CDRIVER-6071 replace build-and-test-with-toolchain with openssl-compat #2082
Conversation
Per this patch build, zSeries no-SASL succeeds, but zSeries SASL fails during the "Authenticating using GSSAPI" test with: |
There was a problem hiding this comment.
The script clean-ups and test coverage improvements are much appreciated.
The
tlsDisableOCSPEndpointCheckURI option is rejected by both Secure Transport (darwinssl) and Secure Channel (winssl), but neither of these behaviors seems to be publically documented.
Later sections on Configure Transport Layer Security (TLS) note:
Setting
tlsDisableOCSPEndpointCheckhas no effect.
.evergreen/scripts/run-auth-tests.sh
Outdated
|
|
||
| if [[ "${sasl}" != "OFF" ]]; then | ||
| echo "Authenticating using GSSAPI" | ||
| LD_LIBRARY_PATH="${openssl_lib_prefix}" maybe_skip "${ping}" "mongodb://${auth_gssapi:?}@${auth_host}/?authMechanism=GSSAPI&${c_timeout}" | ||
| "${mongoc_ping:?}" "mongodb://${auth_gssapi:?}@${auth_host:?}/?authMechanism=GSSAPI&${c_timeout:?}" |
There was a problem hiding this comment.
CDRIVER-5990 unskip auth tests on zSeries
Per this patch build, zSeries no-SASL succeeds, but zSeries SASL fails during the "Authenticating using GSSAPI" test with:
ERROR: cluster: Authentication failed: SASL Failure: (-1): generic failure Ping failure: SASL Failure: (-1): generic failure
I would rather keep the maybe_skip on for zSeries, and leave CDRIVER-5990 unresolved for a further look. I suspect the failure environment related (I don't think GSSAPI code has changed recently).
There was a problem hiding this comment.
Reverted as suggested.
| # Download the requested OpenSSL version into `openssl-<version>`. | ||
| openssl_download() { | ||
| declare version | ||
| version="${1:?"usage: openssl_download_checksum <version>"}" |
There was a problem hiding this comment.
| version="${1:?"usage: openssl_download_checksum <version>"}" | |
| version="${1:?"usage: openssl_download <version>"}" |
.evergreen/scripts/run-ocsp-test.sh
Outdated
| if [[ -d "${openssl_install_dir:?}/lib64" ]]; then | ||
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" | ||
| DYLD_LIBRARY_PATH="${mongoc_build_dir:?}/src/libmongoc" | ||
| else | ||
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${LD_LIBRARY_PATH:-}" | ||
| DYLD_LIBRARY_PATH="${mongoc_build_dir:?}/src/libbson" | ||
| fi |
There was a problem hiding this comment.
Fix DYLD_LIBRARY_PATH overwrites:
| if [[ -d "${openssl_install_dir:?}/lib64" ]]; then | |
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" | |
| DYLD_LIBRARY_PATH="${mongoc_build_dir:?}/src/libmongoc" | |
| else | |
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${LD_LIBRARY_PATH:-}" | |
| DYLD_LIBRARY_PATH="${mongoc_build_dir:?}/src/libbson" | |
| fi | |
| if [[ -d "${openssl_install_dir:?}/lib64" ]]; then | |
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" | |
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${DYLD_LIBRARY_PATH:-}" | |
| else | |
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${LD_LIBRARY_PATH:-}" | |
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${DYLD_LIBRARY_PATH:-}" | |
| fi |
| CMAKE_BUILD_PARALLEL_LEVEL="$(nproc)" | ||
|
|
||
| # libmongocrypt must use the same OpenSSL library. | ||
| echo "Installing libmongocrypt..." |
There was a problem hiding this comment.
Minor: Consider reusing compile-libmongocrypt.sh and passing the extra openssl_cmake_flags as extra arguments to ``compile_libmongocrypt` to avoid needing to update another location when updating libmongocrypt.
There was a problem hiding this comment.
Done. Extended compile-libmongocrypt.sh to support additional arguments which are treated as extra CMake flags.
| # Why does this fail with Secure Transport (CSSMERR_TP_CERT_SUSPENDED)...? | ||
| prohibit(self.test == "TEST_3") | ||
|
|
||
| # Secure Transport (mongoc-stream-tls-secure-transport.c:_verify_peer) does not implement soft failure. |
There was a problem hiding this comment.
| # Secure Transport (mongoc-stream-tls-secure-transport.c:_verify_peer) does not implement soft failure. | |
| # TODO(CDRIVER-3759) Secure Transport fails soft failure test. |
IIRC "soft-fail" behavior was only assumed after manual testing, and was assumed to be enabled with kSecRevocationOCSPMethod. Quoting https://mongodbcr.appspot.com/547790001/:
I can at least validate it is contacted (and then a soft-fail occurs)
But maybe the test failures suggest otherwise. I think investigating can be done as part of CDRIVER-3759.
This reverts commit ad45ce9.
.evergreen/scripts/run-ocsp-test.sh
Outdated
| if [[ -d "${openssl_install_dir:?}" ]]; then | ||
| if [[ -d "${openssl_install_dir:?}/lib64" ]]; then | ||
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" | ||
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" |
There was a problem hiding this comment.
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" | |
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${DYLD_LIBRARY_PATH:-}" |
.evergreen/scripts/run-ocsp-test.sh
Outdated
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib64:${LD_LIBRARY_PATH:-}" | ||
| else | ||
| LD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${LD_LIBRARY_PATH:-}" | ||
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${LD_LIBRARY_PATH:-}" |
There was a problem hiding this comment.
