
Merge pull request #407 from uhoh-itsmaciek/do-not-require-client-certificate

Do not require a client certificate in SslOptions
Ben Hood 10 anni fa
parent
commit
fc172b72de
4 ha cambiato i file con 36 aggiunte e 11 eliminazioni
  1. 2 1
      AUTHORS
  2. 3 0
      conn.go
  3. 23 6
      conn_test.go
  4. 8 4
      connectionpool.go

+ 2 - 1
AUTHORS

@@ -45,4 +45,5 @@ Dan Kinder <dkinder.is.me@gmail.com>
 Oliver Beattie <oliver@obeattie.com>
 Justin Corpron <justin@retailnext.com>
 Miles Delahunty <miles.delahunty@gmail.com>
-Zach Badgett <zach.badgett@gmail.com>
+Zach Badgett <zach.badgett@gmail.com>
+Maciek Sakrejda <maciek@heroku.com>

+ 3 - 0
conn.go

@@ -55,6 +55,9 @@ func (p PasswordAuthenticator) Success(data []byte) error {
 }
 
 type SslOptions struct {
+	// CertPath and KeyPath are optional depending on server
+	// config, but both fields must be omitted to avoid using a
+	// client certificate
 	CertPath string
 	KeyPath  string
 	CaPath   string //optional depending on server config

+ 23 - 6
conn_test.go

@@ -58,7 +58,7 @@ func TestSSLSimple(t *testing.T) {
 	srv := NewSSLTestServer(t, defaultProto)
 	defer srv.Stop()
 
-	db, err := createTestSslCluster(srv.Address, defaultProto).CreateSession()
+	db, err := createTestSslCluster(srv.Address, defaultProto, true).CreateSession()
 	if err != nil {
 		t.Fatalf("0x%x: NewCluster: %v", defaultProto, err)
 	}
@@ -68,14 +68,31 @@ func TestSSLSimple(t *testing.T) {
 	}
 }
 
-func createTestSslCluster(hosts string, proto uint8) *ClusterConfig {
+func TestSSLSimpleNoClientCert(t *testing.T) {
+	srv := NewSSLTestServer(t, defaultProto)
+	defer srv.Stop()
+
+	db, err := createTestSslCluster(srv.Address, defaultProto, false).CreateSession()
+	if err != nil {
+		t.Fatalf("0x%x: NewCluster: %v", defaultProto, err)
+	}
+
+	if err := db.Query("void").Exec(); err != nil {
+		t.Fatalf("0x%x: %v", defaultProto, err)
+	}
+}
+
+func createTestSslCluster(hosts string, proto uint8, useClientCert bool) *ClusterConfig {
 	cluster := NewCluster(hosts)
-	cluster.SslOpts = &SslOptions{
-		CertPath:               "testdata/pki/gocql.crt",
-		KeyPath:                "testdata/pki/gocql.key",
+	sslOpts := &SslOptions{
 		CaPath:                 "testdata/pki/ca.crt",
 		EnableHostVerification: false,
 	}
+	if useClientCert {
+		sslOpts.CertPath = "testdata/pki/gocql.crt"
+		sslOpts.KeyPath = "testdata/pki/gocql.key"
+	}
+	cluster.SslOpts = sslOpts
 	cluster.ProtoVersion = int(proto)
 	return cluster
 }
@@ -447,7 +464,7 @@ func TestPolicyConnPoolSSL(t *testing.T) {
 	srv := NewSSLTestServer(t, defaultProto)
 	defer srv.Stop()
 
-	cluster := createTestSslCluster(srv.Address, defaultProto)
+	cluster := createTestSslCluster(srv.Address, defaultProto, true)
 	cluster.ConnPoolType = NewRoundRobinConnPool
 
 	db, err := cluster.CreateSession()
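Review bot: TestSSLSimpleNoClientCert covers the both-empty path, but nothing exercises the half-configured case that the connectionpool.go change turns into an error (CertPath set, KeyPath empty, or the reverse); that is the fail-closed behaviour worth pinning, since a regression there would let a misconfigured client connect without presenting a certificate. A test along the lines below would do it, assuming CreateSession surfaces the setupTLSConfig error the way the existing tests imply. Separately, the new test never closes the session it creates; whether TestSSLSimple does is outside the hunk, so match whatever it does.
```go
func TestSSLSimpleMismatchedClientCert(t *testing.T) {
	srv := NewSSLTestServer(t, defaultProto)
	defer srv.Stop()

	cluster := createTestSslCluster(srv.Address, defaultProto, false)
	cluster.SslOpts.CertPath = "testdata/pki/gocql.crt" // KeyPath deliberately left empty
	if _, err := cluster.CreateSession(); err == nil {
		t.Fatalf("0x%x: expected error when CertPath is set without KeyPath", defaultProto)
	}
}
```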

+ 8 - 4
connectionpool.go

@@ -153,13 +153,17 @@ func setupTLSConfig(sslOpts *SslOptions) (*tls.Config, error) {
 		}
 	}
 
-	mycert, err := tls.LoadX509KeyPair(sslOpts.CertPath, sslOpts.KeyPath)
-	if err != nil {
-		return nil, fmt.Errorf("connectionpool: unable to load X509 key pair: %v", err)
+	mycerts := make([]tls.Certificate, 0)
+	if sslOpts.CertPath != "" || sslOpts.KeyPath != "" {
+		mycert, err := tls.LoadX509KeyPair(sslOpts.CertPath, sslOpts.KeyPath)
+		if err != nil {
+			return nil, fmt.Errorf("connectionpool: unable to load X509 key pair: %v", err)
+		}
+		mycerts = append(mycerts, mycert)
 	}
 
 	config := &tls.Config{
-		Certificates: []tls.Certificate{mycert},
+		Certificates: mycerts,
 		RootCAs:      certPool,
 	}