Expose the whole tls.Config setting

neo4j · Mar 22, 2022 · 31500b8 · 31500b8
1 parent 876f708
commit 31500b8
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 7 deletions.
diff --git a/neo4j/config.go b/neo4j/config.go
@@ -20,6 +20,7 @@
 package neo4j
 
 import (
+ "crypto/tls"
  "crypto/x509"
  "math"
  "net/url"
@@ -36,7 +37,19 @@ type Config struct {
  //
  // The trusted certificates are used to validate connections for URI schemes 'bolt+s'
  // and 'neo4j+s'.
+ // Deprecated: RootCAs will be removed in 6.0. Please rely on TlsConfig's RootCAs attribute instead.
  RootCAs *x509.CertPool
+ // TlsConfig defines the TLS configuration of the driver.
+ //
+ // The configuration is only used for URI schemes 'bolt+s', 'bolt+ssc',
+ // 'neo4j+s' and 'neo4j+ssc'.
+ //
+ // The InsecureSkipVerify attribute of TlsConfig is always derived from the initial URI scheme.
+ // The ServerName attribute of TlsConfig is always derived from the initial URI host.
+
+ // The RootCAs attribute of this TlsConfig has higher precedence than the
+ // attribute set on the enclosing Config.
+ TlsConfig *tls.Config
 
  // Logging target the driver will send its log outputs
  //

diff --git a/neo4j/driver_with_context.go b/neo4j/driver_with_context.go
@@ -160,6 +160,7 @@ func NewDriverWithContext(target string, auth AuthToken, configurers ...func(*Co
  d.connector.SocketKeepAlive = d.config.SocketKeepalive
  d.connector.UserAgent = d.config.UserAgent
  d.connector.RootCAs = d.config.RootCAs
+ d.connector.TlsConfig = d.config.TlsConfig
  d.connector.Log = d.log
  d.connector.Auth = auth.tokens
  d.connector.RoutingContext = routingContext

diff --git a/neo4j/internal/connector/connector.go b/neo4j/internal/connector/connector.go
@@ -35,8 +35,9 @@ import (
 )
 
 type Connector struct {
- SkipEncryption bool
- SkipVerify bool
+ SkipEncryption bool
+ SkipVerify bool
+ // Deprecated: RootCAs will be removed in 6.0. Configure TlsConfig directly instead.
  RootCAs *x509.CertPool
  DialTimeout time.Duration
  SocketKeepAlive bool
@@ -45,6 +46,7 @@ type Connector struct {
  UserAgent string
  RoutingContext map[string]string
  Network string
+ TlsConfig *tls.Config
 }
 
 func (c Connector) Connect(ctx context.Context, address string, boltLogger log.BoltLogger) (db.Connection, error) {
@@ -69,19 +71,28 @@ func (c Connector) Connect(ctx context.Context, address string, boltLogger log.B
  conn.Close()
  return nil, err
  }
- config := tls.Config{InsecureSkipVerify: c.SkipVerify, RootCAs: c.RootCAs, ServerName: serverName}
- tlsconn := tls.Client(conn, &config)
- err = tlsconn.HandshakeContext(ctx)
+ tlsConn := tls.Client(conn, c.tlsConfig(serverName))
+ err = tlsConn.HandshakeContext(ctx)
  if err != nil {
  if err == io.EOF {
  // Give a bit nicer error message
- err = errors.New("Remote end closed the connection, check that TLS is enabled on the server")
+ err = errors.New("remote end closed the connection, check that TLS is enabled on the server")
  }
  conn.Close()
  return nil, &TlsError{inner: err}
  }
  // Perform Bolt handshake
- return bolt.Connect(ctx, address, tlsconn, c.Auth, c.UserAgent, c.RoutingContext, c.Log, boltLogger)
+ return bolt.Connect(ctx, address, tlsConn, c.Auth, c.UserAgent, c.RoutingContext, c.Log, boltLogger)
+}
+
+func (c Connector) tlsConfig(serverName string) *tls.Config {
+ if c.TlsConfig == nil {
+ return &tls.Config{InsecureSkipVerify: c.SkipVerify, RootCAs: c.RootCAs, ServerName: serverName}
+ }
+ config := c.TlsConfig
+ config.InsecureSkipVerify = c.SkipVerify
+ config.ServerName = serverName
+ return config
 }
 
 // TlsError encapsulates all errors related to TLS connection creation