MongoDB Shell / MONGOSH-1628

Statically linking kerberos leads to OpenSSL version conflict on RHEL8 distros

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 2.1.1
    • Affects Version/s: None
    • Component/s: CLI Module, Connectivity
    • Labels:
      None
    • Environment:
      OS: RHEL8
      Additional info:
    • 3
    • Not Needed
    • Iteration Pterodactyl

      Problem Statement/Rationale

      mongosh statically links OpenSSL. This conflicts with a potential transitive OpenSSL dependency in libraries that mongosh depends on, such as kerberos, which happens to depend on the system OpenSSL installation in RHEL8/9-based operating systems.

      Steps to Reproduce

      Apply https://gist.github.com/addaleax/2427e73e5306aae189005344d13b120e to mongosh, then run the connectivity test suite.

      Expected Results

      Successful tests.

      Actual Results

      Segmentation faults. Stack trace from the original user report: https://gist.github.com/addaleax/d3680ffd4e21cd6e104095da89b95c21

      Additional Notes

      ldd -v /usr/bin/mongosh output: https://gist.github.com/addaleax/12f744be7030aacafc5dc13afa1b9836

      This seems relatively high-priority, because:

      • It results in crashes without any helpful information for the user.
      • It can lead to arbitrary memory corruption in mongosh processes.

      The only reason I’m not opening this as P2 is that it has a reliable and safe workaround (namely, using the shared-OpenSSL binaries).

      Unfortunately, fixing this is not trivial. Possible approaches would be to:

      • Stop statically linking the Node.js kerberos addon. This breaks with our goal to provide a single-binary experience for mongosh users.
      • Adjust the Node.js kerberos addon to (enable) loading kerberos functions at runtime. This adds a bit of complexity to the Node.js addon, but removes kerberos as a hard runtime dependency for mongosh.
      • Disable kerberos as a feature in static-OpenSSL builds of mongosh.
      • …?

            Assignee:
            anna.henningsen@mongodb.com Anna Henningsen
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0
            Watchers:
            4
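
One way to check a binary for the transitive dependency described in the problem statement, added here as an example (not code from the mongosh project or the reporter): it walks the "Version information" section of `ldd -v` output and returns the chain by which a binary pulls in a shared OpenSSL. The sample output, the `/opt/example/bin/app` path and all function names are constructed assumptions.

```python
import re
from collections import deque

# Constructed sample shaped like `ldd -v` output; NOT the output linked from the issue.
SAMPLE_LDD_V = """\
\tlibgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f3b1c400000)
\tlibk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f3b1c000000)
\tlibcrypto.so.1.1 => /lib64/libcrypto.so.1.1 (0x00007f3b1bc00000)

\tVersion information:
\t/opt/example/bin/app:
\t\tlibgssapi_krb5.so.2 (gssapi_krb5_2_MIT) => /lib64/libgssapi_krb5.so.2
\t\tlibc.so.6 (GLIBC_2.17) => /lib64/libc.so.6
\t/lib64/libgssapi_krb5.so.2:
\t\tlibk5crypto.so.3 (k5crypto_3_MIT) => /lib64/libk5crypto.so.3
\t/lib64/libk5crypto.so.3:
\t\tlibcrypto.so.1.1 (OPENSSL_1_1_0) => /lib64/libcrypto.so.1.1
\t\tlibc.so.6 (GLIBC_2.14) => /lib64/libc.so.6
"""

DEP = re.compile(r"^\s+(\S+) \([^)]+\) => (\S+)$")   # "soname (VERSION) => path"
OPENSSL = re.compile(r"^lib(crypto|ssl)\.so\b")      # shared OpenSSL sonames

def dependency_graph(ldd_v_text):
    """Parse the 'Version information:' section into {object: {soname: path}}."""
    graph, current = {}, None
    section = ldd_v_text.split("Version information:", 1)[-1]
    for line in section.splitlines():
        dep = DEP.match(line)
        if dep and current:
            graph[current][dep.group(1)] = dep.group(2)
        elif line.strip().endswith(":"):
            current = line.strip()[:-1]       # header line naming the requiring object
            graph[current] = {}
    return graph

def openssl_chain(ldd_v_text, binary):
    """Shortest dependency chain from `binary` to a shared OpenSSL, or None."""
    graph = dependency_graph(ldd_v_text)
    queue, seen = deque([[binary]]), {binary}
    while queue:
        chain = queue.popleft()
        for soname, path in sorted(graph.get(chain[-1], {}).items()):
            if OPENSSL.match(soname):
                return chain + [path]
            if path not in seen:
                seen.add(path)
                queue.append(chain + [path])
    return None
```

A non-empty chain for a binary that also embeds its own OpenSSL means two copies end up in one process; whether the binary embeds OpenSSL has to be established separately, since `ldd` reports only shared dependencies.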