elastic / elasticsearch-rs

Official Elasticsearch Rust Client
https://www.elastic.co/guide/en/elasticsearch/client/rust-api/current/index.html
Apache License 2.0

[ENHANCEMENT] More configuration of TLS connections #182

Open xd009642 opened 3 years ago

xd009642 commented 3 years ago

Is your feature request related to a problem? Please describe.

I need to configure more TLS settings to meet a customer's security policy for a private deployment. I use rusoto with the same customer and they expose https://docs.rs/native-tls/0.2.7/native_tls/struct.TlsConnector.html in their public API when native-tls is used, and I'm able to configure the connection as required when creating the client. Ideally, the Elasticsearch bindings will function the same way to enable me to reuse the same connection building code I've already implemented.

russcam commented 3 years ago

Hi @xd009642, what other TLS settings need to be configured?

xd009642 commented 3 years ago

So any settings in the builder (https://docs.rs/native-tls/0.2.7/native_tls/struct.TlsConnectorBuilder.html); disable_built_in_roots is one. I also have another client with a private cloud who don't like adding certificates to images, so they ask us to set danger_accept_invalid_certs, so I'll need that if we deploy our ES-based solution there.

xd009642 commented 3 years ago

I'd also be willing to work on a PR for this, just want to make sure the feature will be accepted in some form or another.

russcam commented 3 years ago

It looks like disable_built_in_roots might be the only one missing that might be useful to also have:

xd009642 commented 3 years ago

Ah brilliant, I missed those in the docs. I'll have a look at a PR for disable_built_in_roots, I imagine it would be a case of adding a field to the CertificationValidation enum as that seems to handle a few things :thinking: