Support mTLS connections (key and CA signed cert) #523
Comments
I have TLS-enabled ClickHouse with user name and password, since you have mentioned in the above statement that --> user name (same as server configuration and Common Name in certificate) is still needed, with empty password. So how to connect to ClickHouse with username and password?
Hi @rajjat0602, you can only pick one from password and certificate for authentication. It seems the 3 files (tls.crt, tls.key and ca.crt) are only for server setup and you don't have a client certificate. If that's the case, I think you just need to set ssl=true and sslmode=NONE without specifying any certificate or key. If you want to ensure the client is connecting to a trusted server, you can specify a root certificate, so it's something like ssl=true, sslmode=STRICT and sslrootcert=ca.crt.
Hi, I am trying to connect to the TCP port, which is enabled with SSL, using clickhouse-jdbc, but I am getting the below error. I have passed sslrootcert, which is a cert file.
I didn't find a way to add a key to sslrootcert, or pass the key in any other way. Probably because the keystore is created only from X.509 format.
https://github.com/ClickHouse/clickhouse-jdbc/blob/4332286/src/main/java/ru/yandex/clickhouse/util/ClickHouseHttpClientBuilder.java#L194-L199
I see that the idea to use sslrootcert is inherited from the postgresql driver #95, #96. Maybe also need to support the sslcert, sslkey (for PKCS-8) settings. https://jdbc.postgresql.org/documentation/head/ssl-client.html
It would be desirable to receive a standard possibility to specify the key and CA signed certificate in connection url:
like postgresql too.
Without this, it is not possible to use clickhouse-jdbc with mTLS in products such as DataGrip or DBeaver.