
Conversation

@Molter73
Collaborator

@Molter73 Molter73 commented Dec 9, 2025

Description

With this patch, we move away from using the tonic-provided TLS implementation to injecting a manually built native-tls connector, then using that to create a hyper HttpsConnector and finally telling tonic to use that connector for handling the underlying HTTPS connections needed for gRPC. In case no TLS certificates are provided, plain HTTP is used.

With native-tls, TLS will be handled by the OS implementation, which on Linux will default to OpenSSL. This is important for FIPS compliance, since having a FIPS-compliant OpenSSL implementation will automatically allow us to be FIPS compliant by proxy.

Checklist

  • Investigated and inspected CI test results
  • Updated documentation accordingly

Automated testing

  • Added unit tests
  • Added integration tests
  • Added regression tests

If any of these don't apply, please comment below.

Testing Performed

Ran fact on a StackRox deployment and validated that it connected to Sensor correctly.
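The transport choice the description makes (certificates present: hand the PEM material to the host TLS stack; none: plain HTTP), as an added std-only Rust example. This is not code from the PR; the `Transport`/`ConfigError` names are hypothetical, the fail-closed handling of a partially supplied certificate set is my assumption rather than something the PR states, and the native-tls/hyper/tonic wiring is left out so the example builds without external crates.

```rust
/// How the gRPC channel is built (hypothetical type, not from the PR).
#[derive(Debug, PartialEq)]
pub enum Transport {
    /// No certificates configured: plain HTTP, as the PR description states.
    Plain,
    /// Certificates configured: PEM material for the host TLS stack (OpenSSL on Linux).
    Tls { ca_pem: Vec<u8>, cert_pem: Vec<u8>, key_pem: Vec<u8> },
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    /// Only some of CA/cert/key were supplied; names the missing ones.
    PartialTls(Vec<&'static str>),
    /// The named input carries no PEM block of the expected kind.
    BadPem(&'static str),
}

/// True if `pem` holds a `-----BEGIN <label>-----` ... `-----END <label>-----` pair.
fn has_pem_block(pem: &[u8], label: &str) -> bool {
    let text = String::from_utf8_lossy(pem);
    let (begin, end) = (format!("-----BEGIN {label}-----"), format!("-----END {label}-----"));
    matches!((text.find(&begin), text.rfind(&end)), (Some(b), Some(e)) if b < e)
}

/// Assumption (not in the PR): a partial certificate set fails closed instead of downgrading to HTTP.
pub fn select_transport(
    ca: Option<Vec<u8>>, cert: Option<Vec<u8>>, key: Option<Vec<u8>>,
) -> Result<Transport, ConfigError> {
    match (ca, cert, key) {
        (None, None, None) => Ok(Transport::Plain),
        (Some(ca_pem), Some(cert_pem), Some(key_pem)) => {
            if !has_pem_block(&ca_pem, "CERTIFICATE") { return Err(ConfigError::BadPem("ca")); }
            if !has_pem_block(&cert_pem, "CERTIFICATE") { return Err(ConfigError::BadPem("cert")); }
            let key_ok = ["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"]
                .iter().any(|l| has_pem_block(&key_pem, l));
            if !key_ok { return Err(ConfigError::BadPem("key")); }
            Ok(Transport::Tls { ca_pem, cert_pem, key_pem })
        }
        (ca, cert, key) => {
            let checks = [("ca", ca.is_none()), ("cert", cert.is_none()), ("key", key.is_none())];
            Err(ConfigError::PartialTls(checks.iter().filter(|c| c.1).map(|c| c.0).collect()))
        }
    }
}

/// The endpoint scheme follows the transport: https:// only when TLS is configured.
pub fn endpoint_uri(host: &str, port: u16, transport: &Transport) -> String {
    let scheme = if matches!(transport, Transport::Tls { .. }) { "https" } else { "http" };
    format!("{scheme}://{host}:{port}")
}
```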

@neverpanic

I would recommend using native_tls and leaving FIPS compliance to the host operating system.

@Molter73 Molter73 marked this pull request as draft December 16, 2025 08:57
@Molter73
Collaborator Author

> I would recommend using native_tls and leaving FIPS compliance to the host operating system.

I've changed the approach but haven't pushed out the commit yet; I'm getting a weird error when connecting to sensor with native_tls. I will update the PR once I get everything working correctly. Thanks for the suggestion @neverpanic!

@Molter73 Molter73 force-pushed the mauro/ROX-31430/fips-compliance branch 5 times, most recently from 9e479d3 to 9152bb4 on December 17, 2025 14:20
@Molter73 Molter73 changed the title from "ROX-31430: use FIPS mode for gRPC communication" to "ROX-31430: delegate TLS to host implementation" Dec 17, 2025
@Molter73 Molter73 force-pushed the mauro/ROX-31430/fips-compliance branch from 9152bb4 to 0d718b7 on December 17, 2025 15:06
@Molter73 Molter73 marked this pull request as ready for review December 17, 2025 15:47
With this patch, we move away from using the tonic-provided TLS
implementation to injecting a manually built native-tls configuration,
then using that to create a hyper HttpsConnector and finally telling
tonic to use that connector for handling the underlying HTTPS
connections needed for gRPC. In case no TLS certificates are provided,
plain HTTP is used.
@Molter73 Molter73 force-pushed the mauro/ROX-31430/fips-compliance branch from 0d718b7 to 9f1b0d8 on December 18, 2025 11:05