[CDRIVER-744] Add support for native TLS on Windows (Secure Channel) Created: 15/Jul/15  Updated: 10/Aug/16  Resolved: 27/May/16

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: None
Fix Version/s: 1.4.0

Type: New Feature Priority: Major - P3
Reporter: Bernie Hackett Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-1107 Windows + Secure Channel Build varian... Closed
is related to CDRIVER-737 SCRAM-SHA-1 should not depend on openssl Closed
Epic Link: Native TLS and SCRAM-SHA-1

Description

Similar to CDRIVER-520. This would make building on Windows a lot easier for us and our users.

mark.benvenuto has an implementation here:
https://github.com/markbenvenuto/mongo-c-driver/commit/ec6502f9f7c6e4eb72dd32affba6666fb2d8432d

Note that this change implements both TLS and SCRAM-SHA-1.

Comments
Comment by Hannes Magnusson [ 27/May/16 ]

To enable Secure Channel (NativeTLS on Windows):

cmake -G "Visual Studio 14 2015 Win64" -DENABLE_SSL=WINDOWS

The default value is still OpenSSL in mongoc 1.4.0.

This implementation is fully compatible with the existing mongoc_ssl_opt_t options
(e.g. mongoc_ssl_opt_t.[pem_file|ca_file|crl_file]), with the exception of ca_dir and pem_pwd (e.g. OpenSSL hash directory containing CA certificates, and password protected private keys).

By default, enabling NativeTLS on Windows will look up certificates in the Windows Certificate Store, unless otherwise configured by the mongoc_ssl_opt_t.
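
As an added illustration of the compatibility caveat above (this is example code, not part of the ticket or the driver): the fields the comment names map onto mongoc_ssl_opt_t, and two of them, ca_dir and pem_pwd, are not honoured by the Secure Channel backend. A configuration ported from an OpenSSL build that relies on a hashed CA directory or a password-protected key would therefore be silently degraded, with trust falling back to the Windows certificate store. The preflight below mirrors the field names in a stand-in struct (an assumption made so the snippet compiles without libmongoc) and refuses such a configuration before it would be handed to mongoc_client_set_ssl_opts; the sample options are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for mongoc_ssl_opt_t with the field names the ticket lists.
 * Constructed for this example; the real type lives in libmongoc and the
 * same checks apply to it field for field. */
typedef struct {
   const char *pem_file;
   const char *pem_pwd;
   const char *ca_file;
   const char *ca_dir;
   const char *crl_file;
   int weak_cert_validation;
} tls_opts_t;

/* Options the Secure Channel backend (ENABLE_SSL=WINDOWS) does not honour. */
enum {
   UNSUPPORTED_NONE    = 0,
   UNSUPPORTED_CA_DIR  = 1 << 0,
   UNSUPPORTED_PEM_PWD = 1 << 1
};

static int is_set (const char *s)
{
   return s != NULL && *s != '\0';
}

/* Bitmask of options that would be silently ignored under Secure Channel.
 * Non-zero means the caller's intent (hashed CA directory, encrypted key)
 * cannot be satisfied by this backend. */
int secure_channel_unsupported (const tls_opts_t *o)
{
   int mask = UNSUPPORTED_NONE;
   if (is_set (o->ca_dir))  mask |= UNSUPPORTED_CA_DIR;
   if (is_set (o->pem_pwd)) mask |= UNSUPPORTED_PEM_PWD;
   return mask;
}

/* Per the ticket, trust comes from the Windows certificate store unless a
 * ca_file is configured. */
int uses_windows_cert_store (const tls_opts_t *o)
{
   return !is_set (o->ca_file);
}

static void append (char *buf, size_t buflen, size_t *n, const char *msg)
{
   int w;
   if (*n >= buflen) return;
   w = snprintf (buf + *n, buflen - *n, "%s", msg);
   if (w > 0) *n += (size_t) w;
}

/* Writes a short report into buf; returns 1 if any option would be
 * ignored (caller should refuse to proceed), 0 if fully honoured. */
int preflight_secure_channel (const tls_opts_t *o, char *buf, size_t buflen)
{
   int mask = secure_channel_unsupported (o);
   size_t n = 0;
   buf[0] = '\0';
   if (mask & UNSUPPORTED_CA_DIR)
      append (buf, buflen, &n, "ca_dir ignored by Secure Channel; use ca_file or the Windows store. ");
   if (mask & UNSUPPORTED_PEM_PWD)
      append (buf, buflen, &n, "pem_pwd ignored by Secure Channel; pem_file must hold an unencrypted key. ");
   append (buf, buflen, &n, uses_windows_cert_store (o)
                               ? "Trust anchors: Windows certificate store."
                               : "Trust anchors: ca_file.");
   return mask != 0;
}

int main (void)
{
   char report[256];
   /* Constructed: an OpenSSL-style configuration carried over unchanged. */
   tls_opts_t opts = { "client.pem", "secret", NULL, "C:\\certs\\hashed", NULL, 0 };
   int refuse = preflight_secure_channel (&opts, report, sizeof report);
   printf ("%s: %s\n", refuse ? "REFUSE" : "OK", report);
   return refuse;
}
```

The check is deliberately loud: a TLS option that is accepted but not applied is the kind of misconfiguration that only shows up as a connection that succeeds for the wrong reason, so failing closed at startup is preferable to discovering it during an audit.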

Comment by Githook User [ 27/May/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Run the dedicated SSL tests on Windows
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/251f62eff0921de13b44790383e522ed9ecd0261

Comment by Githook User [ 27/May/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Remove unused variables, and fix missing format character
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/bfee60f4dfea262a5e86aa10d00ccc8d4f513bd8

Comment by Githook User [ 27/May/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Add support for ssl_opts.crl_file and ssl_opts.pem_file
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/2128e4579406cee17b0081e445f90b09bcfbc831

Comment by Hannes Magnusson [ 18/May/16 ]

Remaining tasks:

  • Support ssl_opts.crl_file
  • Support ssl_opts.pem_file (currently only supported through the hardcoded subject name "client" in the certificate store)

Comment by Githook User [ 18/May/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Import ca_file into the CA Certificate Store
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/e1669db76d06a9ba55bc649314763332316cb2d7

Comment by Githook User [ 18/May/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Secure Channel Support
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/b163c93ea2278587fbabf08c8f656ba644758e39

Comment by Githook User [ 04/Apr/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Native SCRAM-SHA-1 authentication on Windows

Enable with cmake -DENABLE_SSL=WINDOWS.
The default is still to build against OpenSSL, if available.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/00dd9a4d27e69c2da5c2c8d686b7ce248c2fc279

Comment by Githook User [ 04/Apr/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-744: Initial skeleton
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/e73c3c25d806e8fe3a042b79ec7bd8f0faa6521b

Comment by Mark Benvenuto [ 15/Jul/15 ]

Here is the status of the work:

  1. Supports Windows Vista/2008 & later
  2. SCRAM (HMAC & SHA1) are implemented
  3. Secure Random number generator is implemented
  4. SSL/TLS is implemented

TODO

  1. Add support for SSL session renegotiation
  2. Settle on the right interface for mongoc_ssl_opt_t, since the Windows SSL stack uses a different mechanism for propagating certificate information than OpenSSL. I believe you should remove pem_file and other members when compiling in the native Windows SSL mode.

Comment by Bernie Hackett [ 15/Jul/15 ]

mark.benvenuto, can you add some notes about the state of your implementation (how complete it is, what versions of Windows it supports, etc.)?

Generated at Wed Feb 07 21:10:29 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.