[ENHANCEMENT] More configuration of TLS connections #182

Open
xd009642 opened this issue Jul 26, 2021 · 5 comments
Labels
enhancement New feature or request

Comments

@xd009642

Is your feature request related to a problem? Please describe.

I need to configure more TLS settings to meet a customer's security policy for a private deployment. I use rusoto with the same customer and they expose https://docs.rs/native-tls/0.2.7/native_tls/struct.TlsConnector.html in their public API when native-tls is used, and I'm able to configure the connection as required when creating the client. Ideally, the Elasticsearch bindings will function the same way to enable me to reuse the same connection building code I've already implemented.

@xd009642 xd009642 added the enhancement New feature or request label Jul 26, 2021
@xd009642 xd009642 changed the title [ENHANCEMENT] [ENHANCEMENT] More configuration of TLS connections Jul 26, 2021
@russcam
Contributor

russcam commented Jul 26, 2021

Hi @xd009642, what other TLS settings need to be configured?

@xd009642
Author

xd009642 commented Jul 26, 2021

So any settings in the builder https://docs.rs/native-tls/0.2.7/native_tls/struct.TlsConnectorBuilder.html; disable_built_in_roots is one. I also have another client with a private cloud who don't like adding certificates to images, so they ask us to set danger_accept_invalid_certs, so I'll need that if we deploy our ES-based solution there.

@xd009642
Author

I'd also be willing to work on a PR for this, I just want to make sure the feature will be accepted in some form or another.

@russcam
Contributor

russcam commented Jul 28, 2021

It looks like disable_built_in_roots might be the only one missing that might be useful to also have:

  • identity is handled with .auth()
  • add_root_certificate() and danger_accept_invalid_certs() and danger_accept_invalid_hostnames() are handled with cert_validation()

@xd009642
Author

Ah brilliant, I missed those in the docs. I'll have a look at a PR for disable_built_in_roots, I imagine it would be a case of adding a field to the CertificationValidation enum as that seems to handle a few things 🤔
