-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WASI] Options for implementing wasi-tls proposal #109569
Comments
Tagging subscribers to this area: @dotnet/ncl, @bartonjs, @vcsjones |
I'm in favor of Option 2 since it allows us to keep |
Tagging subscribers to 'arch-wasm': @lewing |
I also prefer option 2 but I would like to hear more about the gaps. I suggest that we have conf call about it in week of 17/11 |
I've started to work on option 2 and will report back once I have something to look at |
I've got option 2, working on a branch: main...jsturtevant:runtime:wasi-tls-2. I am not sure if its worth opening a PR for now since its using a custom host implementation not wasmtime. I think the next steps would be to help WebAssembly/wasi-sockets#100 move forward. |
There is a proposal for adding tls support in wasi-sockets. After adding socket support it makes sense to enable more scenarios with were tls is required. One instance would be using SqlClient.
We've done a few prototypes to figure out how this might work with dotnet:
The first was an implementation using the public API but done out of tree. We used that to prove we could use it with minimal changes to SqlClient.
The second is where I attempted to use the existing
SSLStream
design and PAL layer with the wasi-tls interfaces. I was able to get it to successfully work but found several issues with the approach.In the second approach there is a mismatch between the level of the wasi-tls design and the existing
SslStream
implementation. wasi-tls operates on a transparent stream delegating the handling to the Host. In dotnet'sSslStream
implementation, theSslStream
class handles all of the I/O, tls frame processing, and sends the frames one by one to the SSL context. Since we don't have that level of the SSL context exposed via the wasi-tls interface, and all the processing is happening asynchronously on the host side there is an issue of knowing when all the content has been sent to the host a fully processed by the SSL context and sent back to the guest to be forwarded on the socket layer.I can think of a few of options to move forward (maybe more if I am missing something, which I might be):
SslStream
class. The downside to this is that thee wasi-tls interface is simple and easy to understand as designed today. It keeps the details out of the guest implementation and lets the host handle the complexity.SslStream
library for WASI that by-passes the current PAL abstraction around SSL and fills in the parts that make sense for wasi-tls in the public API. This would be somewhat similar to the first prototype implementation and be similar tohttphandler
.Looking for some feedback on the various approaches.
/cc @pavelsavara @dicej
The text was updated successfully, but these errors were encountered: