api: remove ssl

.github/workflows/testing.yml

@@ -103,107 +103,6 @@ jobs:
           make test
           make testrace
 
-      - name: Run regression tests with disabled SSL
-        run: |
-          make test TAGS="go_tarantool_ssl_disable"
-          make testrace TAGS="go_tarantool_ssl_disable"
-
-      - name: Run fuzzing tests
-        if: ${{ matrix.fuzzing }}
-        run: make fuzzing TAGS="go_tarantool_decimal_fuzzing"
-
-      - name: Run tests, collect code coverage data and send to Coveralls
-        if: ${{ matrix.coveralls }}
-        env:
-          COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          make coveralls
-
-      - name: Check workability of benchmark tests
-        run: make bench-deps bench DURATION=1x COUNT=1
-
-  run-tests-ee:
-    # The same as for run-tests-ce, but it does not run on pull requests from
-    # forks and on forks by default. Tests from forks will run only when the
-    # pull request is labeled with `full-ci`. To avoid security problems, the
-    # label must be reset manually for every run.
-    #
-    # We need to use `pull_request_target` because it has access to base
-    # repository secrets unlike `pull_request`.
-    if: |
-      github.repository == 'tarantool/go-tarantool' &&
-      (github.event_name == 'push' ||
-        (github.event_name == 'pull_request_target' &&
-          github.event.pull_request.head.repo.full_name != github.repository &&
-          github.event.label.name == 'full-ci')) ||
-      github.event_name == 'workflow_dispatch'
-
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        sdk-path:
-          - 'release/linux/x86_64/1.10/'
-        sdk-version:
-          - 'sdk-1.10.15-0-r598'
-        coveralls: [false]
-        fuzzing: [false]
-        ssl: [false]
-        include:
-          - sdk-path: 'release/linux/x86_64/2.10/'
-            sdk-version: 'sdk-gc64-2.10.8-0-r598.linux.x86_64'
-            coveralls: false
-            ssl: true
-          - sdk-path: 'release/linux/x86_64/2.11/'
-            sdk-version: 'sdk-gc64-2.11.1-0-r598.linux.x86_64'
-            coveralls: true
-            ssl: true
-
-    steps:
-      - name: Clone the connector
-        # `ref` as merge request is needed for pull_request_target because this
-        # target runs in the context of the base commit of the pull request.
-        uses: actions/checkout@v3
-        if: github.event_name == 'pull_request_target'
-        with:
-          ref: refs/pull/${{ github.event.pull_request.number }}/merge
-
-      - name: Clone the connector
-        if: github.event_name != 'pull_request_target'
-        uses: actions/checkout@v3
-
-      - name: Setup Tarantool ${{ matrix.sdk-version }}
-        run: |
-          ARCHIVE_NAME=tarantool-enterprise-${{ matrix.sdk-version }}.tar.gz
-          curl -O -L https://${{ secrets.SDK_DOWNLOAD_TOKEN }}@download.tarantool.io/enterprise/${{ matrix.sdk-path }}${ARCHIVE_NAME}
-          tar -xzf ${ARCHIVE_NAME}
-          rm -f ${ARCHIVE_NAME}
-
-      - name: Setup golang for the connector and tests
-        uses: actions/setup-go@v3
-        with:
-          go-version: 1.13
-
-      - name: Install test dependencies
-        run: |
-          source tarantool-enterprise/env.sh
-          make deps
-
-      - name: Run regression tests
-        run: |
-          source tarantool-enterprise/env.sh
-          make test
-          make testrace
-        env:
-          TEST_TNT_SSL: ${{matrix.ssl}}
-
-      - name: Run regression tests with disabled SSL
-        run: |
-          source tarantool-enterprise/env.sh
-          make test TAGS="go_tarantool_ssl_disable"
-          make testrace TAGS="go_tarantool_ssl_disable"
-
       - name: Run fuzzing tests
         if: ${{ matrix.fuzzing }}
         run: make fuzzing TAGS="go_tarantool_decimal_fuzzing"
@@ -212,9 +111,7 @@ jobs:
         if: ${{ matrix.coveralls }}
         env:
           COVERALLS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          TEST_TNT_SSL: ${{matrix.ssl}}
         run: |
-          source tarantool-enterprise/env.sh
           make coveralls
 
       - name: Check workability of benchmark tests
@@ -376,12 +273,6 @@ jobs:
           make test
           make testrace
 
-      - name: Run regression tests with disabled SSL
-        run: |
-          cd "${SRCDIR}"
-          make test TAGS="go_tarantool_ssl_disable"
-          make testrace TAGS="go_tarantool_ssl_disable"
-
       - name: Run fuzzing tests
         if: ${{ matrix.fuzzing }}
         run: |

