[CDRIVER-737] SCRAM-SHA-1 should not depend on openssl Created: 08/Jul/15 Updated: 13/Apr/16 Resolved: 13/Apr/16

| Status: | Closed |
| Project: | C Driver |
| Component/s: | libmongoc, tls |
| Affects Version/s: | None |
| Fix Version/s: | 1.4.0 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Hannes Magnusson |
| Assignee: | Hannes Magnusson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Epic Link: | Native TLS and SCRAM-SHA-1 |
Description

May be required in 1.2 to support Phongo. Currently authenticating using the MongoDB default SCRAM-SHA-1 authentication mechanism requires compiling the driver against OpenSSL using '--enable-ssl'. This means, if you don't compile with --enable-ssl, you will not be able to log in to recent MongoDB versions, and will fail with:
(which I was sure was coming from the server, sigh). I think the docs need to be updated to mention that building against OpenSSL is required for authentication as-is, and in the future we should probably vendor in the things we need to not rely on OpenSSL. This also causes a lot of test failures all over the place :]
Comments

Comment by Hannes Magnusson [ 13/Apr/16 ]

mongoc 1.4.0 supports native crypto libraries on Windows and OSX.
Comment by Bernie Hackett [ 15/Jul/15 ]

Perhaps the way forward would be to just always build support for TLS? That would require native TLS support on OSX (
Comment by Githook User [ 14/Jul/15 ]

Author: {u'username': u'bjori', u'name': u'Hannes Magnusson', u'email': u'bjori@php.net'}
Message:
Comment by A. Jesse Jiryu Davis [ 08/Jul/15 ]

Thanks for figuring this out! I propose we update the error message and docs in 1.2 to say clearly that the problem is, you can't auth against MongoDB 3.0+ if not configured with --enable-ssl. If this seems to be a problem for people we can vendor in the algorithms (HMAC and SHA-1?) required to do SCRAM-SHA-1 without OpenSSL. Let's see how this interacts with plans to support native TLS implementations on Mac and Windows. If those libraries provide HMAC and SHA-1 implementations, then we can rely on the native TLS library to help support SCRAM-SHA-1 everywhere, without being much burden on users. If they do not provide HMAC and SHA-1, that's an additional argument for shipping our own implementation of those algorithms.