CDRIVER-2545 use native TLS by default

The driver now uses Windows or Mac native TLS by default, instead of
searching for OpenSSL. Override with cmake -DENABLE_SSL=OPENSSL.

Author: ajdavis

CMakeLists.txt

@@ -155,8 +155,9 @@ if (NOT ENABLE_SSL MATCHES "DARWIN|WINDOWS|OPENSSL|LIBRESSL|AUTO|OFF")
 endif ()
 
 if (NOT ENABLE_SSL STREQUAL OFF)
-   # If "AUTO", try OpenSSL. In version 2.0 we'll default to "DARWIN" on Mac.
-   if (ENABLE_SSL MATCHES "AUTO|OPENSSL")
+   # Try OpenSSL automatically everywhere but Mac and Windows.
+   if (ENABLE_SSL STREQUAL "OPENSSL"
+       OR (NOT APPLE AND NOT WIN32 AND ENABLE_SSL STREQUAL "AUTO"))
       # Sets OPENSSL_FOUND on success.
       include (FindOpenSSL)
    endif ()
@@ -176,30 +177,22 @@ if (NOT ENABLE_SSL STREQUAL OFF)
       endif ()
    endif ()
 
-   if (ENABLE_SSL STREQUAL DARWIN)
+   if (ENABLE_SSL STREQUAL DARWIN OR (APPLE AND ENABLE_SSL STREQUAL "AUTO"))
       if (APPLE)
          set (SECURE_TRANSPORT 1)
       else ()
          message (FATAL_ERROR "ENABLE_SSL=DARWIN only supported on Mac OS X")
       endif ()
    endif ()
 
-   if (ENABLE_SSL STREQUAL AUTO AND NOT OPENSSL_FOUND AND APPLE)
-      set (SECURE_TRANSPORT 1)
-   endif ()
-
-   if (ENABLE_SSL STREQUAL WINDOWS)
+   if (ENABLE_SSL STREQUAL WINDOWS OR (WIN32 AND ENABLE_SSL STREQUAL "AUTO"))
       if (WIN32)
          set (SECURE_CHANNEL 1)
       else ()
          message (FATAL_ERROR "ENABLE_SSL=WINDOWS only supported on Windows")
       endif ()
    endif ()
 
-   if (ENABLE_SSL STREQUAL AUTO AND NOT OPENSSL_FOUND AND WIN32)
-      set (SECURE_CHANNEL 1)
-   endif ()
-
    if (NOT OPENSSL_FOUND AND NOT SECURE_TRANSPORT AND NOT SECURE_CHANNEL AND NOT LIBRESSL)
       if (ENABLE_SSL STREQUAL AUTO)
          set (ENABLE_SSL OFF)

NEWS

@@ -13,6 +13,10 @@ bugfixes:
   * The internal preprocessor symbol HAVE_STRINGS_H has been renamed
     BSON_HAVE_STRINGS_H. If you maintain a handwritten bson-config.h you must
     rename this symbol.
+  * If CMake is configured with ENABLE_SSL=AUTO (the default), libmongoc now
+    uses native TLS libraries on Mac and Windows, and OpenSSL everywhere else.
+    Before, it would search for OpenSSL on all platforms and only use native
+    TLS on Mac and Windows as a fallback.
   * The driver now handshakes SSL connections to multiple servers in a replica
     set or sharded cluster in parallel, so long as it uses OpenSSL or Windows
     SChannel. (SSL handshakes with Apple's Secure Transport are still serial.)

doc/installing.rst

@@ -190,33 +190,6 @@ Build and install the driver:
   $ make
   $ sudo make install
 
-Native TLS Support on Mac OS X / Darwin (Secure Transport)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The MongoDB C Driver supports the Darwin native TLS and crypto libraries.
-Using the native libraries there is no need to install OpenSSL. By
-default however, the driver will compile against OpenSSL if it
-detects it being available. If OpenSSL is not available, it will
-fall back on the native libraries.
-
-To compile against the Darwin native TLS and crypto libraries, even when
-OpenSSL is available, configure the driver like so:
-
-.. code-block:: none
-
-  $ ./configure --enable-ssl=darwin
-
-OpenSSL support in Mac OS X
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Beginning in OS X 10.11 El Capitan, OS X no longer includes the OpenSSL headers. To build the driver with OpenSSL on El Capitan and later:
-
-.. code-block:: none
-
-  $ brew install openssl
-  $ export LDFLAGS="-L/usr/local/opt/openssl/lib"
-  $ export CPPFLAGS="-I/usr/local/opt/openssl/include"
-
 .. _build-on-windows:
 
