Improve TLS documentations

bjori · ajdavis · commit 732f18b45c7c · 2016-08-10T13:51:29.000-04:00
diff --git a/doc/mongoc_advanced_connections.page b/doc/mongoc_advanced_connections.page
@@ -98,28 +98,28 @@ main (int   argc,
    
   <section id="SSL">
     <info><link type="guide" xref="index#advanced-connections" /></info>
-    <title>Connecting to a server that requires SSL</title> 
-<p>These are instructions for configuring TLS/SSL connections.</p>
+    <title>Connecting to a server over SSL</title>
+    <p>These are instructions for configuring TLS/SSL connections.</p>
    <listing> 
    <title>Basic Configuration</title>
     <p>To run a server locally (on port 27017, for example):</p>
     <screen><code>$ mongod --port 27017 --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem </code></screen>
     <p>Add <code>/?ssl=true</code> to the end of a client URI.</p>
     <screen><code>mongoc_client_t *client = NULL;
 client = mongoc_client_new ("mongodb://localhost:27017/?ssl=true");</code></screen></listing>
-   <listing><title>Specifying Client Certificates and CA Files</title>
-   <p>The C Driver can be configured to present a client certificate using a <code>mongoc_ssl_opt_t</code>:</p>
+   <listing><title>Specifying Client Certificate</title>
+   <p>MongoDB requires client certificates by default, unless the <code>--sslAllowConnectionsWithoutCertificates</code> is provided. The C Driver can be configured to present a client certificate using a <code>mongoc_ssl_opt_t</code>:</p>
 <screen><code>const mongoc_ssl_opt_t *ssl_default = mongoc_ssl_opt_get_default ();
 mongoc_ssl_opts_t ssl_opts = { 0 };
-mongoc_client_t client = mongoc_client_new ("mongodb://localhost:27017/?ssl=true");
 
 /* optionally copy in a custom trust directory or file; otherwise the default is used. */
 memcpy (&amp;ssl_opts, ssl_default, sizeof ssl_opts);
 ssl_opts.pem_file = "client.pem" 
-ssl_opts.ca_file = "ca.pem" 
-ssl_weak.weak_cert_validation = false; 
 
-mongoc_client_set_ssl_opts (client, &amp;ssl_opts);</code></screen></listing>
+mongoc_client_set_ssl_opts (client, &amp;ssl_opts);</code></screen></listing>.
+<p>The client certificate provided by <code>pem_file</code> must be issued by one of the server trusted Certificate Authorities listed in <code>--sslCAFile</code>, or issued by a CA in the native certificate store on the server when omitted.</p>
+<p>To verify the server certificate against a specific CA, provide a PEM armored file with a CA certificate, or contatinated list of CA certificates using the <code>ca_file</code> option, or <code>c_rehash</code> directory structure of CAs, pointed to using the <code>ca_dir</code> option. When no <code>ca_file</code> or <code>ca_dir</code> is provided, the driver will use CAs provided by the native platform certificate store.</p>
+    <p>See <link type="seealso" xref="mongoc_ssl_opt_t"><code>mongoc_ssl_opt_t</code></link> for more information on the various SSL related options.</p>
   </section>
 
 
diff --git a/doc/mongoc_client_pool_set_ssl_opts.page b/doc/mongoc_client_pool_set_ssl_opts.page
@@ -19,7 +19,7 @@ mongoc_client_pool_set_ssl_opts (mongoc_client_pool_t   *pool,
 #endif]]></code></synopsis>
     <p>This function is identical to <code xref="mongoc_client_set_ssl_opts">mongoc_client_set_ssl_opts()</code> except for client pools. It ensures that all clients retrieved from <code xref="mongoc_client_pool_pop">mongoc_client_pool_pop()</code> or <code xref="mongoc_client_pool_try_pop">mongoc_client_pool_try_pop()</code> are configured with the same SSL settings.</p>
     <p>It is a programming error to call this function after retrieving a client from the client pool.</p>
-    <p>Beginning in version 1.2.0, once a pool has any SSL options set, all connections use SSL, even if "ssl=true" is omitted from the MongoDB URI. Before, SSL options were ignored unless "ssl=true" was included in the URI.</p>
+    <p>Beginning in version 1.2.0, once a pool has any SSL options set, all connections use SSL, even if <code>ssl=true</code> is omitted from the MongoDB URI. Before, SSL options were ignored unless <code>ssl=true</code> was included in the URI.</p>
   </section>
 
