Atlas is likely to start offering a TLS 1.2-only mode. Connecting in that mode isn't possible with the system OpenSSL on OS X or the OpenSSL shipped with SUSE 11 (or RHEL 5.5). As the OpenSSL wrapper is needed for FIPS support and we don't support FIPS on older versions of OpenSSL anyway, we should implement a Go-native TLS dialer on platforms with OpenSSL 0.9.x.
We can identify these platforms by the Go build tag 'openssl_pre_1.0', which we're already asking for in SERVER-32922 for the wrapper. After this change, that build tag will turn off the wrapper and turn on the Go-native TLS dialer.
The Go-native TLS dialer can likely be adapted from the one that exists for the new Go driver.
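A sketch of such a dialer, added here as an illustration and not taken from the tools or the Go driver: it pins the minimum protocol version to TLS 1.2 and, when hostname checking is relaxed, still validates the certificate chain, the distinction named in the linked TOOLS-2587 title. The names `nativeTLSConfig`, `verifyChainOnly` and `dial`, the host name, and the 10-second timeout are assumptions; in a real tree the file would sit behind the 'openssl_pre_1.0' build tag.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
	"time"
)

// nativeTLSConfig is a hypothetical helper building the crypto/tls settings.
func nativeTLSConfig(roots *x509.CertPool, host string, allowInvalidHostnames bool) *tls.Config {
	cfg := &tls.Config{
		MinVersion: tls.VersionTLS12, // never negotiate TLS 1.0 or 1.1
		RootCAs:    roots,
		ServerName: host,
	}
	if allowInvalidHostnames {
		// crypto/tls couples chain and hostname checks: disable both, re-run the chain half.
		cfg.InsecureSkipVerify = true
		cfg.VerifyConnection = func(cs tls.ConnectionState) error {
			return verifyChainOnly(cs.PeerCertificates, roots)
		}
	}
	return cfg
}

// verifyChainOnly validates the chain against roots; DNSName stays empty, so no hostname match.
func verifyChainOnly(peer []*x509.Certificate, roots *x509.CertPool) error {
	if len(peer) == 0 {
		return errors.New("server presented no certificate")
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	for _, c := range peer[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := peer[0].Verify(opts)
	return err
}

// dial completes a TLS handshake with addr under cfg.
func dial(addr string, cfg *tls.Config) (*tls.Conn, error) {
	return tls.DialWithDialer(&net.Dialer{Timeout: 10 * time.Second}, "tcp", addr, cfg)
}

func main() {
	fmt.Println(nativeTLSConfig(x509.NewCertPool(), "db.example.net", true).MinVersion == tls.VersionTLS12)
}
```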
- causes
  - TOOLS-2587 sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely (Closed)
- is depended on by
  - TOOLS-1982 Automate testing TLS 1.1 or 1.2 connections on all platforms (Closed)
- related to
  - SERVER-32922 Evergreen Go tooltags need 'openssl_pre_1.0' on variants with openssl 0.9.x (Closed)
  - SERVER-34742 Stop running ssl_cert_password.js on OS X (Closed)