[CDRIVER-4530] Support Non-RSA Certificates for TLS on Windows
Created: 01/Dec/22
Updated: 19/Jul/23

Status: Backlog
Project: C Driver
Component/s: tls
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Ezra Chung
Assignee: Unassigned
Resolution: Unresolved
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: is depended on by CXX-2628 Remove Python 3.10 or newer selection... (Blocked)
Related: is related to CDRIVER-4519 Remove use of activate_venv.sh and ut... (Closed)
Epic Link: CDRIVER-4575
Quarter: FY24Q3

Description

The C Driver's current implementation of SSL/TLS connections on Windows (aka "winssl") uses the Secure Channel library. Specifically, the implementation primarily uses utilities provided by wincrypt.h (aka "CryptoAPI").

However, on top of being deprecated in favor of new Cryptography API: Next Generation (aka "CNG") utilities, they do not support elliptic curve cryptography. This blocked an attempt to update test certificates from RSA to ECC to address the removal of insecure ciphers in Python 3.10 (see CDRIVER-4519).

The C Driver's implementation of TLS connection handlers on Windows must be refactored to use utilities provided by bcrypt.h and/or ncrypt.h in order to support certificates using non-RSA signature algorithms.

