[CDRIVER-4219] AWS KMS SSL connection is not configurable
Created: 05/Nov/21 | Updated: 15/Nov/21 | Resolved: 15/Nov/21

| Status: | Closed |
| Project: | C Driver |
| Component/s: | libmongoc |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Blocker - P1 |
| Reporter: | Matthew Piazza |
| Assignee: | Kevin Albertson |
| Resolution: | Duplicate |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Case: | (copied to CRM) |
Description

When attempting to use client-side field level encryption by means of an AWS KMS, I run into the error: The Enterprise MongoDB server I am connecting to is version 5.0.3 and does not require an SSL configuration in the connection. I have tracked my error down to an inability to set the CA file for the SSL connection to the AWS KMS. In the file "mongo-c-driver-1.19.0/src/libmongoc/src/mongoc/mongoc-crypt.c" there is a _get_stream function whose variable ssl_opts of the type mongoc_ssl_opt_t is filled in with NULL values through the function mongoc_ssl_opt_get_default. I was able to resolve my issue and load and unload encrypted fields successfully by compiling a version of the C driver in which I used _mongoc_getenv to pass in a string that I assigned to the ca_file value of ssl_opts. If there is a manner of configuring this SSL connection, I have not found the documentation for it nor a code path that assigns values given by the user.
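The description above boils down to one configuration gap: the CA file used for the KMS TLS connection comes from mongoc_ssl_opt_get_default and the reporter's local patch pulled it from an environment variable instead. A practitioner doing that kind of override wants the value validated before it reaches the TLS layer, otherwise an unset or wrong path degrades silently to the library defaults, which is exactly the failure mode the ticket describes. The following is an added example, not code from the C driver or from the reporter's patch. It assumes a hypothetical MONGOC_KMS_CA_FILE environment variable and uses a local stand-in struct that mirrors only the ca_file field of mongoc_ssl_opt_t, so it builds without libmongoc; it checks that the path is set, readable, and contains a PEM certificate block before assigning it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for libmongoc's mongoc_ssl_opt_t (assumption: only the ca_file
 * field this ticket is about is mirrored, so the example compiles without
 * the driver). */
typedef struct {
    const char *ca_file;
} kms_tls_opts_t;

typedef enum {
    KMS_CA_OK = 0,
    KMS_CA_UNSET,       /* variable absent or empty: defaults would be used silently */
    KMS_CA_UNREADABLE,  /* path set but the file cannot be opened */
    KMS_CA_NOT_PEM      /* file opened but holds no complete PEM certificate block */
} kms_ca_status_t;

/* Returns 1 if buf contains at least one complete PEM certificate block. */
int pem_has_certificate(const char *buf)
{
    const char *begin = strstr(buf, "-----BEGIN CERTIFICATE-----");
    if (begin == NULL) {
        return 0;
    }
    return strstr(begin, "-----END CERTIFICATE-----") != NULL;
}

/* Reads up to max_len-1 bytes of path into buf; returns 1 on success. */
static int read_file(const char *path, char *buf, size_t max_len)
{
    FILE *f = fopen(path, "rb");
    size_t n;
    if (f == NULL) {
        return 0;
    }
    n = fread(buf, 1, max_len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return 1;
}

/* Validates a CA bundle path and, only when it is usable, stores it in
 * opts->ca_file. On failure opts is left untouched so the caller can abort
 * instead of falling back to the default options unnoticed. */
kms_ca_status_t kms_tls_opts_set_ca_from_value(kms_tls_opts_t *opts, const char *value)
{
    static char contents[65536]; /* constructed cap; real CA bundles are small */
    if (value == NULL || value[0] == '\0') {
        return KMS_CA_UNSET;
    }
    if (!read_file(value, contents, sizeof contents)) {
        return KMS_CA_UNREADABLE;
    }
    if (!pem_has_certificate(contents)) {
        return KMS_CA_NOT_PEM;
    }
    opts->ca_file = value;
    return KMS_CA_OK;
}

/* Reads the hypothetical MONGOC_KMS_CA_FILE variable (assumed name). */
kms_ca_status_t kms_tls_opts_set_ca_from_env(kms_tls_opts_t *opts)
{
    return kms_tls_opts_set_ca_from_value(opts, getenv("MONGOC_KMS_CA_FILE"));
}

/* Self-check with constructed files: returns 1 if every status path behaves. */
int kms_ca_selfcheck(void)
{
    const char *path = "./kms_ca_example_constructed.pem";
    kms_tls_opts_t opts = { NULL };
    FILE *f;
    int ok = 1;

    f = fopen(path, "wb");
    if (f == NULL) {
        return 0;
    }
    fputs("this is not a certificate bundle\n", f);
    fclose(f);
    ok = ok && kms_tls_opts_set_ca_from_value(&opts, path) == KMS_CA_NOT_PEM;
    ok = ok && opts.ca_file == NULL; /* failure must not touch the options */

    f = fopen(path, "wb");
    fputs("-----BEGIN CERTIFICATE-----\nMIIBconstructedbody\n-----END CERTIFICATE-----\n", f);
    fclose(f);
    ok = ok && kms_tls_opts_set_ca_from_value(&opts, path) == KMS_CA_OK;
    ok = ok && opts.ca_file != NULL && strcmp(opts.ca_file, path) == 0;

    remove(path);
    return ok;
}
```

The point of returning a status instead of a boolean is that each outcome calls for a different operator action: an unset variable means the process is about to use the system trust store, an unreadable path is usually a deployment mistake, and a non-PEM file is typically a DER bundle or the wrong file entirely.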
Comments

Comment by Kevin Albertson [ 15/Nov/21 ]

This is resolved by

Comment by Kevin Albertson [ 07/Nov/21 ]

Hi mpiazza@abinitio.com, thank you for the feature request. Configuring TLS options for KMS providers is being added in

That is correct. There is no way to configure TLS connections for KMS providers currently. The default options from mongoc_ssl_opt_get_default are currently used. In the meantime, a possible workaround may be to install the necessary CA certificate system-wide.