CHANGELOG.md

@@ -15,7 +15,6 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - IsNullable flag for Field (#302)
 - More linters on CI (#310)
 - Meaningful description for read/write socket errors (#129)
-- Support password and password file to decrypt private SSL key file (#319)
 - Support `operation_data` in `crud.Error` (#330) 
 - Support `fetch_latest_metadata` option for crud requests with metadata (#335)
 - Support `noreturn` option for data change crud requests (#335)
@@ -125,6 +124,7 @@ Versioning](http://semver.org/spec/v2.0.0.html) except to the first release.
 - Code() method from the Request interface (#158)
 - `Schema` field from the `Connection` struct (#7)
 - `OkCode` and `PushCode` constants (#237)
+- SSL support (#301)
 
 ### Fixed
 

CONTRIBUTING.md

@@ -34,20 +34,6 @@ make testrace
 The tests set up all required `tarantool` processes before run and clean up
 afterwards.
 
-If you want to run the tests with specific build tags:
-```bash
-make test TAGS=go_tarantool_ssl_disable
-make testrace TAGS=go_tarantool_ssl_disable
-```
-
-If you have Tarantool Enterprise Edition 2.10 or newer, you can run additional
-SSL tests. To do this, you need to set an environment variable 'TEST_TNT_SSL':
-
-```bash
-TEST_TNT_SSL=true make test
-TEST_TNT_SSL=true make testrace
-```
-
 If you want to run the tests for a specific package:
 ```bash
 make test-<SUBDIR>

README.md

@@ -68,11 +68,7 @@ We define multiple [build tags](https://pkg.go.dev/go/build#hdr-Build_Constraint
 
 This allows us to introduce new features without losing backward compatibility.
 
-1. To disable SSL support and linking with OpenSSL, you can use the tag:
-   ```
-   go_tarantool_ssl_disable
-   ```
-2. To run fuzz tests with decimals, you can use the build tag:
+1. To run fuzz tests with decimals, you can use the build tag:
    ```
    go_tarantool_decimal_fuzzing
    ```
@@ -169,6 +165,60 @@ otherwise it will have a description which can be retrieved with `err.Error()`.
 by the method `Do` of object `conn` which is the object that was returned
 by `Connect()`.
 
+### Example with encrypting traffic
+
+For SSL-enabled connections, use `OpenSSLDialer` from the [`go-tlsdialer`](https://github.com/tarantool/go-tlsdialer)
+package.
+
+Here is small example with importing `go-tlsdialer` and using the
+`OpenSSLDialer`:
+
+```go
+package tarantool
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/tarantool/go-tarantool/v2"
+	"github.com/tarantool/go-tlsdialer"
+)
+
+func main() {
+	sslDialer := tlsdialer.OpenSSLDialer{
+		Address:     "127.0.0.1:3013", 
+		User:        "test", 
+		Password:    "test", 
+		SslKeyFile:  "testdata/localhost.key",
+		SslCertFile: "testdata/localhost.crt",
+		SslCaFile:   "testdata/ca.crt",
+	}
+	opts := tarantool.Opts{
+		Timeout: time.Second,
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 500*time.Millisecond)
+	defer cancel()
+	conn, err := tarantool.Connect(ctx, sslDialer, opts)
+	if err != nil {
+		fmt.Printf("Connection refused: %s", err)
+	}
+
+	data, err := conn.Do(tarantool.NewInsertRequest(999).
+		Tuple([]interface{}{99999, "BB"}), 
+	).Get()
+	if err != nil {
+		fmt.Printf("Error: %s", err)
+	} else {
+		fmt.Printf("Data: %v", data)
+	}
+}
+```
+
+Note that [traffic encryption](https://www.tarantool.io/en/doc/latest/enterprise/security/#encrypting-traffic)
+is only available in Tarantool Enterprise Edition 2.10 or newer.
+
 ### Migration to v2
 
 The article describes migration from go-tarantool to go-tarantool/v2.
@@ -315,8 +365,10 @@ and user may cancel it in process.
 
 Now you need to pass `Dialer` as the second argument instead of URI.
 If you were using a non-SSL connection, you need to create `NetDialer`.
-For SSL-enabled connections, use `OpenSslDialer`. Please note that the options
-for creating a connection are now stored in corresponding `Dialer`, not in `Opts`.
+For SSL-enabled connections, use `OpenSSLDialer` from the `go-tlsdialer`
