GODRIVER-3321 Fix CSE SetTLSConfig option. #1900
Conversation
API Change ReportNo changes found! |
matthewdale
added
priority-1-high
matthewdale
force-pushed
the
godriver3321-fix-kmip
branch
from
6ade819 to
b7a77c8
Compare
There was a problem hiding this comment.
I doubt if we need to deep-copy the tlsOpts, which happens to be a map. The root cause of the test failure is that we lazy-apply (apply-by-need?) the option values in our new option pattern, while the maps (and slices) in the Golang are reference types. Therefore, when we reuse the map in the test cases, options are overwritten accidentally.
I think we only need to document the "SetOption" behavior because the de facto pass-by-reference is familiar to Go developers though it's not intuitive.
On the other hand, if we are going to deep-copy the tlsOpts, it would be better deep-copy other options in reference types as well to avoid any surprising behavior.
|
@qingyang-hu you're correct, only // Use TLS min version 1.2 to enforce more secure hash algorithms and
// advanced cipher suites.
if config.MinVersion == 0 {
config.MinVersion = tls.VersionTLS12
}I believe the copy was made to prevent modifying the input values, but it's not actually a deep copy because the In any case, Go 1.18 changed the default to TLS 1.2 (see here), so all of that additional logic is now unnecessary because it matches the new Go default. TLDR: I will remove the ineffective and unnecessary copy and rewrite the test to use map literals. |
GODRIVER-3321
Summary
Immediately make a copy of the TLS config map in
ClientEncryptionOptionsBuilder.SetTLSConfigandAutoEncryptionOptionsBuilder.SetTLSConfigto prevent the map values from changing before the option function is called.Background & Motivation
Currently, if you modify the TLS config map passed to
ClientEncryptionOptionsBuilder.SetTLSConfigorAutoEncryptionOptionsBuilder.SetTLSConfigbefore passing the options toNewClientEncryption, the TLS config map passed toNewClientEncryptionwill unexpectedly change. That's because the option function is a closure over the original map. Instead, we should make a copy of the map in the setter body and pass that copy into the option function.