Add TLS certificate validation for DB connection

[condemil]

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

As discussed in the chat it is not possible to verify certificate for TLS database connection at that moment. It would be nice to add it.

Describe the solution you'd like
Add a way (probably though config yaml / environment variable) to specify path to PEM certificate file to validate TLS database connection.

Describe alternatives you've considered
For not the only possible to connect though TLS to database without certificate validation, it is workable, but not that secure.

Additional context
How it can be achieved with mysql driver is mentioned here: go-sql-driver/mysql#908

[aeneasr]

Ok so the idea would be to add this somewhere around herre. One difficulty is that the mysql driver doesn't handle this automatically so we would have to add a hardcoded check here against mysql to make this work which kinda sucks (the postgresdriver supports setting the CA via a flag). Any ideas how to solve this in a better way?

[condemil]

The better way is to add another DNS argument (to be consistent with postgres), get it from query as you get other options in here and add it to SQLConnection struct. Later when we do mysql connection we can check that path to tls certificate is specified in SQLConnection.

[aeneasr]

Ah my description wasn't very clear, that's definitely the idea here, have something like ?tlsCAPath or whatever (we can mimic what postgres is doing).

[condemil]

?tlsCAPath or some other parameter on DSN sound better than my initial idea with config / environment.

[condemil]

The only other idea I have how to make it better without hardcoded check here against mysql is to file another feature request on mysql driver to support it tough DNS the way postgres driver does it.

[aeneasr]

The only other idea I have how to make it better without hardcoded check here against mysql is to file another feature request on mysql driver to support it tough DNS the way postgres driver does it.

I think that would be the most reasonable path as this should really be part of the driver spec IMO and it would benefit the community using the upstream dependency (mysql driver) the most.

[condemil]

Created issue go-sql-driver/mysql#926

[aeneasr]

Awesome!

[aeneasr]

I will close this issue as it really is something which needs to be done upstream. Looks like there is some progress on the issue, but it's not yet merged. Once it's merged, it will be in the next update for ORY Hydra!