
WIP Add support for native SecureTransport on OS X #170

Closed

Conversation

samantharitter
Contributor

First attempt at adding support for SecureTransport on OS X, to offer a configure option beyond OpenSSL.

Thanks @jeromelebel for the original implementation! I actually have some questions for you. On my machine I am not able to make our tests pass using SecureTransport. We fail whenever we try to extract the subject of a test certificate. So, neither SecCertificateCopySubjectSummary, SecCertificateCopyLongDescription, or SecCertificateCopyCommonName can succeed in getting information out. SecCertificateCopyCommonName in particular fails with an error code of -25257, "Unknown format in import". Did you run into this issue with your branch? Were you able to successfully run the test suite?

@samantharitter samantharitter changed the title WIP Add support for native SecureTransport on OS X / iOS WIP Add support for native SecureTransport on OS X Feb 6, 2015
@jeromelebel

I'm not very good with makefiles, so I gave up on compiling my fork with it (and it was not my priority). I will have a look at those tests when I have time. Are there any variables to get SecureTransport into mongo-c-driver? Or is it the default implementation?

I'm glad to see the differences between my fork and 10gen getting reduced. :)

@samantharitter
Contributor Author

Thank you! I'm curious to see if this will work for you, I'm new to using this library and there's probably some glue that I've missed here. I'm glad we're going to take some of your changes!

Right now, the steps to build and run the tests would be:

> CFLAGS="-framework Security -framework CoreFoundation" ./configure --enable-apple-native-tls
> make test

I'll integrate the CFLAGS into the makefile, and we may try to guess when you'd want to use SecureTransport over OpenSSL, but for now both have to be passed in deliberately.

@jeromelebel

I never used SSL before doing that for mongodb :)

@jeromelebel

Well, I will wait until this pull request is merged into master.

@samantharitter
Contributor Author

Hi Jerome, sadly this can't be merged into master until it passes our tests. I'm still working on fixing it up, but I was wondering if you were able to run the tests on your own branch running Apple TLS?

@jeromelebel

I found the issue. How can I proceed? Should I do a pull request in your fork?

@samantharitter
Contributor Author

Thanks for taking a look! What was the issue? I suppose you could either open a pull request against my fork, or just explain the fix here and I'll update this branch. Thanks again 👍

@jeromelebel

The problem is in mongoc_ssl_apple_cfdata_from_filename(). If you want to load something like https://github.com/samantharitter/mongo-c-driver/blob/CDRIVER-520/tests/certificates/client.pem

You have to find only the certificate (between "BEGIN CERTIFICATE" and "END CERTIFICATE"), then you have to decode the base64 data. Only after that can you create the CFDataRef and give it to SecCertificateCreateWithData().

After that, you will have to use SecCertificateCopyValues(), search for the key "2.16.840.1.113741.2.1.1.1.8", and recreate the string by going through all the values.

Let me know how it goes for you.
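The PEM-to-DER step described in this comment, as an added example that is not code from the pull request or from mongo-c-driver: it isolates the CERTIFICATE block of a PEM file (skipping a preceding key block, as in client.pem), base64-decodes it, and checks that the result starts with the ASN.1 SEQUENCE tag before it would be wrapped in a CFDataRef for SecCertificateCreateWithData(). The sample PEM and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample, not a real certificate: a key block first (as in the
 * client.pem discussed above) then a CERTIFICATE block whose payload is the
 * DER bytes 30 03 02 01 01, i.e. SEQUENCE { INTEGER 1 }. */
static const char SAMPLE_PEM[] =
    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMAMC\nAQE=\n-----END CERTIFICATE-----\n";

static int b64_val(int c) {
    const char *t = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    const char *q = c ? strchr(t, c) : NULL;
    return q ? (int)(q - t) : -1;  /* -1 for padding, whitespace, garbage */
}
/* Find the CERTIFICATE block in PEM text and base64-decode it to DER, which is
 * what SecCertificateCreateWithData() needs. Returns a malloc'ed buffer (caller
 * frees) and sets *der_len, or NULL if no block is found or base64 is bad. */
uint8_t *pem_cert_to_der(const char *pem, size_t *der_len) {
    const char *begin = strstr(pem, "-----BEGIN CERTIFICATE-----");
    if (!begin) return NULL;
    begin += strlen("-----BEGIN CERTIFICATE-----");
    const char *end = strstr(begin, "-----END CERTIFICATE-----");
    if (!end) return NULL;
    uint8_t *out = malloc((size_t)(end - begin));  /* decoded <= encoded size */
    if (!out) return NULL;
    size_t n = 0; uint32_t acc = 0; int bits = 0;
    for (const char *p = begin; p < end && *p != '='; p++) {
        int v = b64_val((unsigned char)*p);
        if (v < 0) {
            if (*p == '\n' || *p == '\r' || *p == ' ' || *p == '\t') continue;
            free(out); return NULL;
        }
        acc = (acc << 6) | (uint32_t)v; bits += 6;
        if (bits >= 8) { bits -= 8; out[n++] = (uint8_t)(acc >> bits); acc &= (1u << bits) - 1; }
    }
    /* DER certificates are an ASN.1 SEQUENCE, so the first byte must be 0x30. */
    if (n == 0 || out[0] != 0x30) { free(out); return NULL; }
    *der_len = n;
    return out;
}
/* Decode SAMPLE_PEM; returns the DER length (5) or -1 on failure. */
int demo_decode_sample(void) {
    size_t len = 0;
    uint8_t *der = pem_cert_to_der(SAMPLE_PEM, &len);
    int ok = der && len == 5 && der[1] == 0x03 && der[2] == 0x02 && der[4] == 0x01;
    free(der); return ok ? (int)len : -1;
}
```

On macOS the returned buffer would be passed to CFDataCreate() and then SecCertificateCreateWithData(); handing those APIs the undecoded PEM text is the failure this thread describes.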

@samantharitter
Contributor Author

Ah interesting, I hadn't realized that SecCertificateCreateWithData did not also parse out the values. Yes, definitely, thanks!

@jeromelebel

Yes, it's weird to get no error and an instance back after calling SecCertificateCreateWithData(). I had a hard time finding out that part...

@jeromelebel

Any update on that PR?

@ajdavis
Member

ajdavis commented May 31, 2015

Sorry for the lack of progress on this; see https://jira.mongodb.org/browse/CDRIVER-520.

@ajdavis
Member

ajdavis commented Oct 4, 2015

Sorry for the lack of updates here; it's very important to us and we do still plan to merge this work. Thanks for putting in the effort! The roadmap is roughly this: 1.2 will be out in a couple of weeks with big performance and reliability wins for connecting to replica sets and mongoses. 1.3 will be out in a couple of months with features to support MongoDB 3.2. 1.4 will be out early next year: its top priority is to support native TLS on Mac and Windows, building on the work contributed to us so far.

@bjori
Contributor

bjori commented Mar 15, 2016

The native Secure Transport implementation has been merged into master and will be released with 1.4.0.
See CDRIVER-520 for details.

@bjori bjori closed this Mar 15, 2016
@ajdavis
Member

ajdavis commented Mar 15, 2016

Thanks @samantharitter for a huge contribution.
