[CDRIVER-4219] AWS KMS SSL connection is not configurable Created: 05/Nov/21  Updated: 15/Nov/21  Resolved: 15/Nov/21

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Blocker - P1
Reporter: Matthew Piazza Assignee: Kevin Albertson
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates CDRIVER-4206 Support KMIP provider Closed
Description

When attempting to use client-side field level encryption by means of an AWS KMS, I run into the error: 
TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

The Enterprise MongoDB server I am connecting to is version 5.0.3 and does not require an SSL configuration in the connection. 

I have tracked my error down to an inability to set the CA file for the SSL connection to the AWS KMS. In the file "mongo-c-driver-1.19.0/src/libmongoc/src/mongoc/mongoc-crypt.c" there is a _get_stream function whose variable ssl_opts of the type mongoc_ssl_opt_t is filled in with NULL values through the function mongoc_ssl_opt_get_default. I was able to resolve my issue and load and unload encrypted fields successfully by compiling a version of the C driver in which I used _mongoc_getenv to pass in a string that I assigned to the ca_file value of ssl_opts. 

If there is a manner of configuring this SSL connection, I have not found the documentation for it nor a code path that assigns values given by the user. 

Comments
Comment by Kevin Albertson [ 15/Nov/21 ]

This is resolved by CDRIVER-4206. It enables configuring tlsCAFile, tlsCertificateKeyFile, and tlsCertificateKeyFilePassword with the new functions mongoc_auto_encryption_opts_set_tls_opts and mongoc_client_encryption_opts_set_tls_opts. It will be part of the C 1.20.0 release. The tentative ETA is Nov 16.

Comment by Kevin Albertson [ 07/Nov/21 ]

Hi mpiazza@abinitio.com, thank you for the feature request. Configuring TLS options for KMS providers is being added in CDRIVER-4206. That will make it possible to configure an equivalent of the ca_file option on TLS connections made to AWS KMS.

> If there is a manner of configuring this SSL connection, I have not found the documentation for it nor a code path that assigns values given by the user.

That is correct. There is no way to configure TLS connections for KMS providers currently. The default options from mongoc_ssl_opt_get_default are currently used.

In the meantime, a possible workaround may be to install the necessary CA certificate system-wide.