   <section id="parameters">
diff --git a/doc/mongoc_client_set_ssl_opts.page b/doc/mongoc_client_set_ssl_opts.page
@@ -17,7 +17,7 @@ mongoc_client_set_ssl_opts (mongoc_client_t        *client,
                             const mongoc_ssl_opt_t *opts);
 #endif]]></code></synopsis>
     <p>Sets the SSL options to use when connecting to SSL enabled MongoDB servers.</p>
-    <p>Beginning in version 1.2.0, once a client has any SSL options set, all connections use SSL, even if "ssl=true" is omitted from the MongoDB URI. Before, SSL options were ignored unless "ssl=true" was included in the URI.</p>
+    <p>Beginning in version 1.2.0, once a client has any SSL options set, all connections use SSL, even if <code>ssl=true</code> is omitted from the MongoDB URI. Before, SSL options were ignored unless <code>ssl=true</code> was included in the URI.</p>
     <p>The <code>mongoc_ssl_opt_t</code> struct is copied by the client along with the strings it points to (<code>pem_file</code>, <code>pem_pwd</code>, <code>ca_file</code>, <code>ca_dir</code>, and <code>crl_file</code>) so they don't have to remain valid after the call to <code>mongoc_client_set_ssl_opts</code>.</p>
     <p>It is a programming error to call this function on a client from a <code xref="mongoc_client_pool_t">mongoc_client_pool_t</code>. Instead, call <code xref="mongoc_client_pool_set_ssl_opts">mongoc_client_pool_set_ssl_opts</code> on the pool before popping any clients.</p>
   </section>
diff --git a/doc/mongoc_installing.page.in b/doc/mongoc_installing.page.in
@@ -11,8 +11,7 @@
 
     <title>Supported Platforms</title>
 
-    <p>The MongoDB C Driver is continuously tested on GNU/Linux, Windows 7, Mac OS X 10.10, and Solaris 11 (Intel and Sparc), with GCC, Clang, and Visual Studio 2010, 2013, and 2015.</p>
-    <p>The driver supports the following operating systems and CPU architectures:</p>
+    <p>The MongoDB C Driver is <link href="https://evergreen.mongodb.com/waterfall/mongo-c-driver">continuously tested</link> on variety of platforms including:</p>
 
     <table>
       <tr>
@@ -24,10 +23,9 @@
         <td>
           <list>
             <item><p>GNU/Linux</p></item>
-            <item><p>Solaris 11</p></item>
-            <item><p>Mac OS X 10.6 and newer</p></item>
-            <item><p>Windows Vista, 7, and 8</p></item>
-            <item><p>FreeBSD</p></item>
+            <item><p>Solaris</p></item>
+            <item><p>Mac OS X</p></item>
+            <item><p>Microsoft Windows</p></item>
           </list>
         </td>
         <td>
@@ -36,6 +34,9 @@
             <item><p>ARM</p></item>
             <item><p>PPC</p></item>
             <item><p>SPARC</p></item>
+            <item><p>aarch64</p></item>
+            <item><p>s390x</p></item>
+            <item><p>ppc64le</p></item>
           </list>
         </td>
         <td>
@@ -50,6 +51,8 @@
       </tr>
     </table>
 
+    <p>The driver is also known to work on FreeBSD, and should work on any POSIX compatible platform with a working c89 (or later) compiler.</p>
+
   </section>
 
