[GODRIVER-1435] Please add tlsCertificateFile and tlsKeyFile connection string options. Created: 11/Dec/19  Updated: 28/Oct/23  Resolved: 14/Jan/20

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.3.0

Type: Improvement Priority: Major - P3
Reporter: Fung-Chai LIM Assignee: Divjot Arora (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible

 Description   

Currently, there is only the tlsCertificateKeyFile option (https://docs.mongodb.com/manual/reference/connection-string/) but the file must contain both certificate and key (mongo/options/clientoptions.go).

The crypto/tls package provides the LoadX509KeyPair function that "reads and parses a public/private key pair from a pair of files."  In light of this, it should follow that the mongo-go-driver also provide 2 connection string options for specifying the client certificate and client key files separately.  Using new option names will provide full compatibility.



 Comments   
Comment by Divjot Arora (Inactive) [ 16/Jan/20 ]

fungchai.lim@ncs.com.sg The commit will be part of the 1.3.0 release, which is planned for later this month.

Comment by Fung-Chai LIM [ 16/Jan/20 ]

@Divjot.Arora,
Thank you for this commit. It will be very useful for my project. When will this commit be tagged? Thanks.

Comment by Githook User [ 14/Jan/20 ]

Author: Divjot Arora <divjot.arora@10gen.com> (divjotarora)

Message: GODRIVER-1435 Add tlsCertificateFile and tlsPrivateKeyFile URI options (#271)
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/c0d964c4f1af0c5b631c232664788e4b327ab5a7

Comment by Divjot Arora (Inactive) [ 02/Jan/20 ]

The investigation stage of this ticket is largely done, so I'm going to put this back into Scheduled and pick this up after I'm done with my work on GODRIVER-1438.

Comment by Divjot Arora (Inactive) [ 20/Dec/19 ]

Hi fungchai.lim@ncs.com.sg,

Just wanted to give you an update on this. I've looked at other drivers and it seems like some are supporting these extra options. After the holidays, I plan on adding the options you proposed. This will allow users to either specify tlsCertificateKeyFile with both files concatenated or to specify both tlsCertificateFile and tlsKeyFile. It will be an error if the existing option is specified with any of the new options.

– Divjot

Comment by Divjot Arora (Inactive) [ 18/Dec/19 ]

Hi fungchai.lim@ncs.com.sg,

I agree these extra options could be useful for users. I am currently investigating the best way to add them and define the interactions between these options and the existing tlsCertificateKeyFile option, as users could specify any combination of the three. I will add another comment on this ticket when I've figured this out and let you know how we plan on progressing.

– Divjot

Comment by Fung-Chai LIM [ 18/Dec/19 ]

Hi, want to add some explanation in case you don't understand the description.

The DevOps team may provide the client cert and key in 2 separate files.  We cannot use tlsCertificateKeyFile=cert.pem&tlsCertificateKeyFile=key.pem or tlsCertificateKeyFile=client.pem,key.pem in the connection string.  The comments in clientoptions.go say the files should be concatenated into one file.

The DevOps team objects to putting the cert and key into one file as the key is supposed to be private.  We mentioned the tlsCertificateKeyFilePassword but they don't want another configuration parameter.

So, now we are not putting TLS parameters in the connection string.  Instead, we are calling the LoadX509KeyPair in our code.  It would be nice if the mongo-go-driver does this for us.  It would be nice if the driver can accept tlsCertificateKeyFile=client.pem,key.pem or provide 2 new tlsCertificateFile and tlsKeyFile options.

Generated at Thu Feb 08 08:36:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.