<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-933] mongoc_ssl_opt_get_default changed in 1.2.0</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-933</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;Is it intended that `mongoc_ssl_opt_get_default()` will now enforce SSL and disconnect otherwise?&lt;/p&gt;

&lt;p&gt;To reproduce, use &lt;a href=&quot;http://api.mongodb.org/c/current/tutorial.html#connecting&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;connect.c&lt;/a&gt;&lt;br/&gt;
 from the tutorial and add:&lt;/p&gt;

&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;mongoc_client_set_ssl_opts(client, mongoc_ssl_opt_get_default());&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;It will no longer connect to non-ssl servers. This was not the case in 1.1&lt;/p&gt;</description>
                <environment></environment>
        <key id="234309">CDRIVER-933</key>
            <summary>mongoc_ssl_opt_get_default changed in 1.2.0</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="jesse@mongodb.com">A. Jesse Jiryu Davis</assignee>
                                    <reporter username="Jeroenooms">Jeroen Ooms [X]</reporter>
                        <labels>
                    </labels>
                <created>Wed, 14 Oct 2015 14:46:30 +0000</created>
                <updated>Mon, 8 May 2017 16:55:12 +0000</updated>
                            <resolved>Thu, 29 Oct 2015 18:53:22 +0000</resolved>
                                    <version>1.2-rc0</version>
                                    <fixVersion>1.2.1</fixVersion>
                                    <component>libmongoc</component>
                    <component>tls</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="1079595" author="xgen-internal-githook" created="Wed, 4 Nov 2015 18:46:34 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;bjori&apos;, u&apos;name&apos;: u&apos;Hannes Magnusson&apos;, u&apos;email&apos;: u&apos;bjori@php.net&apos;}
&lt;p&gt;Message: Merge branch &apos;r1.2&apos;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;r1.2:&lt;br/&gt;
  post-release bump&lt;br/&gt;
  1.2.1 release&lt;br/&gt;
  update mallard2man.py from libbson&lt;br/&gt;
  &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-882&quot; title=&quot;Aggregate install instructions&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-882&quot;&gt;&lt;del&gt;CDRIVER-882&lt;/del&gt;&lt;/a&gt; rearrange install guide&lt;br/&gt;
  remove link to legacy branch from README&lt;br/&gt;
  &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-933&quot; title=&quot;mongoc_ssl_opt_get_default changed in 1.2.0&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-933&quot;&gt;&lt;del&gt;CDRIVER-933&lt;/del&gt;&lt;/a&gt; note change in ssl opts behavior&lt;br/&gt;
  &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-935&quot; title=&quot;mongoc_client_set_ssl_opts should require SSL&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-935&quot;&gt;&lt;del&gt;CDRIVER-935&lt;/del&gt;&lt;/a&gt; pooled clients require SSL if opts set&lt;br/&gt;
  print mongod command line opts before test&lt;br/&gt;
  evergreen on windows tests the wrong mongo version&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/47767cdee6b43522c8d666e8194239abd4558e3e&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/47767cdee6b43522c8d666e8194239abd4558e3e&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="1079589" author="xgen-internal-githook" created="Wed, 4 Nov 2015 18:46:28 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-933&quot; title=&quot;mongoc_ssl_opt_get_default changed in 1.2.0&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-933&quot;&gt;&lt;del&gt;CDRIVER-933&lt;/del&gt;&lt;/a&gt; note change in ssl opts behavior&lt;/p&gt;

&lt;p&gt;Beginning in version 1.2, once a pool or client has any SSL options&lt;br/&gt;
set, all connections use SSL, even if &quot;ssl=true&quot; is omitted from the&lt;br/&gt;
MongoDB URI. Before, SSL options were ignored unless &quot;ssl=true&quot; was&lt;br/&gt;
included in the URI.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/5ecd693063cbee78fcc9029366207d6354c849a7&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/5ecd693063cbee78fcc9029366207d6354c849a7&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1074479" author="xgen-internal-githook" created="Thu, 29 Oct 2015 18:54:26 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;username&apos;: u&apos;ajdavis&apos;, u&apos;name&apos;: u&apos;A. Jesse Jiryu Davis&apos;, u&apos;email&apos;: u&apos;jesse@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-933&quot; title=&quot;mongoc_ssl_opt_get_default changed in 1.2.0&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-933&quot;&gt;&lt;del&gt;CDRIVER-933&lt;/del&gt;&lt;/a&gt; note change in ssl opts behavior&lt;/p&gt;

