From 31500b8145935a8bb917c6610ddf10a651d1bb38 Mon Sep 17 00:00:00 2001 From: Florent Biville Date: Mon, 21 Mar 2022 14:50:48 +0100 Subject: [PATCH] Expose the whole tls.Config setting --- neo4j/config.go | 13 +++++++++++++ neo4j/driver_with_context.go | 1 + neo4j/internal/connector/connector.go | 25 ++++++++++++++++++------- 3 files changed, 32 insertions(+), 7 deletions(-) diff --git a/neo4j/config.go b/neo4j/config.go index 8f557a69..979f81fc 100644 --- a/neo4j/config.go +++ b/neo4j/config.go @@ -20,6 +20,7 @@ package neo4j import ( + "crypto/tls" "crypto/x509" "math" "net/url" @@ -36,7 +37,19 @@ type Config struct { // // The trusted certificates are used to validate connections for URI schemes 'bolt+s' // and 'neo4j+s'. + // Deprecated: RootCAs will be removed in 6.0. Please rely on TlsConfig's RootCAs attribute instead. RootCAs *x509.CertPool + // TlsConfig defines the TLS configuration of the driver. + // + // The configuration is only used for URI schemes 'bolt+s', 'bolt+ssc', + // 'neo4j+s' and 'neo4j+ssc'. + // + // The InsecureSkipVerify attribute of TlsConfig is always derived from the initial URI scheme. + // The ServerName attribute of TlsConfig is always derived from the initial URI host. + + // The RootCAs attribute of this TlsConfig has higher precedence than the + // attribute set on the enclosing Config. + TlsConfig *tls.Config // Logging target the driver will send its log outputs // diff --git a/neo4j/driver_with_context.go b/neo4j/driver_with_context.go index c6b1d14e..bfff3d06 100644 --- a/neo4j/driver_with_context.go +++ b/neo4j/driver_with_context.go @@ -160,6 +160,7 @@ func NewDriverWithContext(target string, auth AuthToken, configurers ...func(*Co d.connector.SocketKeepAlive = d.config.SocketKeepalive d.connector.UserAgent = d.config.UserAgent d.connector.RootCAs = d.config.RootCAs + d.connector.TlsConfig = d.config.TlsConfig d.connector.Log = d.log d.connector.Auth = auth.tokens d.connector.RoutingContext = routingContext 
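Review bot: The TlsConfig doc comment in the config.go hunk says its RootCAs attribute "has higher precedence" than the enclosing Config.RootCAs, but the new connector.tlsConfig in the connector.go hunk ignores the deprecated field completely once TlsConfig is non-nil, so a caller who keeps Config.RootCAs and adds a TlsConfig for other settings ends up verifying against the system roots instead of the configured pool. Either fall back to c.RootCAs when TlsConfig.RootCAs is nil, or state the actual rule in the comment: `// When TlsConfig is set, Config.RootCAs is ignored, even if TlsConfig.RootCAs is nil (the system roots are used).` The hunk's counts (7 old, 19 new lines) suggest an empty added line before `// The RootCAs attribute of this TlsConfig ...`; if that gap is real, godoc attaches only the last two lines to the field, so drop it or make it `//`.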
diff --git a/neo4j/internal/connector/connector.go b/neo4j/internal/connector/connector.go index 394e9631..b453c8d8 100644 --- a/neo4j/internal/connector/connector.go +++ b/neo4j/internal/connector/connector.go @@ -35,8 +35,9 @@ import ( ) type Connector struct { - SkipEncryption bool - SkipVerify bool + SkipEncryption bool + SkipVerify bool + // Deprecated: RootCAs will be removed in 6.0. Configure TlsConfig directly instead. RootCAs *x509.CertPool DialTimeout time.Duration SocketKeepAlive bool @@ -45,6 +46,7 @@ type Connector struct { UserAgent string RoutingContext map[string]string Network string + TlsConfig *tls.Config } func (c Connector) Connect(ctx context.Context, address string, boltLogger log.BoltLogger) (db.Connection, error) { 
@@ -69,19 +71,28 @@ func (c Connector) Connect(ctx context.Context, address string, boltLogger log.B conn.Close() return nil, err } - config := tls.Config{InsecureSkipVerify: c.SkipVerify, RootCAs: c.RootCAs, ServerName: serverName} - tlsconn := tls.Client(conn, &config) - err = tlsconn.HandshakeContext(ctx) + tlsConn := tls.Client(conn, c.tlsConfig(serverName)) + err = tlsConn.HandshakeContext(ctx) if err != nil { if err == io.EOF { // Give a bit nicer error message - err = errors.New("Remote end closed the connection, check that TLS is enabled on the server") + err = errors.New("remote end closed the connection, check that TLS is enabled on the server") } conn.Close() return nil, &TlsError{inner: err} } // Perform Bolt handshake - return bolt.Connect(ctx, address, tlsconn, c.Auth, c.UserAgent, c.RoutingContext, c.Log, boltLogger) + return bolt.Connect(ctx, address, tlsConn, c.Auth, c.UserAgent, c.RoutingContext, c.Log, boltLogger) +} + +func (c Connector) tlsConfig(serverName string) *tls.Config { + if c.TlsConfig == nil { + return &tls.Config{InsecureSkipVerify: c.SkipVerify, RootCAs: c.RootCAs, ServerName: serverName} + } + config := c.TlsConfig + config.InsecureSkipVerify = c.SkipVerify + config.ServerName = serverName + return config } // TlsError encapsulates all errors related to TLS connection creation
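Review bot: tlsConfig writes InsecureSkipVerify and ServerName into the caller's own *tls.Config (`config := c.TlsConfig`), and that pointer is shared by every Connect call: Connector is a value receiver, but the copy still points at the same struct, so concurrent connections to different routing-table members race on ServerName and one handshake may verify a certificate against another connection's host name; the tls package also documents that a Config must not be modified after it has been passed to tls.Client. Clone before editing, `config := c.TlsConfig.Clone()`, which also leaves the user's struct untouched when the scheme forces InsecureSkipVerify off. Connect's body starts before this hunk.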