+package.
+Please note that the options for creating a connection are now stored in
+corresponding `Dialer`, not in `Opts`.
 
 #### Connection schema
 

dial.go

@@ -205,115 +205,6 @@ func (d NetDialer) Dial(ctx context.Context, opts DialOpts) (Conn, error) {
 	return dialer.Dial(ctx, opts)
 }
 
-type openSslDialer struct {
-	address         string
-	sslKeyFile      string
-	sslCertFile     string
-	sslCaFile       string
-	sslCiphers      string
-	sslPassword     string
-	sslPasswordFile string
-}
-
-func (d openSslDialer) Dial(ctx context.Context, opts DialOpts) (Conn, error) {
-	var err error
-	conn := new(tntConn)
-
-	network, address := parseAddress(d.address)
-	conn.net, err = sslDialContext(ctx, network, address, sslOpts{
-		KeyFile:      d.sslKeyFile,
-		CertFile:     d.sslCertFile,
-		CaFile:       d.sslCaFile,
-		Ciphers:      d.sslCiphers,
-		Password:     d.sslPassword,
-		PasswordFile: d.sslPasswordFile,
-	})
-	if err != nil {
-		return nil, fmt.Errorf("failed to dial: %w", err)
-	}
-
-	dc := &deadlineIO{to: opts.IoTimeout, c: conn.net}
-	conn.reader = bufio.NewReaderSize(dc, bufSize)
-	conn.writer = bufio.NewWriterSize(dc, bufSize)
-
-	return conn, nil
-}
-
-// OpenSslDialer allows to use SSL transport for connection.
-type OpenSslDialer struct {
-	// Address is an address to connect.
-	// It could be specified in following ways:
-	//
-	// - TCP connections (tcp://192.168.1.1:3013, tcp://my.host:3013,
-	// tcp:192.168.1.1:3013, tcp:my.host:3013, 192.168.1.1:3013, my.host:3013)
-	//
-	// - Unix socket, first '/' or '.' indicates Unix socket
-	// (unix:///abs/path/tnt.sock, unix:path/tnt.sock, /abs/path/tnt.sock,
-	// ./rel/path/tnt.sock, unix/:path/tnt.sock)
-	Address string
-	// Auth is an authentication method.
-	Auth Auth
-	// Username for logging in to Tarantool.
-	User string
-	// User password for logging in to Tarantool.
-	Password string
-	// RequiredProtocol contains minimal protocol version and
-	// list of protocol features that should be supported by
-	// Tarantool server. By default, there are no restrictions.
-	RequiredProtocolInfo ProtocolInfo
-	// SslKeyFile is a path to a private SSL key file.
-	SslKeyFile string
-	// SslCertFile is a path to an SSL certificate file.
-	SslCertFile string
-	// SslCaFile is a path to a trusted certificate authorities (CA) file.
-	SslCaFile string
-	// SslCiphers is a colon-separated (:) list of SSL cipher suites the connection
-	// can use.
-	//
-	// We don't provide a list of supported ciphers. This is what OpenSSL
-	// does. The only limitation is usage of TLSv1.2 (because other protocol
-	// versions don't seem to support the GOST cipher). To add additional
-	// ciphers (GOST cipher), you must configure OpenSSL.
-	//
-	// See also
-	//
-	// * https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
-	SslCiphers string
-	// SslPassword is a password for decrypting the private SSL key file.
-	// The priority is as follows: try to decrypt with SslPassword, then
-	// try SslPasswordFile.
-	SslPassword string
-	// SslPasswordFile is a path to the list of passwords for decrypting
-	// the private SSL key file. The connection tries every line from the
-	// file as a password.
-	SslPasswordFile string
-}
-
-// Dial makes OpenSslDialer satisfy the Dialer interface.
-func (d OpenSslDialer) Dial(ctx context.Context, opts DialOpts) (Conn, error) {
-	dialer := AuthDialer{
-		Dialer: ProtocolDialer{
-			Dialer: GreetingDialer{
-				Dialer: openSslDialer{
-					address:         d.Address,
-					sslKeyFile:      d.SslKeyFile,
-					sslCertFile:     d.SslCertFile,
-					sslCaFile:       d.SslCaFile,
-					sslCiphers:      d.SslCiphers,
-					sslPassword:     d.SslPassword,
-					sslPasswordFile: d.SslPasswordFile,
-				},
-			},
-			RequiredProtocolInfo: d.RequiredProtocolInfo,
-		},
-		Auth:     d.Auth,
-		Username: d.User,
-		Password: d.Password,
-	}
-
-	return dialer.Dial(ctx, opts)
-}
-
 type fdAddr struct {
 	Fd uintptr
 }