Skip to content

Add support for authentication via mTLS (authentication with TLS certificates) #227

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 19 commits into
base: async-await
Choose a base branch
from
Draft

Add support for authentication via mTLS (authentication with TLS certificates) #227

wants to merge 19 commits into from

Conversation

azat
Copy link
Contributor

@azat azat commented Apr 19, 2025

Note: blocked by #226 hence draft for now

mTLS (Mutual TLS, or mTLS for short, is a method for mutual authentication) allows you to authenticate on the server with client certificate.

Now clickhouse-rs supports it, for this you need to pass the following arguments for connection url:

  • ca_certificate
  • client_certificate
  • client_private_key

Some other things:

  • Support specifying TLS certificate via ca_certificate parameter in URL
  • Add missing TLS fields for Debug trait
  • Update section about TLS features in README
  • Extend CI coverage for TLS

azat added 19 commits April 15, 2025 22:53
@azat
Ensure that Hello packet correctly received
dceebe1
@azat
Properly handle terminated connection by the server
0e67ce2 
Previously ClickhouseTransport::poll_next did not tries to process
packets if the server closed the connection, however there can be some
packet (likely Exception), that we need to pass to user.

Also this will avoid panic in case of missing Hello packet, i.e. in
case of credentials mismatch.
@azat
Fix test_size_of expectation (the size should be 64 with alignment)
6d42f41
@azat
ci: set CLICKHOUSE_SKIP_USER_SETUP to avoid restricting default user
af660a8
@azat
Merge branch 'fix-panic-on-hello' into next
437c4af 
* fix-panic-on-hello:
  ci: set CLICKHOUSE_SKIP_USER_SETUP to avoid restricting default user
  Fix test_size_of expectation (the size should be 64 with alignment)
  Properly handle terminated connection by the server
  Ensure that Hello packet correctly received
@azat
ci: simplify TLS jobs
829f595
@azat
ci: disable fail-fast for matrix (plus it is how it works before)
f27a36d
@azat
ci: temporary enable CI for next branch
f7395a3
@azat
Fix typo (s/DER/PEM/)
525644d
@azat
Add ability to specify certificate
4a19933
@azat
Fix CaUsedAsEndEntity error
0f913fb
@azat
ci: generate TLS certificates on the host for client
b394d6f
@azat
Rename certificate to ca_certificate
32051ad
@azat
Implement mTLS for rustls
0ed5046
@azat
ci: add mTLS
0dfa42b
@azat
Add mTLS support for native-tls
7272327
@azat
Refactor mTLS support
6059960
@azat
Update README about TLS features
1463a3b
@azat
Revert "ci: temporary enable CI for next branch"
32ca7b6 
This reverts commit f7395a3.
This was referenced Apr 19, 2025
Merged
Closed
@madchicken
Copy link

It would be very good to see this PR merged but I don't see any reaction from the author. I don;t see any commit/activity on github from him in the last year, so I doubt we will get some news here. Maybe we should fork this project @azat ?

@azat
Copy link
Contributor Author

azat commented May 7, 2025

Let's the maintainer more time, it is really hard to support open source projects after some time when you have full time job...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@azat @madchicken