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${LD_LIBRARY_PATH:-}" | |
| DYLD_LIBRARY_PATH="${openssl_install_dir:?}/lib:${DYLD_LIBRARY_PATH:-}" |
Resolves CDRIVER-6071. Removes dependency on the legacy C toolchain project by replacing the
build-and-test-with-toolchaintask (which began inexplicably failing since 2025-07-17; did the artifact expire?) with a newopenssl-compatmatrix.Historically, the legacy C toolchain project was meant to test both SSL library compatibility and build tool minimum requirements, as currently documented by its README:
However, its purpose has long been made obsolete or superseded by better alternatives. Support for LibreSSL was dropped in CDRIVER-5693. Boost is irrelevant (C++ Driver doesn't support it since CXX-2797, nor does it use the legacy C toolchain anyways). The minimum required CMake version was raised to 3.15 in CDRIVER-4637 (a new branch as created by https://github.com/10gen/mongo-c-toolchain/pull/2 to support this new requirement); this can easily be replaced with a
cmake-compatmatrix (+ soon powered byuvx cmakeinstead offind-cmake-latest.sh). The legacy C toolchain also provides zstd, but AFAICT we do not actually test this minimum zstd compatibility requirement, or any other external library dependency's minimum version requirements (we can consider adding additional tasks to accomplish this if needed).Therefore, the only value (that was) being provided by the
build-and-test-with-toolchaintask is OpenSSL library compatibility checks, which is worth preserving given the wide variety of OpenSSL library versions across platforms and distros. This PR proposes preserving and refining this compatibility coverage as the newopenssl-compatmatrix.First, it is important to note, per OpenSSL docs:
The versions "present above" are currently 3.0 through 3.5. This means we can/should drop compatibility coverage for any version older than 3.0 that is not either 1.0.2 and 1.1.1. Relative to the legacy C toolchain, this means dropping 0.9.8, 1.0.1, and 1.1.0.
Note
The results of an EVG distro survey on 2025-08-05 report the following distros which are currently used by the C Driver that do not have provide OpenSSL v3 or newer via default system packages:
amazon2-arm64-latest: 1.0.2k FIPSdebian-11: 1.1.1nrhel7-latest: 1.0.2k FIPSrhel8-latest: 1.1.1k FIPSrhel8-power: 1.1.1k FIPSrhel8-zseries: 1.1.1k FIPSrhel80: 1.1.1 FIPSrhel84: 1.1.1g FIPSrhel94: 1.1.1g FIPSubuntu2004: 1.1.1fubuntu2004-arm64: 1.1.1fThese results support the argument for compatibility-checking pre-v3 OpenSSL versions 1.0.2 and 1.1.1 only.
Furthermore, per docs:
Given we have plenty of OpenSSL coverage with other compile-and-test matrices, I believe we do not need to extend compatibility checks for pre-v3 OpenSSL versions more than we already have. That being said, all "special" OpenSSL-related tasks have been relocated from their prior build variants into the
openssl-compatmatrix: all remaining-openssltasks simply use the system-provided OpenSSL library as-is without any special steps.That being said, even though some system-provided OpenSSL libraries are FIPS-validated, this doesn't necessarily mean the FIPS module is enabled and used by default. Therefore, the
openssl-compatmatrix includes a few custom OpenSSL installations that do set the appropriateopenssl.cnfproperties to use the FIPS module by default. (That being said, does mongoc even use the FIPS module programmatically at all?) For now, only 3.0.9 and 3.1.2 are used for FIPS 140-2 and FIPS 140-3 coverage respectively (each being the latest patch release for its minor version series).Important
This PR deliberately drops OpenSSL FIPS Object Module 2.0 integration checks. OpenSSL 3.0.9 already provides FIPS 140-2 compliance coverage. Per Wikipedia, "The FIPS Object Module 2.0 remained FIPS 140-2 validated in several formats until September 1, 2020, when NIST ... designated all non-compliant modules as 'Historical'. This designation includes a caution to federal agencies that they should not include the module in any new procurements." Aside from the distros listed in the survey above which provide FIPS support, I do not think we need to go out of our way to test this any longer.
The Ubuntu 24.04 distro is selected for the
openssl-compatmatrix primarily to avoid complications with registering trusted certificates with the custom OpenSSL installation on RHEL or Arch Linux (no special handling seems to be required on Ubuntu). RHEL is also complicated due to backports ofEVP_KDF_*functions into their OpenSSL 1.1.1 package and depending on it (e.g. bylibk5crypto.so.3). Since the goal of this matrix is OpenSSL version compatibility checks, platform-specific OpenSSL compatibility is deferred to other existing-openssltasks.The
openssl-compatmatrix tasks also call therun-auth-tests.shscript via therun auth testsEVG command to extend compatibility checks to runtime behavior, not just compile-time compatibility as is the case forbuild-and-test-with-toolchain. This should hopefully allow us to detect issues like CDRIVER-5998 a bit better than before.Numerous fixes and improvements are made to authentication-related tasks and scripts:
authentication-*andocsp-*task failures due to updated CMake binary directory paths.test-aws-*scripts for consistency.atlas_x509_*Evergreen project variables required byrun-auth-tests.shhave been moved into the EVG project repository settings so they are inherited by ther2.1release branch.tlsDisableOCSPEndpointCheckURI option is rejected by both Secure Transport (darwinssl) and Secure Channel (winssl), but neither of these behaviors seems to be publically documented.