[CDRIVER-737] SCRAM-SHA-1 should not depend on openssl

Created: 08/Jul/15
Updated: 13/Apr/16
Resolved: 13/Apr/16

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: None
Fix Version/s: 1.4.0

Type: Improvement
Priority: Major - P3
Reporter: Hannes Magnusson
Assignee: Hannes Magnusson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-520 Add support for native TLS on OSX (Se... Closed
related to CDRIVER-744 Add support for native TLS on Windows... Closed
Epic Link: Native TLS and SCRAM-SHA-1

 Description   

May be required in 1.2 to support Phongo.

Currently authenticating using the MongoDB default SCRAM-SHA-1 authentication mechanism requires compiling the driver against OpenSSL using '--enable-ssl'.

This means, if you don't compile with --enable-ssl you will not be able to log in to recent MongoDB versions, and will fail with:

The authentication mechanism "SCRAM-SHA-1" is not supported.

(which I was sure was coming from the server sigh).

See: https://github.com/mongodb/mongo-c-driver/blob/f35fa646779f79c616f04d2323e695d20be8f6a1/src/mongoc/mongoc-cluster.c#L1001-L1018

I think the docs need to be updated to mention that building against OpenSSL is required for authentication as-is, and in the future we should probably vendor in things we need to not rely on OpenSSL.

This also causes a lot of test failures all over the place :]



 Comments   
Comment by Hannes Magnusson [ 13/Apr/16 ]

mongoc 1.4.0 supports native crypto libraries on Windows and OSX.
On *nix it requires libcrypto.

Comment by Bernie Hackett [ 15/Jul/15 ]

Perhaps the way forward would be to just always build support for TLS? That would require native TLS support on OSX (CDRIVER-520) and Windows (CDRIVER-744). The patches related to those two tickets implement both TLS and SCRAM-SHA-1 using OS native crypto APIs.

Comment by Githook User [ 14/Jul/15 ]

Author: Hannes Magnusson (username: bjori, email: bjori@php.net)

Message: CDRIVER-737: Improve SCRAM-SHA-1 failure message
Branch: 1.2.0-dev
https://github.com/mongodb/mongo-c-driver/commit/365c53feafb15b1adc7f0b511d87f4069cd201a2

Comment by A. Jesse Jiryu Davis [ 08/Jul/15 ]

Thanks for figuring this out!

I propose we update the error message and docs in 1.2 to say clearly that the problem is, you can't auth against MongoDB 3.0+ if not configured with --enable-ssl.

If this seems to be a problem for people we can vendor in the algorithms (HMAC and SHA-1?) required to do SCRAM-SHA-1 without OpenSSL. Let's see how this interacts with plans to support native TLS implementations on Mac and Windows. If those libraries provide HMAC and SHA-1 implementations, then we can rely on the native TLS library to help support SCRAM-SHA-1 everywhere, without being much burden on users.

If they do not provide HMAC and SHA-1, that's an additional argument for shipping our own implementation of those algorithms.
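An added illustration, not part of the ticket thread and not libmongoc code: the generic SCRAM-SHA-1 client computation from RFC 5802, written so that the only cryptographic primitives it calls are SHA-1 and HMAC-SHA-1, which is the dependency the comments above discuss. The function names are hypothetical, the sample exchange is the RFC 5802 example (user "user", password "pencil"), and the password is assumed to be ASCII so no SASLprep step is shown.

```python
import base64
import hashlib
import hmac

def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hi(password, salt, iterations):
    # RFC 5802 Hi(): PBKDF2 with HMAC-SHA-1, one 20-byte output block.
    u = result = hmac_sha1(password, salt + b"\x00\x00\x00\x01")
    for _ in range(iterations - 1):
        u = hmac_sha1(password, u)
        result = xor(result, u)
    return result

def parse(msg):
    # "k=v,k=v" attribute list; base64 values may themselves contain "=".
    return dict(field.split("=", 1) for field in msg.split(","))

def scram_sha1_proofs(password, client_first_bare, server_first):
    """Return (client proof, expected server signature), both base64."""
    client, server = parse(client_first_bare), parse(server_first)
    # The server nonce must extend the nonce this client sent.
    if not server["r"].startswith(client["r"]) or server["r"] == client["r"]:
        raise ValueError("server nonce does not extend the client nonce")
    client_final_no_proof = "c=biws,r=" + server["r"]  # biws = base64("n,,")
    auth_message = ",".join(
        (client_first_bare, server_first, client_final_no_proof)).encode()
    salted = hi(password.encode(), base64.b64decode(server["s"]), int(server["i"]))
    client_key = hmac_sha1(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    proof = xor(client_key, hmac_sha1(stored_key, auth_message))
    server_sig = hmac_sha1(hmac_sha1(salted, b"Server Key"), auth_message)
    return base64.b64encode(proof).decode(), base64.b64encode(server_sig).decode()

def server_signature_ok(expected_b64, server_final):
    # Constant-time check of the "v=" value in the server-final message.
    return hmac.compare_digest(expected_b64, parse(server_final).get("v", ""))

# Sample exchange taken from the RFC 5802 example, not from a MongoDB session.
RFC_CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
RFC_SERVER_FIRST = ("r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,"
                    "s=QSXCR+Q6sek8bf92,i=4096")
RFC_SERVER_FINAL = "v=rmF9pqV8S7suAoZWja4dJRkFsKQ="
```

Checking the server signature in the final step is what authenticates the server to the client, so a vendored implementation needs that path as well as the client proof.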

Generated at Wed Feb 07 21:10:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.