[GODRIVER-747] Allow TLSConfig as a client option

Created: 04/Jan/19
Updated: 28/Oct/23
Resolved: 19/Feb/19

Status: Closed
Project: Go Driver
Component/s: API, Options & Configuration
Affects Version/s: None
Fix Version/s: 1.0.0-rc1

Type: Improvement
Priority: Major - P3
Reporter: Divjot Arora (Inactive)
Assignee: Kristofer Brandow (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Use a TLSConfig in the SetSSL() function in clientoptions.go instead of SSLOpt. This requires changing WithConnString() and adding WithTLSConfig() in topology_options.go.



 Comments   
Comment by Githook User [ 19/Feb/19 ]

Author: Kris Brandow <kris@mongodb.com> (skriptble)

Message: Update options and remove exposed x in mongo

GODRIVER-793
GODRIVER-747
GODRIVER-727

Change-Id: I5e057598d5e425f6b9837af2a1d08a122b7f00fc
Branch: master
https://github.com/mongodb/mongo-go-driver/commit/32946b1f8b9412a6a94e68ff789575327bb257cf

Comment by Kristofer Brandow (Inactive) [ 11/Feb/19 ]

Code Review: https://review.gerrithub.io/c/mongodb/mongo-go-driver/+/443815.

Comment by Bernie Hackett [ 01/Feb/19 ]

> Do any of our other drivers provide this functionality?

OpenSSL handles this, so drivers using it can support it (assuming that feature of OpenSSL is exposed in the language). For example: https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_cert_chain implemented using https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_set_default_passwd_cb.html

Comment by Craig Wilson [ 31/Jan/19 ]

I don't think we'd vendor it as a dependency. It would just be something users could use to make doing this type of thing simpler.

Comment by Jeffrey Yemin [ 31/Jan/19 ]

I'm not clear on why any TCP-wrapping client library should include this functionality directly. Isn't it the same thing you'd need in an HTTP client, SQL client, etc? Should/does every client library out there have its implementation of client cert decryption embedded within it? Do any of our other drivers provide this functionality?

CC behackett

Comment by Divjot Arora (Inactive) [ 31/Jan/19 ]

The point of contention on this ticket is whether or not we actually need an internal TLS config wrapper. If we remove the internal wrapper, we're removing the support to decrypt client certificates for users and requiring them to directly give us a tls.Config instance.

TODO: talk to craiggwilson and david.golden and reach a consensus on whether or not we want to keep a tls.Config wrapper (and where it belongs if we do) and what we want to do about decrypting client certs (current options are to not do it or to release an open source lib which we vendor as a dependency).
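
The caller-side alternative discussed in this thread, as an added example that is not part of the ticket or the driver's code: the application decrypts a password-protected PEM client key itself and builds the `tls.Config` it would hand to the driver. The names `clientTLSConfig`, `samplePair` and `must` are hypothetical, the certificate and passphrase are constructed, and note that Go has deprecated `x509.DecryptPEMBlock` because legacy RFC 1423 PEM encryption is insecure by design.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
)

// clientTLSConfig (hypothetical helper) returns a tls.Config carrying the client certificate.
func clientTLSConfig(certPEM, keyPEM []byte, password string) (*tls.Config, error) {
	block, _ := pem.Decode(keyPEM)
	if block != nil && x509.IsEncryptedPEMBlock(block) { // legacy RFC 1423 encryption
		der, err := x509.DecryptPEMBlock(block, []byte(password))
		if err != nil {
			return nil, fmt.Errorf("decrypt client key: %w", err)
		}
		keyPEM = pem.EncodeToMemory(&pem.Block{Type: block.Type, Bytes: der})
	}
	cert, err := tls.X509KeyPair(certPEM, keyPEM) // rejects missing PEM, garbage or mismatched keys
	if err != nil {
		return nil, fmt.Errorf("load client key pair: %w", err)
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// samplePair builds constructed demo input: a minimal self-signed cert and its encrypted key.
func samplePair(password string) (certPEM, keyPEM []byte) {
	key := must(rsa.GenerateKey(rand.Reader, 2048))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1)}
	certDER := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	enc := must(x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", x509.MarshalPKCS1PrivateKey(key), []byte(password), x509.PEMCipherAES256))
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}), pem.EncodeToMemory(enc)
}

func main() {
	certPEM, keyPEM := samplePair("constructed-passphrase")
	_, err := clientTLSConfig(certPEM, keyPEM, "constructed-passphrase")
	fmt.Println("client tls.Config built, err:", err)
}
```

The legacy format cannot always detect a wrong password at decryption time, so the key-pair load that follows is what catches a key that decrypted to garbage.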
