[GODRIVER-1435] Please add tlsCertificateFile and tlsKeyFile connection string options. Created: 11/Dec/19 Updated: 28/Oct/23 Resolved: 14/Jan/20 |
|
| Status: | Closed |
| Project: | Go Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.3.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Fung-Chai LIM | Assignee: | Divjot Arora (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Description |
|
Currently, there is only the tlsCertificateKeyFile option (https://docs.mongodb.com/manual/reference/connection-string/) but the file must contain both certificate and key (mongo/options/clientoptions.go). The crypto/tls package provides the LoadX509KeyPair function that "reads and parses a public/private key pair from a pair of files." In light of this, it should follow that the mongo-go-driver also provide 2 connection string options for specifying the client certificate and client key files separately. Using new option names will provide full compatibility. |
| Comments |
| Comment by Divjot Arora (Inactive) [ 16/Jan/20 ] |
|
fungchai.lim@ncs.com.sg The commit will be part of the 1.3.0 release, which is planned for later this month. |
| Comment by Fung-Chai LIM [ 16/Jan/20 ] |
|
@Divjot.Arora, |
| Comment by Githook User [ 14/Jan/20 ] |
|
Author: {'name': 'Divjot Arora', 'email': 'divjot.arora@10gen.com', 'username': 'divjotarora'} Message: |
| Comment by Divjot Arora (Inactive) [ 02/Jan/20 ] |
|
The investigation stage of this ticket is largely done, so I'm going to put this back into Scheduled and pick this up after I'm done with my work on |
| Comment by Divjot Arora (Inactive) [ 20/Dec/19 ] |
|
Just wanted to give you an update on this. I've looked at other drivers and it seems like some are supporting these extra options. After the holidays, I plan on adding the options you proposed. This will allow users to either specify tlsCertificateKeyFile with both files concatenated or to specify both tlsCertificateFile and tlsKeyFile. It will be an error if the existing option is specified with any of the new options.
– Divjot |
| Comment by Divjot Arora (Inactive) [ 18/Dec/19 ] |
|
I agree these extra options could be useful for users. I am currently investigating the best way to add them and define the interactions between these options and the existing tlsCertificateKeyFile option, as users could specify any combination of the three. I will add another comment on this ticket when I've figured this out and let you know how we plan on progressing.
– Divjot |
| Comment by Fung-Chai LIM [ 18/Dec/19 ] |
|
Hi, want to add some explanation in case you don't understand the description. The DevOps team may provide the client cert and key in 2 separate files. We cannot use tlsCertificateKeyFile=cert.pem&tlsCertificateKeyFile=key.pem or tlsCertificateKeyFile=client.pem,key.pem in the connection string. The comments in clientoptions.go say the files should be concatenated into one file. The DevOps team objects to putting the cert and key into one file as the key is supposed to be private. We mentioned the tlsCertificateKeyFilePassword but they don't want another configuration parameter. So, now we are not putting TLS parameters in the connection string. Instead, we are calling the LoadX509KeyPair in our code. It would be nice if the mongo-go-driver does this for us. It would be nice if the driver can accept tlsCertificateKeyFile=client.pem,key.pem or provide 2 new tlsCertificateFile and tlsKeyFile options. |
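
The option interaction described in the 20/Dec/19 comment, together with the LoadX509KeyPair workaround from the 18/Dec/19 comment, as an added example that is not the driver's own code. It uses only the Go standard library; the function names `clientCertPaths` and `clientTLSConfig`, the host, and the file names are hypothetical. It assumes a single-host URI, case-sensitive option names, and that supplying only one of the two new options is rejected.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/url"
)

// clientCertPaths returns the certificate and key file paths named by a
// connection string. The combined option and the split options are treated
// as mutually exclusive, as proposed in the ticket. Option names are matched
// case-sensitively here, which is a simplification.
func clientCertPaths(uri string) (certFile, keyFile string, err error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", "", err
	}
	q := u.Query()
	combined := q.Get("tlsCertificateKeyFile")
	certFile, keyFile = q.Get("tlsCertificateFile"), q.Get("tlsKeyFile")
	switch {
	case combined != "" && (certFile != "" || keyFile != ""):
		return "", "", errors.New("tlsCertificateKeyFile cannot be combined with tlsCertificateFile or tlsKeyFile")
	case combined != "":
		return combined, combined, nil // one PEM file holds both blocks
	case (certFile == "") != (keyFile == ""):
		// Assumption: one split option without the other is an error.
		return "", "", errors.New("tlsCertificateFile and tlsKeyFile must be specified together")
	}
	return certFile, keyFile, nil // both empty means no client certificate
}

// clientTLSConfig builds a tls.Config carrying the client certificate, or
// returns nil when the connection string names none.
func clientTLSConfig(uri string) (*tls.Config, error) {
	certFile, keyFile, err := clientCertPaths(uri)
	if err != nil || certFile == "" {
		return nil, err
	}
	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
	if err != nil {
		return nil, fmt.Errorf("loading client key pair: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}}, nil
}

func main() {
	// Constructed URI that mixes the old and new options; it is rejected.
	_, err := clientTLSConfig("mongodb://db.example.net/?tlsCertificateKeyFile=client.pem&tlsKeyFile=key.pem")
	fmt.Println(err)
}
```

Keeping the key in its own file lets it carry tighter file permissions than the certificate, which is the separation the reporter's DevOps team asked for.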