Project: C Driver
Issue: CDRIVER-520

Add support for native TLS on OSX (Secure Transport)

    • Type: New Feature
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 1.4.0
    • Affects Version/s: 1.1.0
    • Component/s: libmongoc, tls
    • Labels: None

      To enable: ./configure --enable-ssl=darwin

      Note that by default --enable-ssl still prefers OpenSSL, if available. This is for backwards-compatibility reasons, to preserve existing expectations.

      This implementation uses the OpenSSL traditional PEM file, and
      implements most of the currently supported mongoc_ssl_opt_t options.
      The certificates are never imported or loaded into the keychain.
      They are simply read on-demand and transformed into Secure Transport
      supported format using SecItemImport.

      Note that the configured certificates are expected to be available
      and valid during the lifetime of the session. This is consistent
      with the OpenSSL implementation and expectations.

      Certificate Authority checks:
      If mongoc_ssl_opt_t.ca_file is provided the server certificate
      MUST be issued by that Certificate Authority. When no .ca_file
      is provided, we'll verify the server certificate against the
      default (and additionally currently open) keychains. This makes
      it unnecessary to provide the .ca_file for commercially bought
      certificates, while at the same time - if you do want to
      guarantee that the certificate is only issued by that specific
      CA you can do so.

      Providing client certificates:
      mongoc_ssl_opt_t.pem_file can be configured to point at a client
      PEM file, containing both the private key and public key
      certificates. Optionally, mongoc_ssl_opt_t.pem_pwd can be
      configured with the passphrase if the private key is passphrase
      protected.

      X.509 Authentication username extraction:
      As with the OpenSSL implementation, the RFC2253 formatted
      certificate subject name is extracted from the certificate.
      This makes providing the username for X.509 authentication
      optional.

      Notable differences to OpenSSL:
      mongoc_ssl_opt_t.ca_dir will ERROR if set.
      mongoc_ssl_opt_t.crl_file will ERROR if set.

      There is no such concept as ca_dir in Darwin Secure Transport. The closest would be which keychain to use.
      All certificate evaluations are configured by your trust settings. Revoking a certificate must be done through the keychain.

      — Original ticket

      We offer TLS support on OSX via openssl, but it'd be a better fit to offer native support through the OS.

      It looks like some work has already been done, albeit on a fork that can't easily be PR'd anymore. See if that's a good base to work from:

      https://github.com/jeromelebel/mongo-c-driver/blob/master/src/mongoc/mongoc-stream-apple-tls.c

      The work to take this over the line would be to port that stream implementation and whatever ifdefs he added in stream initiation in mongoc_client_new

      Assignee: Hannes Magnusson (bjori)
      Reporter: Mira Carey (mira.carey@mongodb.com)
      Votes: 0
      Watchers: 6