- Type: New Feature
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 1.1.0
-
None
To enable: ./configure --enable-ssl=darwin
Note that by default --enable-ssl still prefers OpenSSL, if available. This is for backwards compatibility with existing expectations.
This implementation uses the OpenSSL traditional PEM file and implements most of the currently supported mongoc_ssl_opt_t options. The certificates are never imported or loaded into the keychain. They are simply read on demand and transformed into a Secure Transport supported format using SecItemImport.
Note that the configured certificates are expected to be available and valid during the lifetime of the session. This is consistent with the OpenSSL implementation and expectations.
Certificate Authority checks:
If mongoc_ssl_opt_t.ca_file is provided the server certificate MUST be issued by that Certificate Authority. When no .ca_file is provided, we'll verify the server certificate against the default (and additionally currently open) keychains. This makes it unnecessary to provide the .ca_file for commercially bought certificates, while at the same time, if you do want to guarantee that the certificate is only issued by that specific CA, you can do so.
Providing client certificates:
mongoc_ssl_opt_t.pem_file can be configured to point at a client PEM file, containing both the private key and public key certificates. Optionally, mongoc_ssl_opt_t.pem_pwd can be configured with the passphrase if the private key is passphrase protected.
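A preflight check for the client PEM file described above, added here as an illustration and not part of the ticket or the driver: it parses the PEM blocks in the file, confirms that a private key and a certificate are both present, and reports whether the key is encrypted (a traditional OpenSSL DEK-Info header or a PKCS#8 ENCRYPTED PRIVATE KEY block), which is what decides whether pem_pwd has to be set. The sample inputs are constructed placeholder bytes, not real keys or certificates.

```python
import base64
import re

# One PEM block: "-----BEGIN <label>-----", body, "-----END <label>-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",   # traditional OpenSSL
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",                    # PKCS#8
}


def parse_pem(text):
    """Return [(label, headers, der_bytes)] for every PEM block in text.

    Traditional OpenSSL encrypted keys carry RFC 1421 headers (Proc-Type,
    DEK-Info) before the base64 body; those are returned in the headers dict.
    A corrupt base64 body raises binascii.Error.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, lines = m.group(1), m.group(2).splitlines()
        headers = {}
        if lines and ":" in lines[0]:
            # Header lines run up to the first blank line.
            while lines and lines[0].strip():
                key, _, value = lines.pop(0).partition(":")
                headers[key.strip()] = value.strip()
            if lines:
                lines.pop(0)  # the blank separator line
        der = base64.b64decode("".join(l.strip() for l in lines), validate=True)
        blocks.append((label, headers, der))
    return blocks


def check_client_pem(text):
    """Summarise whether the PEM text fits what pem_file expects."""
    blocks = parse_pem(text)
    keys = [b for b in blocks if b[0] in PRIVATE_KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    encrypted = any(
        b[0] == "ENCRYPTED PRIVATE KEY" or "DEK-Info" in b[1] for b in keys
    )
    return {
        "has_key": bool(keys),
        "has_cert": bool(certs),
        "key_encrypted": encrypted,   # True means pem_pwd must be supplied
        "labels": [b[0] for b in blocks],
    }


def _fake_block(label, payload, headers=""):
    """Build a syntactically valid PEM block around constructed (non-key) bytes."""
    body = base64.encodebytes(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n"


# Constructed samples: a plain key + cert file, and an encrypted-key variant.
SAMPLE_PLAIN = (
    _fake_block("RSA PRIVATE KEY", b"constructed-key-bytes")
    + _fake_block("CERTIFICATE", b"constructed-cert-bytes")
)
SAMPLE_ENCRYPTED = (
    _fake_block(
        "RSA PRIVATE KEY",
        b"constructed-ciphertext",
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n",
    )
    + _fake_block("CERTIFICATE", b"constructed-cert-bytes")
)

if __name__ == "__main__":
    print(check_client_pem(SAMPLE_PLAIN))
    print(check_client_pem(SAMPLE_ENCRYPTED))
```

For a real file, call check_client_pem(open(path).read()) before wiring the path into pem_file; a result with has_key or has_cert false, or key_encrypted true without a pem_pwd configured, is a configuration error you would otherwise only see as a failed handshake.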
X.509 Authentication username extraction:
As with the OpenSSL implementation, the RFC2253 formatted certificate subject name is extracted from the certificate. This makes providing the username for X.509 authentication optional.
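The RFC 2253 subject string that the driver derives the X.509 username from can be reproduced directly from the certificate's DER-encoded Name. The following is an added illustration in Python, not code from the ticket or the driver: a small DER decoder plus the RFC 2253 rendering rules (RDNs listed last-first, short attribute names, escaping of special characters, and `#`-hex for non-string values or attribute types without a short name). The sample subject is constructed by a minimal DER encoder in the same block and is not taken from a real certificate. Libraries differ in which short names they know (OpenSSL, for example, prints emailAddress by name rather than as a dotted OID), so when you create the matching user on the server, take the name from the same tooling the driver uses rather than typing it by hand.

```python
# Short attribute names from RFC 2253 section 2.3, plus UID and DC from RFC 4514.
ATTR_SHORT_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.9": "STREET", "2.5.4.10": "O", "2.5.4.11": "OU",
    "0.9.2342.19200300.100.1.1": "UID", "0.9.2342.19200300.100.1.25": "DC",
}
# ASN.1 string types rendered as text; anything else is dumped as '#' + hex.
_TEXT_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Decode the DER tag/length/value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def escape_value(s):
    """Escape a string attribute value as RFC 2253 section 2.4 requires."""
    out = []
    for i, ch in enumerate(s):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) \
                or (ch == " " and i in (0, len(s) - 1)):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def name_to_rfc2253(der):
    """Render a DER-encoded X.509 Name in RFC 2253 string form."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        parts, p = [], 0
        while p < len(rdn):                             # AttributeTypeAndValue
            _, atv, p = read_tlv(rdn, p)
            _, oid_raw, q = read_tlv(atv, 0)
            vtag, value, end = read_tlv(atv, q)
            oid = decode_oid(oid_raw)
            name = ATTR_SHORT_NAMES.get(oid, oid)
            if oid in ATTR_SHORT_NAMES and vtag in _TEXT_TAGS:
                rendered = escape_value(value.decode(_TEXT_TAGS[vtag]))
            else:
                rendered = "#" + atv[q:end].hex()       # hex of the BER value
            parts.append(name + "=" + rendered)
        rdns.append("+".join(parts))                    # multi-valued RDN
    return ",".join(reversed(rdns))                     # last RDN first


def _tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed sample input."""
    n = len(body)
    length = bytes([n]) if n < 128 else (
        bytes([0x80 | ((n.bit_length() + 7) // 8)])
        + n.to_bytes((n.bit_length() + 7) // 8, "big"))
    return bytes([tag]) + length + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def build_name(rdns):
    """Encode [[(dotted_oid, text), ...], ...] as a DER Name with UTF8String
    values (constructed sample input, not a real certificate subject)."""
    body = b""
    for rdn in rdns:
        body += _tlv(0x31, b"".join(
            _tlv(0x30, _encode_oid(o) + _tlv(0x0C, v.encode())) for o, v in rdn))
    return _tlv(0x30, body)


# Constructed subject, in DER order: C=US, O="Example, Inc.", OU=Drivers, CN=client
SAMPLE_SUBJECT = build_name([
    [("2.5.4.6", "US")], [("2.5.4.10", "Example, Inc.")],
    [("2.5.4.11", "Drivers")], [("2.5.4.3", "client")],
])

if __name__ == "__main__":
    print(name_to_rfc2253(SAMPLE_SUBJECT))
```

The comma in the organisation name is escaped and the RDN order is reversed, which is why a username copied from a one-line `openssl x509 -subject` default printout (slash-separated, certificate order) will not match what the driver sends.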
Notable differences to OpenSSL:
mongoc_ssl_opt_t.ca_dir will ERROR if set.
mongoc_ssl_opt_t.crl_file will ERROR if set.
There is no such concept as ca_dir in Darwin Secure Transport; the closest equivalent would be which keychain is used.
All certificate evaluation is configured by your trust settings. Revoking a certificate must be done through the keychain.
— Original ticket
We offer TLS support on OSX via openssl, but it'd be a better fit to offer native support through the OS.
It looks like some work has already been done, albeit on a fork that can't easily be PR'd anymore. See if that's a good base to work from:
https://github.com/jeromelebel/mongo-c-driver/blob/master/src/mongoc/mongoc-stream-apple-tls.c
The work to take this over the line would be to port that stream implementation and whatever ifdefs he added in stream initiation in mongoc_client_new.
- is related to
  - CDRIVER-737 SCRAM-SHA-1 should not depend on openssl (Closed)
- related to
  - CDRIVER-941 'openssl/bio.h' not found on OS X 10.11 (Closed)
  - CDRIVER-974 -Wno-deprecated-declarations not support on all compilers (Closed)
  - CDRIVER-1148 /Async/ismaster_ssl fails on Darwin Native SSL (Closed)
  - CDRIVER-1162 mongoc-stream-tls-private.h is broken on master (Closed)
  - CDRIVER-1166 CMake option to build with native TLS on OSX (Secure Transport) (Closed)
  - CDRIVER-5576 Remove unconditional -Wno-deprecated-declarations for Apple platforms (Backlog)
  - CDRIVER-1147 Use SSL_shutdown on OpenSSL connections? (Closed)
  - CDRIVER-2700 Can we remove -Wno-deprecated-declarations on Apple? (Closed)
  - CDRIVER-1106 OSX + Secure Transport Build variant in Evergreen (Closed)
  - CDRIVER-1122 Don't just fork(), exec(), in the test suite (Closed)
  - CDRIVER-1146 SecIdentityCreate research (Closed)
  - CDRIVER-1169 SSLSetCertificateAuthorities fails, while SSLSetTrustedRoots works (Closed)