&lt;p&gt;Beginning in version 1.2, once a pool or client has any SSL options&lt;br/&gt;
set, all connections use SSL, even if &quot;ssl=true&quot; is omitted from the&lt;br/&gt;
MongoDB URI. Before, SSL options were ignored unless &quot;ssl=true&quot; was&lt;br/&gt;
included in the URI.&lt;br/&gt;
Branch: r1.2&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/commit/5ecd693063cbee78fcc9029366207d6354c849a7&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-c-driver/commit/5ecd693063cbee78fcc9029366207d6354c849a7&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1069190" author="bjori" created="Fri, 23 Oct 2015 17:58:35 +0000"  >&lt;p&gt;Yeah I absolutely see the value in what you are proposing.&lt;/p&gt;

&lt;p&gt;For now, our stance is to err on the side of security in ambiguous situations like setting ssl_opts but forgetting to set &quot;?ssl=true&quot; in the connection string.&lt;br/&gt;
It is too easy for users to accidentally miss adding that &quot;?ssl=true&quot; option, and since setting the ssl_opts() didn&apos;t issue any warning about the connection not being SSL, they might never be any the wiser, as everything appears to be working just fine.&lt;/p&gt;

&lt;p&gt;We should think about doing something like &quot;mongoc_ssl_set_default_opts ()&quot; which would be used by default when ?ssl=true is provided. I think such a name makes it clearer that the meaning is &quot;if ssl opts are needed, use these&quot; rather than the current &quot;use these ssl_opts for this mongoc_client&quot;, as mongoc_client_set_ssl_opts() implies.&lt;/p&gt;</comment>
                            <comment id="1068830" author="jeroenooms" created="Fri, 23 Oct 2015 11:06:13 +0000"  >&lt;p&gt;OK, I took your advice, so that solves the problem for me. You can close the issue if you&apos;d like.&lt;/p&gt;

&lt;p&gt;However I am still not 100% convinced it is irrational to set general options on a client handle (cert store, etc), even if you are unsure if the user is actually going to connect to an ssl server. In libcurl we always first set the options on the client handle which the user can use for connecting to one or more http and/or https servers.&lt;/p&gt;

&lt;p&gt;Suppose that at some point you want to add a feature which allows certain SSL options to be set at runtime via an environment variable. This is quite nice because it requires no effort from the driver implementations to expose bindings for each option. For example libcurl will pick up the CURL_CA_BUNDLE variable, regardless of which language you are using. &lt;/p&gt;

&lt;p&gt;However with your current logic such a feature would be annoying because mongoc would limit itself to only ssl connections if such an environment variable happens to be set in the process, which is probably not what we want.&lt;/p&gt;
</comment>
                            <comment id="1061819" author="bjori" created="Thu, 15 Oct 2015 17:12:11 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=Jeroenooms&quot; class=&quot;user-hover&quot; rel=&quot;Jeroenooms&quot;&gt;Jeroenooms&lt;/a&gt; But you actually &lt;em&gt;set&lt;/em&gt; the ssl_opts on the &lt;em&gt;client&lt;/em&gt; you are using.&lt;/p&gt;

&lt;p&gt;It&apos;s not only a global context you can apply to a client, but you actually do assign it to the client with mongoc_client_set_ssl_opts().&lt;/p&gt;

&lt;p&gt;I would recommend you instead do:&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: #006699; font-weight: bold; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;if&lt;/span&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt; (mongoc_uri_get_ssl (mongoc_client_get_uri(client))) {&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;    mongoc_client_set_ssl_opts (....);&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;}&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;rather than unconditionally applying the ssl_opts to the client.&lt;/p&gt;

