[CDRIVER-2722] Reimplement macOS TLS layer in terms of non-deprecated APIs
Created: 25/Jun/18
Updated: 15/Nov/23

Status: Backlog
Project: C Driver
Component/s: tls
Affects Version/s: 1.11.0
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Katherine Walker (Inactive)
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Gantt End to End
has to be finished together with CDRIVER-3461 Deprecated SSL functions when compili... Backlog
Related
is related to PHPC-1058 Build Warnings on OSX Closed
is related to CDRIVER-3461 Deprecated SSL functions when compili... Backlog
is related to CDRIVER-2700 Can we remove -Wno-deprecated-declara... Closed
Epic Link: CDRIVER-4575
Quarter: FY25Q1

 Description   

Secure Transport is deprecated. Let's reimplement the macOS TLS layer with the Network framework.

Original description:
The PHP driver is now using libmongoc 1.11.0, which introduced the following warning regarding SSLSetTrustedRoots:

/Users/katherinewalker/drivers/driver-mongo-php/src/libmongoc/src/libmongoc/src/mongoc/mongoc-secure-transport.c:427:18: warning:
      'SSLSetTrustedRoots' is deprecated: first deprecated in macOS 10.9 [-Wdeprecated-declarations]
      success = !SSLSetTrustedRoots (
                 ^
/System/Library/Frameworks/Security.framework/Headers/SecureTransport.h:1030:1: note: 'SSLSetTrustedRoots' has been explicitly marked
      deprecated here
SSLSetTrustedRoots                      (SSLContextRef          context,
^



 Comments   
Comment by Kevin Albertson [ 15/Jun/20 ]

All of Secure Transport is considered deprecated: https://developer.apple.com/documentation/security/secure_transport?language=objc. If we want to move off of all deprecated API, we may need to switch to https://developer.apple.com/documentation/network

Comment by A. Jesse Jiryu Davis [ 28/Jun/18 ]

Let's add a config check and use the latest Apple SSL APIs if possible:

https://developer.apple.com/documentation/security/1503776-sslsettrustedroots

... or if they've been available long enough, unconditionally stop using the old API.

The server code for the latest APIs:

https://github.com/mongodb/mongo/blob/0c532a429d4e6f1d8473b6b4f04bf21f6b6f76cb/src/mongo/util/net/ssl_manager_apple.cpp#L969

And cURL:

https://github.com/curl/curl/blob/3f3b26d6feb0667714902e836af608094235fca2/lib/vtls/darwinssl.c#L2217
