[CDRIVER-935] mongoc_client_set_ssl_opts should require SSL
Created: 14/Oct/15  Updated: 08/May/17  Resolved: 18/Nov/15

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: 1.2.0
Fix Version/s: 1.2.1, 1.3.0-rc0

Type: Improvement
Priority: Major - P3
Reporter: A. Jesse Jiryu Davis
Assignee: A. Jesse Jiryu Davis
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by CDRIVER-933 mongoc_ssl_opt_get_default changed in... Closed
Related
related to CDRIVER-970 Prohibit creating client or pool with... Closed
is related to CDRIVER-2153 mongoc_client_pool_t cannot connect t... Closed

 Description   

A behavior change, but worth it: right now, including "ssl=true" in the URI means the driver connects to the server with SSL. Calling mongoc_client_set_ssl_opts without "ssl=true" does not; the driver still uses a plain-text connection.

Calling mongoc_client_set_ssl_opts should imply "ssl=true".

Already fixed in 1.2 for single-threaded clients, since mongoc_client_set_ssl_opts calls mongoc_topology_scanner_set_ssl_opts. Thus all scanner-node streams are SSL, and the client shares its streams with the scanner nodes.

Not yet fixed for pooled clients, however. In fact, a pooled client on which you call mongoc_client_set_ssl_opts but don't include "ssl=true" won't work because (I expect) it will use SSL for scanner-node connections on its scanner thread, but plain-text connections for the clients.

To complete this ticket, fix pooled client behavior when "ssl=true" is omitted but mongoc_client_set_ssl_opts is called.



 Comments   
Comment by A. Jesse Jiryu Davis [ 18/Nov/15 ]

Merged into "master" from 1.2 branch.

Comment by Githook User [ 04/Nov/15 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: Merge branch 'r1.2'

Comment by Githook User [ 04/Nov/15 ]

Author: A. Jesse Jiryu Davis (ajdavis) <jesse@mongodb.com>

Message: CDRIVER-935 pooled clients require SSL if opts set

In 1.1.x, all clients (pooled and single-threaded) required an SSL
connection to the server only if "ssl=true" was in the URI. In 1.2.0
this changed unintentionally (but beneficially) for single-threaded
clients: setting a single-threaded client's SSL options put the client
in SSL mode, even if "ssl=true" is omitted from the URI.

Pooled clients, however, stopped working entirely if the options are
set but "ssl=true" is omitted. This patch fixes pooled clients and
tests the new behavior for both.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/6860079b0e9cdbe21eeb8f83182e2c504c652077

Comment by A. Jesse Jiryu Davis [ 30/Oct/15 ]

This patch is now waiting to be merged into 1.3.

Comment by A. Jesse Jiryu Davis [ 29/Oct/15 ]

Fixed in 1.2.1.

Comment by Githook User [ 29/Oct/15 ]

Author: A. Jesse Jiryu Davis (ajdavis) <jesse@mongodb.com>

Message: CDRIVER-935 pooled clients require SSL if opts set

In 1.1.x, all clients (pooled and single-threaded) required an SSL
connection to the server only if "ssl=true" was in the URI. In 1.2.0
this changed unintentionally (but beneficially) for single-threaded
clients: setting a single-threaded client's SSL options put the client
in SSL mode, even if "ssl=true" is omitted from the URI.

Pooled clients, however, stopped working entirely if the options are
set but "ssl=true" is omitted. This patch fixes pooled clients and
tests the new behavior for both.
Branch: r1.2
https://github.com/mongodb/mongo-c-driver/commit/6860079b0e9cdbe21eeb8f83182e2c504c652077

Comment by A. Jesse Jiryu Davis [ 15/Oct/15 ]

Update mongoc_client_default_stream_initiator:

https://github.com/ajdavis/mongo-c-driver/blob/5e4fa5ced838276fcbf0f49469d970455b2c68d6/src/mongoc/mongoc-client.c#L320-L320
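
The behaviour the description and the commit message give for each driver line, modelled as an added example (not code from libmongoc or from this ticket) so that a configuration can be checked for silently falling back to plain text. All type and function names are hypothetical and the URI is constructed; the parser assumes option names are case-insensitive and that the last ssl= option wins.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this added example; none of this is libmongoc API. */
typedef enum { DRV_1_1_X, DRV_1_2_0, DRV_1_2_1_PLUS } driver_t;
typedef enum { T_PLAINTEXT, T_SSL, T_BROKEN } transport_t;

/* Case-insensitive match of one URI option (s, len) against a lowercase literal. */
static bool opt_is(const char *s, size_t len, const char *lit)
{
    size_t i = 0;
    while (i < len && lit[i] && tolower((unsigned char)s[i]) == lit[i]) i++;
    return i == len && lit[i] == '\0';
}

/* True if the query string sets ssl=true. Simplification: last ssl= option wins. */
bool uri_requests_ssl(const char *uri)
{
    const char *q = strchr(uri, '?');
    bool ssl = false;
    if (!q) return false;
    for (q++; *q; q += (*q != '\0')) {       /* step over the '&' or ';' separator */
        size_t len = strcspn(q, "&;");
        if (opt_is(q, len, "ssl=true")) ssl = true;
        else if (opt_is(q, len, "ssl=false")) ssl = false;
        q += len;
    }
    return ssl;
}

/* Transport the ticket describes for each driver line and client type. */
transport_t effective_transport(const char *uri, bool ssl_opts_set, driver_t drv, bool pooled)
{
    if (uri_requests_ssl(uri)) return T_SSL;          /* ssl=true means SSL */
    if (!ssl_opts_set) return T_PLAINTEXT;            /* nothing asked for SSL */
    if (drv == DRV_1_1_X) return T_PLAINTEXT;         /* options alone are not enough */
    if (drv == DRV_1_2_0 && pooled) return T_BROKEN;  /* pooled clients stop working */
    return T_SSL;                                     /* 1.2.0 single-threaded, 1.2.1+ */
}

int main(void)
{
    static const char *names[] = { "plaintext", "SSL", "broken" };
    const char *uri = "mongodb://db.example.com/?w=1"; /* constructed, no ssl=true */
    for (int d = DRV_1_1_X; d <= DRV_1_2_1_PLUS; d++)  /* pooled client, opts set */
        puts(names[effective_transport(uri, true, (driver_t)d, true)]);
    return 0;
}
```

A deployment check that treats any result other than SSL as a failure whenever SSL options are set catches both the 1.1.x plain-text case and the 1.2.0 pooled-client case.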

Generated at Wed Feb 07 21:11:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.