   <section id="package-manager">
@@ -158,6 +161,23 @@ $ export LDFLAGS="-L/usr/local/opt/openssl/lib"
 $ export CPPFLAGS="-I/usr/local/opt/openssl/include"</screen>
       </section>
     </section>
+    <section id="nativetls-macos">
+      <title>Native TLS Support on Mac OS X / Darwin (Secure Transport)</title>
+      <p>
+	The MongoDB C Driver supports the Darwin native TLS and crypto libraries.
+	Using the native libraries there is no need to install OpenSSL. By
+	default however, the driver will compile against OpenSSL if it
+	detects it being available. If OpenSSL is not available, it will
+	fallback on the native libraries.
+      </p>
+      <p>
+	To compile against the Darwin native TLS and crypto libraries, even when
+	OpenSSL is available, configure the driver like so:
+      </p>
+      <screen>
+$ ./configure --enable-ssl=darwin
+      </screen>
+    </section>
     <section id="building-osx">
       <title>Building on OS X</title>
       <p>Download the latest release tarball:</p>
@@ -217,7 +237,24 @@ cmake -G "Visual Studio 14 2015 Win64" "-DCMAKE_INSTALL_PREFIX=C:\mongo-c-driver
 msbuild.exe ALL_BUILD.vcxproj
 msbuild.exe INSTALL.vcxproj</screen>
 
+
     <p>All of the MongoDB C Driver's components will now be found in <code>C:\mongo-c-driver</code>.</p>
+
+    <section id="nativetls-windows">
+      <title>Native TLS Support on Windows (Secure Channel)</title>
+      <p>
+	The MongoDB C Driver supports the Windows native TLS and crypto libraries.
+	Using the native libraries there is no need to install OpenSSL. By
+	default however, the driver will compile against OpenSSL if it
+	detects it being available. If OpenSSL is not available, it will
+	fallback on the native libraries.
+      </p>
+      <p>
+	To compile against the Windows native TLS and crypto libraries, even when
+	OpenSSL is available, configure the driver like so:
+      </p>
+      <screen>cmake -G "Visual Studio 14 2015 Win64" "-DENABLE_SSL=WINDOWS" "-DCMAKE_INSTALL_PREFIX=C:\mongo-c-driver" "-DBSON_ROOT_DIR=C:\mongo-c-driver"</screen>
+    </section>
   </section>
 
 </page>
diff --git a/doc/mongoc_ssl_opt_t.page b/doc/mongoc_ssl_opt_t.page
@@ -20,15 +20,76 @@
    const char *ca_dir;
    const char *crl_file;
    bool        weak_cert_validation;
-   void       *padding [8];
+   bool        allow_invalid_hostname;
+   void       *padding [7];
 } mongoc_ssl_opt_t;
 ]]></code>
   </section>
 