&lt;p&gt;This becomes a bit clunky when you are doing connection pooling though, as an individual client could oddly enough be (re)constructed with whatever settings are later set, due to the fact that it&apos;s not immutable &amp;#8211; and therefore has no mongoc_client_pool_get_uri (). But this is how I would recommend achieving this effect.&lt;/p&gt;</comment>
                            <comment id="1061326" author="jeroenooms" created="Thu, 15 Oct 2015 11:20:37 +0000"  >&lt;p&gt;FWIW, my expectation as a developer was that this would work similar to a http client, with &lt;b&gt;mongoc_client_set_ssl_opts&lt;/b&gt; defining global system options such as the location of the cert store. I was under the impression that only the URL controls whether SSL is used for a given server or not. Just like a browser or libcurl support both &lt;b&gt;http&lt;/b&gt; and &lt;b&gt;https&lt;/b&gt; urls, even though ssl has been configured.&lt;/p&gt;

&lt;p&gt;I think it is unexpected that configuring global SSL options would actually limit the client to SSL servers.&lt;/p&gt;

&lt;p&gt;What I am trying to design is a client that has proper SSL support, and which will support both SSL and non-SSL connections. Just like browser with SSL support will let the user enter both http and https urls.&lt;/p&gt;</comment>
                            <comment id="1060812" author="jesse" created="Wed, 14 Oct 2015 20:17:08 +0000"  >&lt;p&gt;To complete this ticket, first do &lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-935&quot; title=&quot;mongoc_client_set_ssl_opts should require SSL&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-935&quot;&gt;&lt;del&gt;CDRIVER-935&lt;/del&gt;&lt;/a&gt;, then update the changelog, examples, tutorial, and all SSL docs to clarify new behavior of mongoc_client_set_ssl_opts.&lt;/p&gt;</comment>
                            <comment id="1060787" author="jesse" created="Wed, 14 Oct 2015 19:48:26 +0000"  >&lt;p&gt;That&apos;s not quite the bug; in 1.1 (and all prior versions with any SSL support) if &quot;ssl=true&quot; is not in the client&apos;s URI then it &lt;b&gt;requires&lt;/b&gt; a plain-text connection, regardless of whether you call mongoc_client_set_ssl_opts:&lt;/p&gt;

&lt;div class=&apos;table-wrap&apos;&gt;
&lt;table class=&apos;confluenceTable&apos;&gt;&lt;tbody&gt;
&lt;tr&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;&quot;ssl=true&quot;&lt;/th&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;mongoc_client_set_ssl_opts&lt;/th&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;1.1.11&lt;/th&gt;
&lt;th class=&apos;confluenceTh&apos;&gt;1.2&lt;/th&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires plain-text connection&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires plain-text connection&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;&lt;b&gt;requires plain-text connection&lt;/b&gt;&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires SSL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;no&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires SSL&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires SSL&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;yes&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires SSL&lt;/td&gt;
&lt;td class=&apos;confluenceTd&apos;&gt;requires SSL&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;
&lt;/div&gt;
</comment>
                            <comment id="1060449" author="bjori" created="Wed, 14 Oct 2015 15:58:49 +0000"  >&lt;p&gt;Interesting. On one hand you are supposed to provide &quot;ssl=true&quot; in the connection string to enable SSL.&lt;br/&gt;
Setting ssl options is a weird thing to do without actually enabling ssl. Setting them should implicitly enable SSL (as it does in 1.1 and 1.2).&lt;/p&gt;


&lt;p&gt;Once SSL is enabled, then SSL is enabled. We will not allow you to think you are connecting to a SSL enabled server, when in fact it isn&apos;t.&lt;/p&gt;

&lt;p&gt;I have reproduced this like you mentioned in 1.1 and that is a severe bug that has now been fixed in 1.2.&lt;/p&gt;

&lt;p&gt;There is a compiler error in the connect.c example you linked, so we will fix that - but we won&apos;t be changing the meaning of setting SSL options to &quot;maybe, if it&apos;s cool with you, server, let&apos;s chat SSL - otherwise, you know, I&apos;m fine with clear text&quot;.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                        <issuelink>
            <issuekey id="234379">CDRIVER-935</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="170775">CDRIVER-467</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="381675">CDRIVER-2153</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsdoxb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="760">C Driver 2015Q2 sprint 9</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>