Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

advancedtls: unexport parts of API not meant to be public #7118

Merged
merged 5 commits into from
Apr 17, 2024
Merged

advancedtls: unexport parts of API not meant to be public #7118

merged 5 commits into from
Apr 17, 2024

Conversation

gtcooke94
Copy link
Contributor

@gtcooke94 gtcooke94 commented Apr 10, 2024
edited
Loading

ServerNameOverride is test-only
RevocationStatus, CheckRevocation, and CheckChainRevocation are not used externally and should not be exported

RELEASE NOTES: none

@gtcooke94 gtcooke94 added Type: Internal Cleanup Refactors, etc Type: Security A bug or other problem affecting security labels Apr 10, 2024
@gtcooke94 gtcooke94 added this to the 1.64 Release milestone Apr 10, 2024
matthewstevenson88
matthewstevenson88 approved these changes Apr 10, 2024
View reviewed changes
security/advancedtls/advancedtls.go Outdated Show resolved Hide resolved
erm-g
erm-g reviewed Apr 11, 2024
View reviewed changes
security/advancedtls/crl.go
@@ -192,25 +188,25 @@ func x509NameHash(r pkix.RDNSequence) string {
return fmt.Sprintf("%08x", fileHash)
}

// CheckRevocation checks the connection for revoked certificates based on RFC5280.
// checkRevocation checks the connection for revoked certificates based on RFC5280.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any usages of it inside the codebase, but it looks like it can be used as an embedded part of tls.Config. In case of OSS users use it that way, would it make sense just to mark it as deprecated (in favor of new CRL solution) and remove later?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you link what you mean? I didn't see any usage in grpc-go or in google

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

grpc-go/security/advancedtls/crl_test.go

Line 739 in 0baa668

cliCfg := tls.Config{

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For me, I think we should unexport - we don't want anyone depending on this. If someone is using it in this way currently, they can stay on a version of the advancedTLS package that has it until they move off.
It's not really something to deprecate, rather it's an internal API that was written with a capital letter

@dfawley what do you think here?

security/advancedtls/crl.go Show resolved Hide resolved
@gtcooke94 gtcooke94 requested a review from dfawley April 15, 2024 18:19
@dfawley dfawley removed the Type: Security A bug or other problem affecting security label Apr 17, 2024
@dfawley dfawley changed the title Unexport pieces of advancedTLS advancedtls: unexport parts of API not meant to be public Apr 17, 2024
@dfawley dfawley merged commit fc8da03 into grpc:master Apr 17, 2024
12 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@matthewstevenson88 matthewstevenson88 matthewstevenson88 approved these changes

@erm-g erm-g erm-g left review comments

@dfawley dfawley dfawley approved these changes

Assignees

@dfawley dfawley

Labels
Type: Internal Cleanup Refactors, etc
Projects
None yet
Milestone
1.64 Release
Development

Successfully merging this pull request may close these issues.
4 participants
@gtcooke94 @dfawley @matthewstevenson88 @erm-g