This should be disabled if verifiers other than the host name verifier are used.

Deprecated: This function will be removed in the 1.66 release. This will be replaced by and handled within the custom verifier settings.

void set_crl_directory (const std::string & path)

Deprecated in favor of set_crl_provider. The CRL provider interface provides a significantly more flexible approach to using CRLs. See gRFC A69 for details.

If set, gRPC will read all hashed X.509 CRL files in the directory and enforce the CRL files on all TLS handshakes. Only supported for OpenSSL version > 1.1.

Deprecated: This function will be removed in the 1.66 release. Use the set_crl_provider function instead.

void set_crl_provider (std::shared_ptr<CrlProvider> crl_provider)
void set_min_tls_version (grpc_tls_version tls_version)

Sets the minimum TLS version that will be negotiated during the TLS handshake. If not set, the underlying SSL library will use TLS v1.2.

Parameters

tls_version: the minimum TLS version.

void set_max_tls_version (grpc_tls_version tls_version)

Sets the maximum TLS version that will be negotiated during the TLS handshake. If not set, the underlying SSL library will use TLS v1.3.

Parameters

tls_version: the maximum TLS version.
grpc_tls_credentials_options * c_credentials_options ()

----- Getters for member fields ----

Returns a deep copy of the internal C options. The caller takes ownership of the returned pointer. This function shall be used only internally.
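As an added, stand-alone example (not gRPC's code): a preflight check that encodes the constraints stated for watch_identity_key_cert_pairs, set_tls_session_key_log_file_path, set_check_call_host and set_min_tls_version/set_max_tls_version above. It mirrors the relevant option fields in a hypothetical TlsOptionsSnapshot struct, with a TlsVersion enum standing in for grpc_tls_version, so it compiles without linking gRPC.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for grpc_tls_version (TLS1_2, TLS1_3) so the check compiles without gRPC.
enum class TlsVersion { TLS1_2 = 0, TLS1_3 = 1 };

// Hypothetical snapshot of what the TlsCredentialsOptions setters would configure;
// field names follow the setters and defaults follow the documentation above.
struct TlsOptionsSnapshot {
  bool is_server = false;                      // which side the options are built for
  bool watch_identity_key_cert_pairs = false;  // watch_identity_key_cert_pairs() called
  bool custom_certificate_verifier = false;    // set_certificate_verifier() called
  bool check_call_host = true;                 // per-call host check is on by default
  std::string tls_session_key_log_file_path;   // empty means session key logging disabled
  TlsVersion min_tls_version = TlsVersion::TLS1_2;  // library default if unset
  TlsVersion max_tls_version = TlsVersion::TLS1_3;  // library default if unset
};

// Returns one finding per violated rule; an empty vector means the snapshot
// satisfies the constraints documented for the setters.
std::vector<std::string> CheckTlsOptions(const TlsOptionsSnapshot& o, bool production) {
  std::vector<std::string> findings;
  // Identity key-cert pairs are required on the server side; there is no default.
  if (o.is_server && !o.watch_identity_key_cert_pairs) {
    findings.push_back("server: watch_identity_key_cert_pairs() was not called");
  }
  // Session key logging writes handshake secrets to disk: debugging only.
  if (production && !o.tls_session_key_log_file_path.empty()) {
    findings.push_back("tls_session_key_log_file_path is set in a production build");
  }
  // The per-call host check assumes the host name verifier; disable it with others.
  if (o.custom_certificate_verifier && o.check_call_host) {
    findings.push_back("check_call_host is still enabled with a custom verifier");
  }
  // A floor above the ceiling leaves no version to negotiate.
  if (static_cast<int>(o.min_tls_version) > static_cast<int>(o.max_tls_version)) {
    findings.push_back("min_tls_version is above max_tls_version");
  }
  return findings;
}

int main() {
  TlsOptionsSnapshot client;  // constructed sample: a client left in its debugging setup
  client.tls_session_key_log_file_path = "/tmp/grpc-keys.log";  // constructed path
  client.custom_certificate_verifier = true;
  for (const auto& f : CheckTlsOptions(client, /*production=*/true)) {
    std::puts(f.c_str());
  }
  return 0;
}
```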

Protected Methods

grpc_tls_credentials_options * mutable_c_credentials_options ()

Returns the internal C options. The caller does not take ownership of the returned pointer.

Defined at line 139 of file ../../third_party/grpc-migrating/src/include/grpcpp/security/tls_credentials_options.h