Use system installed certificates by default and accept neo4j+ssc connections #180
Accept +ssc connections Allow additional certificates to be passed in the config
Hey, thanks for adding this. I left some comments and I think we can simplify some stuff and don't need to introduce new abstractions already. Furthermore, in order to get the PR builds green, you need to update the lock files. This should get the test builds green; what's left is to run cargo fmt and go through the clippy warnings.
Fixed all comments, and tested locally with both scenarios: CA certificate passed to the config and CA certificate installed locally (and trusted)
Thanks, looks good now. We can always add some abstraction over different certificate providers if there is a need later. With providing a path, it would be up to the user to use whatever provider they have to generate a file. I think that should actually work for a lot of use-cases, though maybe providing something impl BufRef eventually would allow for in-memory certs.
At any rate, I think you still need to run cargo xtask min in addition to the msrv task.
Thanks for sticking with the review!
I do have some plans to add tests over an encrypted connection in the future, this PR will certainly help with that :)
…nections (#180)
* Use system installed certificates by default
  Accept +ssc connections
  Allow additional certificates to be passed in the config
* Remove .idea files
* Sort dependencies
* Address PR comments
* Nit: add CR add the end of the file
* Nit: use cloned instead of map
* Remove useless comment
* Update lock file
* update files with cargo fmt
* Remove wrong warning
* update cargo.lock.min
* formatting
Trying to fix #85
This PR allows configuring the connection manager with an additional client CA certificate.
I am honestly not very happy with the current implementation, it seems the process of configuring the connection should be refactored a bit, but I am new to this project, so take this as an attempt to solve this issue.
It also replaces webpki-roots with rustls-native-certs, in order to accept certificates installed (and trusted) on the local machine. This allows neo4j+ssc connections when the host system is configured in the proper way.