diff --git a/AUTHORS b/AUTHORS
index 54caf0c4e..09e25914f 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -47,3 +47,4 @@ Justin Corpron
 Miles Delahunty
 Zach Badgett
 Maciek Sakrejda
+Jeff Mitchell
diff --git a/conn.go b/conn.go
index cf12c17fa..06f3f82e4 100644
--- a/conn.go
+++ b/conn.go
@@ -55,6 +55,8 @@ func (p PasswordAuthenticator) Success(data []byte) error {
 }
 
 type SslOptions struct {
+	tls.Config
+
 	// CertPath and KeyPath are optional depending on server
 	// config, but both fields must be omitted to avoid using a
 	// client certificate
diff --git a/connectionpool.go b/connectionpool.go
index 128dd8919..9f9904be1 100644
--- a/connectionpool.go
+++ b/connectionpool.go
@@ -140,36 +140,33 @@ type SimplePool struct {
 }
 
 func setupTLSConfig(sslOpts *SslOptions) (*tls.Config, error) {
-	certPool := x509.NewCertPool()
 	// ca cert is optional
 	if sslOpts.CaPath != "" {
+		if sslOpts.RootCAs == nil {
+			sslOpts.RootCAs = x509.NewCertPool()
+		}
+
 		pem, err := ioutil.ReadFile(sslOpts.CaPath)
 		if err != nil {
 			return nil, fmt.Errorf("connectionpool: unable to open CA certs: %v", err)
 		}
 
-		if !certPool.AppendCertsFromPEM(pem) {
+		if !sslOpts.RootCAs.AppendCertsFromPEM(pem) {
 			return nil, errors.New("connectionpool: failed parsing or CA certs")
 		}
 	}
 
-	mycerts := make([]tls.Certificate, 0)
 	if sslOpts.CertPath != "" || sslOpts.KeyPath != "" {
 		mycert, err := tls.LoadX509KeyPair(sslOpts.CertPath, sslOpts.KeyPath)
 		if err != nil {
 			return nil, fmt.Errorf("connectionpool: unable to load X509 key pair: %v", err)
 		}
-		mycerts = append(mycerts, mycert)
-	}
-
-	config := &tls.Config{
-		Certificates: mycerts,
-		RootCAs:      certPool,
+		sslOpts.Certificates = append(sslOpts.Certificates, mycert)
 	}
 
-	config.InsecureSkipVerify = !sslOpts.EnableHostVerification
+	sslOpts.InsecureSkipVerify = !sslOpts.EnableHostVerification
 
-	return config, nil
+	return &sslOpts.Config, nil
 }
 
 //NewSimplePool is the function used by gocql to create the simple connection pool.
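Review bot: The embedded `tls.Config` has no comment saying which of its fields the pool actually honours, yet the companion change in connectionpool.go unconditionally overwrites `InsecureSkipVerify` from `EnableHostVerification` and appends to `RootCAs` and `Certificates` when `CaPath`/`CertPath`/`KeyPath` are set. The likely misuse is a caller who populates only the embedded Config (leaving `InsecureSkipVerify` false and expecting verification) while `EnableHostVerification` still has its zero value, which turns verification off. Suggest a doc comment above `tls.Config`: `// Config is the base TLS configuration. InsecureSkipVerify is overridden by EnableHostVerification; RootCAs and Certificates are extended from CaPath, CertPath and KeyPath when those are set.` The SslOptions struct continues outside the hunk.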
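Review bot: `sslOpts.InsecureSkipVerify = !sslOpts.EnableHostVerification` overwrites the field of the embedded tls.Config, so with the zero-value default (`EnableHostVerification` false) a caller who configured only the embedded Config — say set `ServerName` and left `InsecureSkipVerify` false — gets certificate verification silently disabled. Now that two fields govern one setting the precedence should be explicit; the safer contract is for the embedded field to be the source of truth and the flag to only ever enable, `if sslOpts.EnableHostVerification { sslOpts.InsecureSkipVerify = false }`, which makes verification the default — if that compatibility break is unacceptable, at least document that verification happens only when `EnableHostVerification` is true. Separately, the function now mutates the caller's SslOptions (appending to `RootCAs` and `Certificates`) and returns `&sslOpts.Config`, so a second call appends the CA bundle and key pair again and the returned config aliases state the caller can still change; either document it as single-use or build the returned config from a copy taken before the appends. Note also that when `CaPath` is empty `RootCAs` now stays nil, which makes crypto/tls fall back to the system roots where the old code passed an empty pool that trusted nothing — probably intended, but worth a sentence in the commit message.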