[GODRIVER-747] Allow TLSConfig as a client option Created: 04/Jan/19 Updated: 28/Oct/23 Resolved: 19/Feb/19 |
|
| Status: | Closed |
| Project: | Go Driver |
| Component/s: | API, Options & Configuration |
| Affects Version/s: | None |
| Fix Version/s: | 1.0.0-rc1 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Divjot Arora (Inactive) | Assignee: | Kristofer Brandow (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
Use a TLSConfig in the SetSSL() function in clientoptions.go instead of SSLOpt. This requires changing WithConnString() and adding WithTLSConfig() in topology_options.go. |
| Comments |
| Comment by Githook User [ 19/Feb/19 ] |
|
Author: {'name': 'Kris Brandow', 'email': 'kris@mongodb.com', 'username': 'skriptble'}
Message: Update options and remove exposed x in mongo
Change-Id: I5e057598d5e425f6b9837af2a1d08a122b7f00fc |
| Comment by Kristofer Brandow (Inactive) [ 11/Feb/19 ] |
|
Code Review: https://review.gerrithub.io/c/mongodb/mongo-go-driver/+/443815. |
| Comment by Bernie Hackett [ 01/Feb/19 ] |
|
> Do any of our other drivers provide this functionality?

OpenSSL handles this, so drivers using it can support it (assuming that feature of OpenSSL is exposed in the language). For example: https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_cert_chain implemented using https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_default_passwd_cb.html |
| Comment by Craig Wilson [ 31/Jan/19 ] |
|
I don't think we'd vendor it as a dependency. It would just be something users could use to make doing this type of thing simpler. |
| Comment by Jeffrey Yemin [ 31/Jan/19 ] |
|
I'm not clear on why any TCP-wrapping client library should include this functionality directly. Isn't it the same thing you'd need in an HTTP client, SQL client, etc? Should/does every client library out there have its implementation of client cert decryption embedded within it? Do any of our other drivers provide this functionality? CC behackett |
| Comment by Divjot Arora (Inactive) [ 31/Jan/19 ] |
|
The point of contention on this ticket is whether or not we actually need an internal TLS config wrapper. If we remove the internal wrapper, we're removing the support to decrypt client certificates for users and requiring them to directly give us a tls.Config instance. TODO: talk to craiggwilson and david.golden and reach a consensus on whether or not we want to keep a tls.Config wrapper (and where it belongs if we do) and what we want to do about decrypting client certs (current options are to not do it or to release an open source lib which we vendor as a dependency). |
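The option debated in the comments above, where the application decrypts its own client key and hands the driver a plain tls.Config, can be sketched with the Go standard library alone. This is an added example, not code from the driver or from the ticket: `clientTLSConfig` and `sampleEncryptedPair` are hypothetical names, the certificate and passphrase are constructed for the demo, and the decryption uses the standard library's legacy RFC 1423 PEM functions, which are marked deprecated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// clientTLSConfig decrypts the client key in the application and returns a plain *tls.Config.
func clientTLSConfig(certPEM, keyPEM, passphrase []byte) (*tls.Config, error) {
	block, _ := pem.Decode(keyPEM)
	if block == nil {
		return nil, fmt.Errorf("no PEM block in client key")
	}
	if x509.IsEncryptedPEMBlock(block) { // legacy RFC 1423 PEM encryption (deprecated API)
		der, err := x509.DecryptPEMBlock(block, passphrase)
		if err != nil {
			return nil, fmt.Errorf("decrypt client key: %w", err) // fails before any dial
		}
		keyPEM = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	}
	pair, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12}, nil
}

func sampleEncryptedPair(passphrase []byte) (certPEM, keyPEM []byte) { // constructed demo input only
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-client"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	certDER, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	enc, _ := x509.EncryptPEMBlock(rand.Reader, "PRIVATE KEY", keyDER, passphrase, x509.PEMCipherAES256)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), pem.EncodeToMemory(enc)
}

func main() {
	certPEM, keyPEM := sampleEncryptedPair([]byte("constructed-passphrase"))
	cfg, err := clientTLSConfig(certPEM, keyPEM, []byte("constructed-passphrase"))
	fmt.Println("config built:", cfg != nil, "error:", err)
}
```

With this split, a wrong passphrase or malformed key is reported by the application while it builds the configuration, and the driver only ever sees the finished tls.Config.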