PHPC-888: Support additional TLS libraries for bundled libmongoc

[jmikola]

https://jira.mongodb.org/browse/PHPC-888
https://jira.mongodb.org/browse/PHPC-1003

[jmikola]

Note: when testing this on my Ubuntu system, I actually had to change "libtls" to "libressl-tls" (since I'm using a custom PPA). I also noticed that pkg-config --libs libressl-tls returns only -lressl-tls, unlike pkg-config --libs openssl, which returns -lssl -lcrypto. I'm not sure if that's specific to the PPA package I'm using, so I'll have to test with LibreSSL proper.

FWIW, libmongoc also only specifics "libtls", so I'm curious if their LibreSSL builds are linking -lcrypto or not.

[derickr]

It's possible that your PPA doesn't need the -lcrypto, and just that -lressl-tls contains all of what -lssl and -lcrypt export. I would actually go as far to make sure that we can support your custom PPA, and the normal libressl.

[derickr]

Heh - this must never have worked then.

[jmikola]

No sir, it did not :)

[derickr]

There are some whitespace issues in this file.

[jmikola]

It looks like the TARGET_OS assignments all used tab indents. Fixing now.

[derickr]

I think all the help options, should be prefixed with " MongoDB: ", just as I currently do at https://github.com/xdebug/xdebug/blob/master/config.m4#L7

[derickr]

Why are there two sets of [ ] here?

[jmikola]

Quoting https://lists.gnu.org/archive/html/bug-gnulib/2011-09/msg00172.html:

# is a comment character in m4, which reads until end-of-line to end the comment. Which means all the [] after the comment character are treated as part of the comment, instead of as m4 [] quoting.

https://lists.gnu.org/archive/html/bug-gnulib/2011-09/msg00193.html discusses modifying AC_CHECK_DECLS to double-quote.

Note that we also used double-quoting in the original check in config.m4.

[derickr]

That seems odd. The whole idea behind pkg_config is that its --includes (or whatever the flag is), shows all the header locations. I don't think we should go check all the headers manually where pkg-config works.

[derickr]

It's possible that your PPA doesn't need the -lcrypto, and just that -lressl-tls contains all of what -lssl and -lcrypt export. I would actually go as far to make sure that we can support your custom PPA, and the normal libressl.

[derickr]

Is the idea to support these later?

[jmikola]

I don't believe so, since Windows builds use config.w32 and will never use Autotools. We do still need to make the substitutions, though.

[derickr]

You've already done the ASN1_STRING_get0_data check earlier. Do you need it twice?

[jmikola]

I believe I forgot to remove this if/else block from the file. The problem with this is that CFLAGS may change depending on whether we found OpenSSL with pkg-config (sets PHP_MONGODB_SSL_CFLAGS) or manual header searching and PHP_CHECK_LIBRARY (sets OPENSSL_INCDIR).

Therefore, this if/else block should be removed and we should only keep the one below here:

if test "x$have_ASN1_STRING_get0_data" = "xyes"; then
   AC_SUBST(MONGOC_HAVE_ASN1_STRING_GET0_DATA, 1)
else
   AC_SUBST(MONGOC_HAVE_ASN1_STRING_GET0_DATA, 0)
fi

[jmikola]

@sibidharan: Since you did such a great job solving the BoringSSL issues, I wonder if you'd be willing to help us test this PR on macOS. I plan to add macOS to our Travis CI matrix, but would still appreciate a fresh set of eyes on it.

This PR introduces a new configure option, --with-mongodb-ssl=[auto/no/openssl/libressl/darwin]. Specifying --with-mongodb-ssl=darwin should allow you to build the driver with its bundled version of libbson and libmongoc and instruct libmongoc to use Secure Transport instead of OpenSSL. This will ultimately remove the need in your BoringSSL workaround to first install libbson and libmongoc as system libraries. Once compiled, you should also be able to verify that the driver is using its bundled libmongoc with Secure Transport via phpinfo() output.

[sibidharan]

That is indeed such a great news @jmikola

I will test it out on all our peer systems running on couple different versions of MacOS.

[jmikola]

@derickr: The last commit adds three macOS environments to the build matrix:

• xcode8.3 with php56 and --with-mongodb-ssl=auto (OpenSSL)
• xcode9.2 with php72 and --with-mongodb-ssl=auto (OpenSSL)
• xcode9.2 with php72 and --with-mongodb-ssl=darwin (Secure Transport)

Note that since we only have a standalone mongod running on Travis, this is only testing that the driver builds successfully and can execute non-SSL code paths. We'll definitely want to do a manually test on a Mac later on.

I've no idea when these will actually complete, as Travis CI status is reporting degraded performance for macOS builds and their backlog appears to consistently be >1000 jobs.

[derickr]

Do we still need to do this?

[jmikola]

While I very much remember the problem with run-tests.php exiting with zero after failures, I don't quite remember what versions of PHP demonstrated the issue. There is evidence of exit(1) going back to PHP-5.3.

I did come across php/php-src@16efc77, which changed the logic for exit(1) in 5.5. Do you recall if this was only an issue up to 5.4 (inclusive)?

If you're able to narrow it down, we can certainly get rid of this.

[jmikola]

I'll narrow this down in a bit and if 5.5+ reports exit codes, we can remove this.

[jmikola]

Confirmed that PHP 5.4 was the last version with this problem. I'll remove this.

[derickr]

Why can this not be LibreSSL?

[jmikola]

See: https://github.com/mongodb/mongo-c-driver/blob/1.9.2/src/mongoc/mongoc-ssl.c#L78

[derickr]

This file isn't one you wrote yourself, right?

[jmikola]

Correct. There may be whitespace issues (mixed tabs and spaces) that I can clean up, though. We imported from libmongoc, but they also pulled it from elsewhere.

[derickr]

Was this always broken like this before? Or do both = and == work (on bash)?

[jmikola]

Bash supports both == and =, but = is POSIX compliant. You'll note from the new shell scripts that I'm aiming to keep things portable with #!/bin/sh and POSIX-friendly syntax.

[derickr]

I can't see where mongo orchestration is installed through in the new code.

[jmikola]

See ef72444d5239f43792a942cd9938b89bb4fbde1c. These were merely artifacts from when Hannes was using Mongo Orchestration locally to spin up test environments (PHPC-128). I found nothing in our current .travis.yml files that actually launched Mongo Orchestration, so this all appears to be dead code.

[jmikola]

@derickr: I borrowed a Macbook (macOS 10.12.5) and verified that I'm able to successfully compile the driver for Secure Transport using --with-mongodb-ssl=darwin. ./configure reports that MONGODB_SHARED_LIBADD includes -framework Security -framework CoreFoundation and phpinfo() reports "Secure Transport" and "Common Crypto". Additionally, I successfully connected to an Atlas cluster with SSL and executed a buildInfo command.

@sibidharan: If you're still able to test, that'd be appreciated; however, you're not holding us up :)

@alcaeus: I expect we'll cut a 1.4.0-RC1 release next week. Would it be possible to update the ext-mongodb formulae to start using --with-mongodb-ssl=darwin soon after?

[derickr]

I've made a PR against yours with a few tweaks:
jmikola#2

Besides that, it looks good and things worked as expected on the platforms I've tried it on (various Debians)

[derickr]

Something is going wrong here, as I can select "darwin" as option on my Linux system and configure doesn't complain. It will of course fail when trying to compile.