v5.19.0 - Feedback wanted on mutual TLS 📣

[StephenCathcart]

In version 5.19.0 (#577), we introduce a new preview API to the driver, enabling mutual TLS for 2-factor authentication.

A new Driver level configuration option was added, ClientCertificateProvider which accepts an interface of type auth.ClientCertificateProvider. This provider supplies a tls.Certificate which is appended to our tls.Config when establishing a new connection.

We're providing two helper functions to construct a provider, auth.NewStaticClientCertificateProvider and auth.NewRotatingClientCertificateProvider, the former for creating a provider that has a static client certificate and the latter for creating a provider that enables rotation of a client certificate at run time. Both of these functions accept an auth.ClientCertificate struct, which holds paths to a TLS certificate file and its corresponding private key file (with an optional password). Below are examples of using each of these.

Static Client Certificate Provider

password := "thepassword1"
provider, err := auth.NewStaticClientCertificateProvider(auth.ClientCertificate {
  CertFile: "path/to/cert.pem",
  KeyFile:  "path/to/key.pem",
  Password: &password,
})
if err != nil {
  log.Fatalf("Failed to load certificate: %v", err)
}
_, _ = neo4j.NewDriverWithContext("bolt://localhost:7687", neo4j.BasicAuth("neo4j", "password", ""), func(config *config.Config) {
  config.ClientCertificateProvider = provider
})

Rotating Client Certificate Provider

password := "thepassword1"
provider, err := auth.NewRotatingClientCertificateProvider(auth.ClientCertificate {
  CertFile: "path/to/cert.pem",
  KeyFile:  "path/to/key.pem",
  Password: &password,
})
if err != nil {
  log.Fatalf("Failed to load certificate: %v", err)
}
_, _ = neo4j.NewDriverWithContext("bolt://localhost:7687", neo4j.BasicAuth("neo4j", "password", ""), func(config *config.Config) {
  config.ClientCertificateProvider = provider
})
// After a period of time, we decide to update the certificate...
err = provider.UpdateCertificate(auth.ClientCertificate {
  CertFile: "path/to/new_cert.pem",
  KeyFile:  "path/to/new_key.pem",
  Password: &password,
})
if err != nil {
  log.Fatalf("Failed to update certificate: %v", err)
}

Feedback wanted

​
This new API is currently marked as preview. What it means is that we are eagerly waiting for your feedback. Does it work well in your scenario? Do you wish there was more?
​
Let us know so we can correct course in the next releases!