Details
Task
Resolution: Won't Fix
Major
Description
Normally user programs pass TLS information at the start and restart when it changes.
If services/server programs can't do that, they need the ability to change it dynamically.
If gocbcore needs to be used by the query service, it opens one agent for each bucket.
Then all the different queries on that bucket reuse the same agent.
Now when ns_server changes the certificate, the query service will pass the certificates through TLSRootCAProvider. This can be nil if disabled, or the actual certificate if enabled.
At present only config.UseTLS = true uses the certificate, so we must always set this to true and change TLSRootCAProvider appropriately.
https://github.com/couchbase/gocbcore/blob/master/dyntlsconfig.go#L30
It is supposed to ignore the TLS connection when the certificate is nil.
For some reason, when config.UseTLS = true and TLSRootCAProvider returns nil, the connection fails.
If set to false it works.
Repro:
1) Create default bucket
2) Change host/user/password in the following program
package main

import (
	"crypto/x509"
	"time"

	"github.com/couchbase/gocbcore/v9"
)

func main() {
	config := gocbcore.AgentConfig{}

	// TLS is requested, but the root CA provider returns nil.
	config.UseTLS = true
	config.TLSRootCAProvider = func() *x509.CertPool {
		return nil
	}

	err := config.FromConnStr("couchbase://127.0.0.1")
	if err != nil {
		panic(err)
	}

	config.Auth = &gocbcore.PasswordAuthProvider{
		Username: "Administrator",
		Password: "password",
	}
	config.BucketName = "default"

	agent, err := gocbcore.CreateAgent(&config)
	if err != nil {
		panic(err)
	}

	// Warm up by calling wait until ready
	warmWaitCh := make(chan struct{}, 1)
	_, err = agent.WaitUntilReady(
		time.Now().Add(5*time.Second),
		gocbcore.WaitUntilReadyOptions{},
		func(result *gocbcore.WaitUntilReadyResult, err error) {
			if err != nil {
				panic(err)
			}
			warmWaitCh <- struct{}{}
		})
	if err != nil {
		panic(err)
	}
	<-warmWaitCh
}
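An added example, not from this ticket and not gocbcore code: one way a service could keep a root CA pool that is replaced at runtime behind a callback of the same shape as TLSRootCAProvider, and decide per new connection whether to use TLS. `RotatingRoots` and `DialTLSConfig` are hypothetical names, and treating a nil pool as "TLS disabled" is the behaviour the description expects, assumed here.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"sync"
)

// RotatingRoots is a hypothetical helper holding the current root CA pool.
// The pool can be replaced while existing connections stay open.
type RotatingRoots struct {
	mu   sync.RWMutex
	pool *x509.CertPool
}

// Set installs a new pool. Set(nil) is taken to mean "TLS disabled" (assumption).
func (r *RotatingRoots) Set(p *x509.CertPool) {
	r.mu.Lock()
	r.pool = p
	r.mu.Unlock()
}

// Provider has the func() *x509.CertPool shape used for TLSRootCAProvider.
func (r *RotatingRoots) Provider() *x509.CertPool {
	r.mu.RLock()
	defer r.mu.RUnlock()
	return r.pool
}

// DialTLSConfig is meant to be called once per new connection. It returns nil
// when the provider reports no pool, so the caller dials plaintext. The nil
// pool must not be copied into tls.Config: crypto/tls treats RootCAs == nil
// as "use the host's root CA set", which is a different trust decision.
func DialTLSConfig(provider func() *x509.CertPool, serverName string) *tls.Config {
	roots := provider()
	if roots == nil {
		return nil
	}
	return &tls.Config{RootCAs: roots, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

func main() {
	var r RotatingRoots
	fmt.Println("TLS before certificate is set:", DialTLSConfig(r.Provider, "127.0.0.1") != nil)
	r.Set(x509.NewCertPool()) // constructed empty pool standing in for a rotated CA
	fmt.Println("TLS after certificate is set:", DialTLSConfig(r.Provider, "127.0.0.1") != nil)
}
```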