   <section id="desc">
     <title>Description</title>
     <p>This structure is used to set the SSL options for a <code xref="mongoc_client_t">mongoc_client_t</code> or <code xref="mongoc_client_pool_t">mongoc_client_pool_t</code>.</p>
-    <p>Beginning in version 1.2.0, once a pool or client has any SSL options set, all connections use SSL, even if "ssl=true" is omitted from the MongoDB URI. Before, SSL options were ignored unless "ssl=true" was included in the URI.</p>
+    <p>Beginning in version 1.2.0, once a pool or client has any SSL options set, all connections use SSL, even if <code>ssl=true</code> is omitted from the MongoDB URI. Before, SSL options were ignored unless <code>ssl=true</code> was included in the URI.</p>
+    <p>As of 1.4.0, the <code xref="mongoc_client_pool_set_ssl_opts">mongoc_client_pool_set_ssl_opts</code> and <code xref="mongoc_client_set_ssl_opts">mongoc_client_set_ssl_opts</code> will not only shallow copy the struct, but will also copy the <code>const char*</code>. It is therefore no longer needed to make sure the values remain valid after setting them.</p>.
+  </section>
+
+  <section id="client-authentication">
+    <title>Client Authentication</title>
+    <p>When MongoDB is started with SSL enabled, it will by default require the client o provide a client certificate issued by a certificate authority specified by <code>--sslCAFile</code>, or an authority trusted by the native certificate store in use on the server.</p>
+    <p>To provide the client certificate, the user must configure the <code>pem_file</code> to point at a PEM armored certificate.</p>
+    <screen><code mime="text/x-csrc"><![CDATA[mongoc_ssl_opts_t ssl_opts = { 0 };
+
+ssl_opts.pem_file = "/path/to/client-certificate.pem"
+
+/* Then set the client ssl_opts, when using a single client mongoc_client_t */
+mongoc_client_pool_set_ssl_opts (pool, &ssl_opts);
+/* or, set the pool ssl_opts, when using a the thread safe mongoc_client_pool_t */
+mongoc_client_set_ssl_opts (client, &ssl_opts);]]></code></screen>
+  </section>
+
+  <section id="certificate-verification">
+    <title>Server Certificate Verification</title>
+    <p>The MongoDB C Driver will automatically verify the validity of the server certificate, such as issued by configured Certificate Authority, hostname validation, and expiration.</p>
+    <p>To overwrite this behaviour, it is possible to disable hostname validation, and/or allow otherwise invalid certificates. This behaviour is controlled using the <code>allow_invalid_hostname</code> and <code>weak_cert_validation</code> fields. By default, both are set to <code>false</code>. It is not recommended to change these defaults as it exposes the client to <em>Man In The Middle</em> attacks (when <code>allow_invalid_hostname</code> is set) and otherwise invalid certificates when <code>weak_cert_validation</code> is set to <code>true</code>.</p>
+  </section>
+
+  <section id="nativetls-linux">
+    <title>Native TLS Support on Linux (OpenSSL)</title>
+    <p>The MongoDB C Driver supports the dominating TLS library (OpenSSL) and crypto libraries (OpenSSL's libcrypto) on Linux and Unix platforms.</p>
+    <p>Support for OpenSSL 1.1 and later was added in 1.4.0.</p>
+    <p>When compiled against OpenSSL, the driver will attempt to load the system default certificate store, as configured by the distribution, if the <code>ca_file</code> and <code>ca_dir</code> are not set.</p>
+  </section>
+
+  <section id="nativetls-windows">
+    <title>Native TLS Support on Windows (Secure Channel)</title>
+    <p>The MongoDB C Driver supports the Windows native TLS library (Secure
+      Channel, or SChannel), and its native crypto library (Cryptography API:
+      Next Generation, or CNG).</p>
+    <p>When compiled against the Windows native libraries, the <code>ca_dir</code>
+      option is not supported, and will issue an error if used.</p>
+    <p>Encrypted PEM files (e.g., requiring <code>pem_pwd</code>) are also not
+      supported, and will result in error when attempting to load them.</p>
+    <p>When <code>ca_file</code> is provided, the driver will only allow server
+      certificates issued by the authority (or authorities) provided. When no
+      <code>ca_file</code> is provided, the driver will look up the Certificate
+      Authority using the <sys>System Local Machine Root</sys> certificate
+      store to confirm the provided certificate.</p>
+    <p>When <code>crl_file</code> is provided, the driver will import the
+      revocation list to the <sys>System Local Machine Root</sys> certificate
+      store.</p>
+  </section>
+
+  <section id="nativetls-darwin">
+    <title>Native TLS Support on Mac OS X / Darwin (Secure Transport)</title>
+    <p>The MongoDB C Driver supports the Darwin (OS X, macOS, iOS, etc.) native
+      TLS library (Secure Transport), and its native crypto library (Common
+      Crypto, or CC).</p>
+    <p>When compiled against Secure Transport, the <code>ca_dir</code>
+      option is not supported, and will issue an error if used.</p>
+    <p>When <code>ca_file</code> is provided, the driver will only allow server
+      certificates issued by the authority (or authorities) provided. When no
+      <code>ca_file</code> is provided, the driver will use the Certificate
+      Authorities in the currently unlocked keychains.</p>
   </section>
 
   <links type="topic" groups="function" style="2column">
