[CDRIVER-520] Add support for native TLS on OSX (Secure Transport) Created: 30/Jan/15  Updated: 08/Jan/24  Resolved: 15/Mar/16

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: 1.1.0
Fix Version/s: 1.4.0

Type: New Feature Priority: Major - P3
Reporter: Mira Carey Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-941 'openssl/bio.h' not found on OS X 10.11 Closed
related to CDRIVER-974 -Wno-deprecated-declarations not supp... Closed
related to CDRIVER-1148 /Async/ismaster_ssl fails on Darwin N... Closed
related to CDRIVER-1162 mongoc-stream-tls-private.h is broken... Closed
related to CDRIVER-1166 CMake option to build with native TLS... Closed
related to CDRIVER-1147 Use SSL_shutdown on OpenSSL connections? Closed
related to CDRIVER-2700 Can we remove -Wno-deprecated-declara... Closed
related to CDRIVER-1106 OSX + Secure Transport Build variant ... Closed
related to CDRIVER-1122 Don't just fork(), exec(), in the tes... Closed
related to CDRIVER-1146 SecIdentityCreate research Closed
related to CDRIVER-1169 SSLSetCertificateAuthorities fails, w... Closed
is related to CDRIVER-737 SCRAM-SHA-1 should not depend on openssl Closed
Epic Link: Native TLS and SCRAM-SHA-1

 Description   

To enable: ./configure --enable-ssl=darwin

Note that by default --enable-ssl still prefers OpenSSL, if available. This is for backwards compatibility reasons of existing expectations.

This implementation uses the OpenSSL traditional PEM file, and
implements most of the currently supported mongoc_ssl_opt_t options.
The certificates are never imported or loaded into the keychain.
They are simply read on-demand and transformed into Secure Transport
supported format using SecItemImport.

Note that the configured certificates are expected to be available
and valid during the lifetime of the session. This is consistent
with the OpenSSL implementation and expectations.

Certificate Authority checks:
If mongoc_ssl_opt_t.ca_file is provided the server certificate
MUST be issued by that Certificate Authority. When no .ca_file
is provided, we'll verify the server certificate against the
default (and additionally currently open) keychains. This makes
it unnecessary to provide the .ca_file for commercially bought
certificates, while at the same time - if you do want to
guarantee that the certificate is only issued by that specific
CA you can do so.

Providing client certificates:
mongoc_ssl_opt_t.pem_file can be configured to point at a client
PEM file, containing both the private key and public key
certificates. Optionally, mongoc_ssl_opt_t.pem_pwd can be
configured with the passphrase if the private key is passphrase
protected.

X.509 Authentication username extraction:
As with the OpenSSL implementation, the RFC2253 formatted
certificate subject name is extracted from the certificate.
This makes providing the username for X.509 authentication
optional.
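
An added example (not libmongoc code) of the step described above: parsing the DER-encoded subject of a client certificate and rendering it as the RFC 2253 string that serves as the X.509 username. The small DER writer, build_name(), and SAMPLE_SUBJECT exist only to construct test input; the attribute keywords are the nine that RFC 2253 section 2.3 defines, and unknown types fall back to a dotted OID with a hex-dumped value, which is also what OpenSSL's RFC2253 name option does.

```python
"""RFC 2253 subject string from a DER-encoded X.501 Name (added example, not libmongoc's code)."""

SEQUENCE, SET, OID = 0x30, 0x31, 0x06
UTF8STRING, PRINTABLESTRING, IA5STRING = 0x0C, 0x13, 0x16
STRING_TAGS = {UTF8STRING: "utf-8", PRINTABLESTRING: "ascii", IA5STRING: "ascii"}
# Attribute types RFC 2253 section 2.3 names by keyword; anything else is printed as a dotted OID.
SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
    "2.5.4.6": "C", "2.5.4.9": "STREET",
    "0.9.2342.19200300.100.1.25": "DC", "0.9.2342.19200300.100.1.1": "UID",
}
SPECIAL = set(',+"\\<>;')  # RFC 2253 section 2.4 characters that must be backslash-escaped

def der_tlv(tag, content):
    """Encode one DER tag-length-value (definite length, long form when content >= 128 bytes)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nbytes)]) + nbytes + content

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; rejects indefinite lengths and lengths that run past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs, acc = [], 0
    for b in raw:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_name(der):
    """Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value }. Returns [[(oid, tag, raw)]]."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        if tag != SET:
            raise ValueError("RDN must be a SET")
        attrs, p = [], 0
        while p < len(rdn):
            tag, atv, p = read_tlv(rdn, p)
            oid_tag, oid_raw, q = read_tlv(atv, 0)
            val_tag, val_raw, q = read_tlv(atv, q)
            if tag != SEQUENCE or oid_tag != OID or q != len(atv):
                raise ValueError("malformed AttributeTypeAndValue")
            attrs.append((decode_oid(oid_raw), val_tag, bytes(val_raw)))
        rdns.append(attrs)
    return rdns

def escape_value(tag, raw):
    """Escape special characters, a leading space or '#', and a trailing space; non-string types -> '#' + hex(BER)."""
    if tag not in STRING_TAGS:
        return "#" + der_tlv(tag, raw).hex()
    text, last, out = raw.decode(STRING_TAGS[tag]), len(raw.decode(STRING_TAGS[tag])) - 1, []
    for i, ch in enumerate(text):
        needs_escape = ch in SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " ")
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)

def rfc2253_format(rdns):
    """RDNs are reversed relative to DER order; '+' joins the values of a multi-valued RDN."""
    return ",".join("+".join(f"{SHORT_NAMES.get(oid, oid)}={escape_value(tag, raw)}" for oid, tag, raw in attrs)
                    for attrs in reversed(rdns))

def x509_username(der):
    return rfc2253_format(parse_name(der))

def is_valid_name(der):
    try:
        parse_name(der)
        return True
    except ValueError:
        return False

def build_name(rdns):
    """Constructed test input only: str values become UTF8String, (tag, bytes) pairs are used as given."""
    blobs = []
    for attrs in rdns:
        atvs = []
        for oid, value in attrs:
            tag, raw = (UTF8STRING, value.encode("utf-8")) if isinstance(value, str) else value
            atvs.append(der_tlv(SEQUENCE, der_tlv(OID, encode_oid(oid)) + der_tlv(tag, raw)))
        blobs.append(der_tlv(SET, b"".join(sorted(atvs))))  # DER orders SET OF members by encoding
    return der_tlv(SEQUENCE, b"".join(blobs))

# Constructed sample subject, not taken from any real certificate.
SAMPLE_SUBJECT = build_name([
    [("0.9.2342.19200300.100.1.25", "com")],
    [("0.9.2342.19200300.100.1.25", "example")],
    [("2.5.4.10", "Example, Inc.")],
    [("2.5.4.11", "Engineering")],
    [("2.5.4.3", "client01")],
])

if __name__ == "__main__":
    print(x509_username(SAMPLE_SUBJECT))
```

The server authenticates the literal string, so RDN order (reversed from DER) and escaping have to match byte for byte; a comma or semicolon inside an O= value is the usual place this goes wrong. Note that OpenSSL's keyword table is larger than RFC 2253's (it prints emailAddress, serialNumber and others by name), so compare what a build produces against `openssl x509 -noout -subject -nameopt RFC2253` on the same PEM before relying on the automatically extracted username.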

Notable differences to OpenSSL:
mongoc_ssl_opt_t.ca_dir will ERROR if set.
mongoc_ssl_opt_t.crl_file will ERROR if set.

There is no such concept as ca_dir in Darwin Secure Transport. The closest would be which Keychain.
All certificate evaluation is configured by your trust settings. Revoking a certificate must be done through the keychain.

— Original ticket

We offer TLS support on OSX via openssl, but it'd be a better fit to offer native support through the OS.

It looks like some work has already been done, albeit on a fork that can't easily be PR'd anymore. See if that's a good base to work from:

https://github.com/jeromelebel/mongo-c-driver/blob/master/src/mongoc/mongoc-stream-apple-tls.c

The work to take this over the line would be to port that stream implementation and whatever ifdefs he added in stream initiation in mongoc_client_new



 Comments   
Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: Merge branch 'CDRIVER-520'

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Simplify a little
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/3d8cf8617b87ddb9b47fd1461fb6baeba6e1fbf9

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Resolve ENABLE_OPENSSL to work on Darwin too
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/4cd623c4318107a2c0ccb122e393fc990e32d48e

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: We are supposed to resume the handshake having done our "verification"
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/9bc504358d209cd5e76330d60b0752c8ccd813d6

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Simplify trust evaluation, remove copies, issue warnings on unsupported items
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/f4aee802136655ec651d1678bff88f22a16c45ed

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Don't verify hostname for UDS
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/cdf379bb9d4a3a9a842860fe9d8360ba6742d7b4

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Make --enable-ssl autodetect OpenSSL/darwin

Currently the default is OpenSSL for BC

To explicitly use NativeTLS on OSX, do --enable-ssl=darwin
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/bef08f4561afd926b77192299ce3ff514687631b

Comment by Githook User [ 15/Mar/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Add support for native TLS on OSX (Secure Transport)

This implementation uses the OpenSSL traditional PEM file, and
implements all the currently supported mongoc_ssl_opt_t options.
The certificates are never imported or loaded into the keychain.
They are simply read on-demand and transformed into Secure Transport
supported format using SecItemImport.

Note that the configured certificates are expected to be available
and valid during the lifetime of the session. This is consistent
with the OpenSSL implementation and expectations.

  • Certificate Authority checks:
    If mongoc_ssl_opt_t.ca_file is provided the server certificate
    MUST be issued by that Certificate Authority. When no .ca_file
    is provided, we'll verify the server certificate against the
    default (and additionally currently open) keychains. This makes
    it unnecessary to provide the .ca_file for commercially bought
    certificates, while at the same time - if you do want to
    guarantee that the certificate is only issued by that specific
    CA you can do so.
  • Providing client certificates:
    mongoc_ssl_opt_t.pem_file can be configured to point at a client
    PEM file, containing both the private key and public key
    certificates. Optionally, mongoc_ssl_opt_t.pem_pwd can be
    configured with the passphrase if the private key is passphrase
    protected.

Comment by Githook User [ 16/Feb/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Improve file reading
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/570b7b64fbd8b55baea4336f5dbf9256cd850ffa

Comment by Githook User [ 16/Feb/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Extract the Certificate Subject of the provided PEM
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/87507e131ed6de979905eea6d0b9f98c49b904b8

Comment by Githook User [ 16/Feb/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: TLS skeleton for Secure Transport
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/59f7ce02f9543560efd356cd2d69f9c9b2610c99

Comment by Githook User [ 12/Feb/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-520: Add --enable-secure-transport for Darwin Native TLS
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/b7e920eee710e87d1fab871feaa642db80484674

Comment by Githook User [ 14/Jun/15 ]

Author: A. Jesse Jiryu Davis (ajdavis) <jesse@mongodb.com>

Message: silence openssl deprecations with autotools

Until CDRIVER-520.
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/a20383033f2803e23f203c6fe7f569bff475dd2f

Comment by Githook User [ 02/Jun/15 ]

Author: A. Jesse Jiryu Davis (ajdavis) <jesse@mongodb.com>

Message: CDRIVER-520 silence openssl deprecations for now

clang on Mac writes distracting warnings
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/40b35686460fcc6c51f2044976924c81f524d1ad

Comment by A. Jesse Jiryu Davis [ 31/May/15 ]

Sorry for the lack of progress on this, other issues have taken priority. This is scheduled for the 1.3 release this fall.

Comment by Jerome Lebel [ 07/Apr/15 ]

Any update on this issue?

Generated at Wed Feb 07 21:09:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.