 Building on Windows with Visual Studio
@@ -260,8 +233,6 @@ Now let's do the same for the MongoDB C driver.
   mkdir cmake-build
   cd cmake-build
   cmake -G "Visual Studio 14 2015 Win64" \\
-    "-DENABLE_SSL=WINDOWS" \\
-    "-DENABLE_SASL=SSPI" \\
     "-DCMAKE_INSTALL_PREFIX=C:\\mongo-c-driver" \\
     "-DCMAKE_PREFIX_PATH=C:\\mongo-c-driver" \\
     "-DCMAKE_BUILD_TYPE=Release" \\
@@ -278,52 +249,6 @@ To build and install debug binaries, remove the
 
 To use the driver libraries in your program, see :doc:`visual-studio-guide`.
 
-Native TLS Support on Windows (Secure Channel)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The MongoDB C Driver supports the Windows native TLS and crypto libraries.
-Using the native libraries there is no need to install OpenSSL. By
-default however, the driver will compile against OpenSSL if it
-detects it being available. If OpenSSL is not available, it will
-fallback on the native libraries.
-
-To compile against the Windows native TLS and crypto libraries, even when
-OpenSSL is available, configure the driver like so:
-
-.. code-block:: none
-
-  cmake -G "Visual Studio 14 2015 Win64" \
-    "-DENABLE_SSL=WINDOWS" \
-    "-DCMAKE_INSTALL_PREFIX=C:\\mongo-c-driver" \
-    "-DCMAKE_PREFIX_PATH=C:\\mongo-c-driver" \
-    ..
-
-Native SASL Support on Windows (SSPI)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The MongoDB C Driver supports the Windows native Kerberos and Active Directory
-interface, SSPI. Using the native libraries there is no need to install any
-dependencies, such as cyrus-sasl.  By default however, the driver will compile
-against cyrus-sasl.
-
-To compile against the Windows native SSPI, configure the driver like so:
-
-.. code-block:: none
-
-  cmake -G "Visual Studio 14 2015 Win64" \
-    "-DENABLE_SASL=SSPI" \
-    "-DCMAKE_INSTALL_PREFIX=C:\\mongo-c-driver" \
-    "-DCMAKE_PREFIX_PATH=C:\\mongo-c-driver" \
-    ..
-
-OpenSSL support on Windows
-^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-For backwards compatibility CMake will default to OpenSSL support.
-If not found, it will fallback to native TLS support provided by the platform.
-
-OpenSSL 1.1.0 support requires CMake 3.7 or later on Windows.
-
 Building on Windows with MinGW-W64 and MSYS2
 --------------------------------------------
 

doc/mongoc_ssl_opt_t.rst

@@ -72,13 +72,11 @@ To overwrite this behaviour, it is possible to disable hostname validation, and/
 OpenSSL
 -------
 
-The MongoDB C Driver uses OpenSSL, if available, on Linux and Unix platforms, including macOS.
-
-Industry best practices and some regulations require the use of TLS 1.1 or newer, which requires at least OpenSSL 1.0.1. However, some operating systems such as older macOS ship outdated OpenSSL libraries. Check your OpenSSL version like so::
+The MongoDB C Driver uses OpenSSL, if available, on Linux and Unix platforms (besides macOS). Industry best practices and some regulations require the use of TLS 1.1 or newer, which requires at least OpenSSL 1.0.1. Check your OpenSSL version like so::
 
   $ openssl version
 
-On macOS we recommend using `Secure Transport`_ instead. On other Unixes, upgrade your OpenSSL to a recent version (at least 1.0.1), or install a recent version in a non-system path and build against it with::
+Ensure your system's OpenSSL is a recent version (at least 1.0.1), or install a recent version in a non-system path and build against it with::
 
   cmake -DOPENSSL_ROOT_DIR=/absolute/path/to/openssl
 
@@ -107,9 +105,7 @@ When ``crl_file`` is provided, the driver will import the revocation list to the
 Native TLS Support on Mac OS X / Darwin (Secure Transport)
 ----------------------------------------------------------
 
-The MongoDB C Driver supports the Darwin (OS X, macOS, iOS, etc.) native TLS library (Secure Transport), and its native crypto library (Common Crypto, or CC). To ensure you build with Secure Transport instead of any OpenSSL library installed on your system::
-
-  cmake -DENABLE_SSL=DARWIN
+The MongoDB C Driver supports the Darwin (OS X, macOS, iOS, etc.) native TLS library (Secure Transport), and its native crypto library (Common Crypto, or CC).
 
 When compiled against Secure Transport, the ``ca_dir`` option is not supported, and will issue an error if used.