C Driver: CDRIVER-4219

AWS KMS SSL connection is not configurable

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Blocker - P1
    • Affects Version/s: None
    • Component/s: libmongoc

      When attempting to use client-side field level encryption by means of an AWS KMS, I run into the error: 
      TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

      The Enterprise MongoDB server I am connecting to is version 5.0.3 and does not require an SSL configuration in the connection. 

      I have tracked my error down to an inability to set the CA file for the SSL connection to the AWS KMS. In the file "mongo-c-driver-1.19.0/src/libmongoc/src/mongoc/mongoc-crypt.c" there is a _get_stream function whose variable ssl_opts of the type mongoc_ssl_opt_t is filled in with NULL values through the function mongoc_ssl_opt_get_default. I was able to resolve my issue and load and unload encrypted fields successfully by compiling a version of the C driver in which I used _mongoc_getenv to pass in a string that I assigned to the ca_file value of ssl_opts. 

      If there is a manner of configuring this SSL connection, I have not found the documentation for it nor a code path that assigns values given by the user. 


            Assignee:
            kevin.albertson@mongodb.com Kevin Albertson
            Reporter:
            mpiazza@abinitio.com Matthew Piazza