Support mTLS connections (key and CA signed cert)

[levonet]

I didn't find a way to add a key to sslrootcert, or pass the key in any other way.

Probably because the keystore is created only from X.509 format.
https://github.com/ClickHouse/clickhouse-jdbc/blob/4332286/src/main/java/ru/yandex/clickhouse/util/ClickHouseHttpClientBuilder.java#L194-L199

I see that the idea to use sslrootcert is inherited from the postgresql driver #95, #96

Maybe also need to support the sslcert, sslkey (for PKCS-8) settings. https://jdbc.postgresql.org/documentation/head/ssl-client.html

It would be desirable to receive a standard possibility to specify the key and CA signed certificate in connection url:

jdbc:clickhouse://localhost:8443/default?ssl=true&sslkey=client.pk8&sslcert=client.crt&sslrootcert=ca.crt

like postgresql too.

Without this, it is not possible to use clickhouse-jdbc with mTLS in products such as gatagrep or dbeaver.

[zhicwu]

Implemented since 0.3.2-patch8. I didn't check how PostgreSQL JDBC driver implemented the feature, but I think it should be all similar.

Couple of things worthy of mention:

1. Use RSA key in PKCS8 format
2. search path of certificate and key files: classpath -> File system(start with ~/.clickhouse first for relative path)
3. set sslmode to STRICT in JDBC driver - set to NONE will always trust server certificate but turn off client auth
   
4. user name(same as server configuration and Common Name in certificate) is still needed, with empty password
5. users.xml

   <clickhouse>
    <users>
      <me>
        <ssl_certificates>
          <common_name>me</common_name>
        </ssl_certificates>
      </me>
    </users>
   </clickhouse>

[rajjat0602]

I have TLS enabled ClickHouse with user name and password since you have mentioned in the above statement that -->user name(same as server configuration and Common Name in certificate) is still needed, with empty password. So How to connect to clickhouse with username and password?

[zhicwu]

Hi @rajjat0602, you can only pick one from password and certificate for authentication.

It seems the 3 files(tls.crt , tls.key and ca.crt) are only for server setup and you don't have client certificate. If that's the case, I think you just need set ssl=true and sslmode=NONE without specify any certificate or key. If you want to ensure the client is connecting to a trusted server, you can specify root certificate so it's something like ssl=true, sslmode=STRICT and sslrootcert=ca.crt.

[mohdmsl]

hi I am trying to connect to tcp port which is enabled with SSL using clickhouse-jdbc but I am getting below error
OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

I have passed sslrootcert which is a cert file