[TOOLS-1948] Use Go-native TLS dialer on platforms with openssl 0.9.x - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Critical - P2
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.7.4, 3.4.15, 3.6.5, 4.0.0-rc0
Component/s: All Tools
Labels:
None

Story Points:
5
Epic Link:
TOOLS MongoDB 4.0 Support
Backport Requested:

v3.6, v3.4

Description

Atlas is likely to start offering a TLS 1.2 only mode. This isn't possible with the system openssl on macosx or the openssl with suse11 (or RHEL 5.5). As the openssl wrapper is needed for FIPS support and we don't support FIPS on older versions of openssl anyway, we should implement a Go-native TLS dialer on platforms with 0.9.x.

We can identify ones that have 'openssl_pre_1.0' as a Go build tag – which we're already asking for in ~~SERVER-32922~~ for the wrapper. After this change, that build tag will turn off the wrapper and turn on the Go-native TLS dialer.

The Go-native TLS dialer can likely be adapted from the one that exists for the new Go driver.

Attachments

Issue Links

causes

TOOLS-2587 sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely

Closed

is depended on by

TOOLS-1982 Automate testing TLS 1.1 or 1.2 connections on all platforms

Closed

related to

SERVER-32922 Evergreen Go tooltags need 'openssl_pre_1.0' on variants with openssl 0.9.x

Closed

SERVER-34742 Stop running ssl_cert_password.js on OS X

Closed

Activity

People

Assignee:: David Golden

Reporter:: David Golden

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Feb 08 2018 02:56:58 PM UTC

Updated:: Jul 21 2020 12:06:10 PM UTC

Resolved:: Apr 13 2018 07:50:07 PM UTC