Connect to rethinkdb over SSL with self-signed certificate

[matteosuppo]

Over at compose they provide rethinkdb servers with self-signed certificates.

You can connect to them in this way: https://www.compose.io/articles/rethinkdb-and-ssl-think-secure/

basically by reading a certificate

    roots := x509.NewCertPool()
    cert, err := ioutil.ReadFile("./cacert")
    roots.AppendCertsFromPEM(cert)

and connecting with the TLS

    session, err := r.Connect(r.ConnectOpts{
        Address:  "aws-eu-west-1-portal.1.dblayer.com:10605",
        Database: "test",
        AuthKey:  "QBXORIDHnnjkvUyhexl1nKcnAxbIqPBcrHeqkWglXc",
        TLSConfig: &tls.Config{
            RootCAs: roots,
        },
    })

I'm going to try to make it work. Are you interested in a Pull Request?

[aeneasr]

Yes, please use the JWK Store for storing the RootCA. Setting custom RootCAs is also quite dangerous and we should anticipate problems there. Using the JWK Store only trusted clients could update those CAs, so that's a first good step.

[aeneasr]

And I want to keep the number of configuration and env options low :)

[aeneasr]

If you need help with the JWK store let me know

[matteosuppo]

Aren't JWK stored in rethinkdb?

[aeneasr]

Haha wow, I didn't think that one through. Spot on.

[aeneasr]

Ok let's make it work then like the HTTP TLS certificates (CLI option and env var)

[matteosuppo]

I'm working on it

[aeneasr]

that's actually better because compromise of a priviledged client would not allow for the rootca to be changed or read