Consider allowing drivers to use encrypted connections

[danielmewes]

Similar to #3151 for intra-cluster communication, I believe there are a few things we can do to make working with encrypted client connections much easier.

Here's my proposal:
Assume the user has set up a tool such as stunnel (https://www.stunnel.org/index.html) on the server to allow incoming SSL connections to RethinkDB's client port.

We could extend the official drivers to support connecting to the server through SSL. From the user's perspective, this would take two things:

• a flag to r.connect() to enable SSL
• a way to supply a certificate to validate that the client is connecting to the right server (the path to the certificate file could be provided through the same flag that enables SSL actually)

In combination with the auth keys we already have and a firewall that restricts incoming connections to specific IP addresses, this would provide some reasonable level of security for running RethinkDB on unprotected networks.

It's not quite sufficient for just exposing the encrypted client port to the Internet though, since we might expose security vulnerabilities even before the auth key is validated (plus there's a high potential for DoS and brute force attacks).
To make that work, we should also investigate options to use a client-side certificate. I'm not very familiar with how that works with SSL, but it would be great if one could just configure stunnel on the server to check for a certain client certificate, and have another option in our drivers to supply one.

[mlucy]

Another alternative would be to give people a script that sets up an SSH tunnel for them. That's less nifty, but a lot easier.

[wojons]

@mlucy I agree it would be a lot less work to provide users with a python script that sets up an ssh tunnel or something basic for them to use and if they want something more advance then they should set that up on there own.

@coffeemug if you just want some basic python or something scripts that can create ssh tunnels for usrs to connect to there rethinkdb cluster then I can make some easy scripts for something like that.

[mkleehammer]

+1 on built-in encryption option

[joaojeronimo]

+1 for built-in encryption. So far I'm using the following snippet on my node.js clients:

var net = require('net');
var tls = require('tls');
net.createServer(function (socket) {
  socket.pipe(tls.connect(38015)).pipe(socket);
}).listen(28015);

Then the client connects to tcp://localhost:28015, which in turn proxies it to the secure TLS connection on 38015.

An SSH tunnel is something else to manage, monitor and make sure its running.

Also, what's keeping you guys from making rethinkdb serve it's API over TLS connections ?

[danielmewes]

@joaojeronimo sorry for the late response:

Also, what's keeping you guys from making rethinkdb serve it's API over TLS connections ?

We'd actually really like to do that. There are different options for this, and we discussed some of them in #3151 (comment) . While that thread is about intra-cluster connections, we'll probably provide the same thing for client connections as well.

[joaojeronimo]

That would be great. Do you guys have this scheduled ?

[danielmewes]

@joaojeronimo Not yet. We'll rely on external proxies (like stunnel) for now, and try to make its setup as easy as possible by providing adequate documentation and examples.

[danielmewes]

Good news: Server-side TLS integration is coming with RethinkDB 2.3 thanks to this pull request #5381 by @jlhawn

[jlhawn]

Cross-posting this for more exposure: I made a guide to setting up a RethinkDB cluster with native TLS which uses an experimental build from that aforementioned pull request.