CDRIVER-5693 drop support for LibreSSL (#1931)

Author: kevinAlbs

.evergreen/config_generator/components/earthly.py

@@ -36,7 +36,7 @@
 # Other options: SSPI (Windows only), AUTO (not reliably test-able without more environments)
 SASLOption = Literal["Cyrus", "off"]
 "Valid options for the SASL configuration parameter"
-TLSOption = Literal["LibreSSL", "OpenSSL", "off"]
+TLSOption = Literal["OpenSSL", "off"]
 "Options for the TLS backend configuration parameter (AKA 'ENABLE_SSL')"
 CxxVersion = Literal["r4.0.0", "none"]
 "C++ driver refs that are under CI test"
@@ -142,9 +142,6 @@ def task_filter(env: EarthlyVariant, conf: Configuration) -> bool:
     configuration values.
     """
     match env, conf:
-        # Ubuntu and CentOS do not ship with a LibreSSL package:
-        case e, (_sasl, "LibreSSL", _cxx) if re.match(r"^Ubuntu|^CentOS", e.display_name):
-            return False
         # u16/centos7 are not capable of building mongocxx
         case e, (_sasl, _tls, cxx) if re.match(r"^Ubuntu 16|^CentOS 7", e.display_name):
             # Only build if C++ driver is test is disabled

.evergreen/generated_configs/legacy-config.yml

@@ -1576,63 +1576,6 @@ tasks:
         env SASL=OFF SSL=OPENSSL .evergreen/scripts/compile.sh
   - func: run auth tests
   - func: upload-build
-- name: build-and-run-authentication-tests-libressl-2.5
-  commands:
-  - func: install ssl
-    vars:
-      SSL: libressl-2.5.2
-  - func: find-cmake-latest
-  - command: shell.exec
-    type: test
-    params:
-      working_dir: mongoc
-      add_expansions_to_env: true
-      shell: bash
-      script: |-
-        set -o errexit
-        env SASL=OFF SSL=LIBRESSL .evergreen/scripts/compile.sh
-  - func: run auth tests
-    vars:
-      require_tls12: true
-  - func: upload-build
-- name: build-and-run-authentication-tests-libressl-3.0-auto
-  commands:
-  - func: install ssl
-    vars:
-      SSL: libressl-3.0.2
-  - func: find-cmake-latest
-  - command: shell.exec
-    type: test
-    params:
-      working_dir: mongoc
-      add_expansions_to_env: true
-      shell: bash
-      script: |-
-        set -o errexit
-        env SASL=OFF SSL=AUTO .evergreen/scripts/compile.sh
-  - func: run auth tests
-    vars:
-      require_tls12: true
-  - func: upload-build
-- name: build-and-run-authentication-tests-libressl-3.0
-  commands:
-  - func: install ssl
-    vars:
-      SSL: libressl-3.0.2
-  - func: find-cmake-latest
-  - command: shell.exec
-    type: test
-    params:
-      working_dir: mongoc
-      add_expansions_to_env: true
-      shell: bash
-      script: |-
-        set -o errexit
-        env SASL=OFF SSL=LIBRESSL .evergreen/scripts/compile.sh
-  - func: run auth tests
-    vars:
-      require_tls12: true
-  - func: upload-build
 - name: test-latest-server-ipv6-client-ipv6-noauth-nosasl-nossl
   tags:
   - ipv4-ipv6
@@ -16404,16 +16347,13 @@ buildvariants:
   tags:
   - pr-merge-gate
 - name: openssl
-  display_name: OpenSSL / LibreSSL
+  display_name: OpenSSL
   run_on: archlinux-build
   tasks:
   - build-and-run-authentication-tests-openssl-1.0.1
   - build-and-run-authentication-tests-openssl-1.0.2
   - build-and-run-authentication-tests-openssl-1.1.0
   - build-and-run-authentication-tests-openssl-1.0.1-fips
-  - build-and-run-authentication-tests-libressl-2.5
-  - build-and-run-authentication-tests-libressl-3.0-auto
-  - build-and-run-authentication-tests-libressl-3.0
 - name: clang37
   display_name: clang 3.7 (Archlinux)
   expansions:

.evergreen/generated_configs/tasks.yml

@@ -1097,46 +1097,6 @@ tasks:
   - name: check-headers
     commands:
       - func: check-headers
-  - name: "check:sasl=Cyrus\_\u2022\_tls=LibreSSL\_\u2022\_test_mongocxx_ref=r4.0.0"
-    run_on:
-      - ubuntu2204-large
-      - debian10-large
-      - debian11-large
-      - amazon2
-    tags: [earthly, pr-merge-gate, alpine3.16-clang, alpine3.16-gcc, alpine3.17-clang, alpine3.17-gcc, alpine3.18-clang, alpine3.18-gcc, alpine3.19-clang, alpine3.19-gcc, archlinux-clang, archlinux-gcc]
-    commands:
-      - command: subprocess.exec
-        type: setup
-        params:
-          binary: bash
-          args:
-            - -c
-            - docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}"
-      - command: subprocess.exec
-        type: setup
-        params:
-          binary: ./tools/earthly.sh
-          working_dir: mongoc
-          args:
-            - +env-warmup
-            - --sasl=Cyrus
-            - --tls=LibreSSL
-            - --test_mongocxx_ref=r4.0.0
-            - --env=${MONGOC_EARTHLY_ENV}
-            - --c_compiler=${MONGOC_EARTHLY_C_COMPILER}
-      - command: subprocess.exec
-        type: test
-        params:
-          binary: ./tools/earthly.sh
-          working_dir: mongoc
-          args:
-            - +run
-            - --targets=test-example test-cxx-driver
-            - --sasl=Cyrus
-            - --tls=LibreSSL
-            - --test_mongocxx_ref=r4.0.0
-            - --env=${MONGOC_EARTHLY_ENV}
-            - --c_compiler=${MONGOC_EARTHLY_C_COMPILER}
   - name: "check:sasl=Cyrus\_\u2022\_tls=OpenSSL\_\u2022\_test_mongocxx_ref=none"
     run_on:
       - ubuntu2204-large
@@ -1297,46 +1257,6 @@ tasks:
             - --test_mongocxx_ref=r4.0.0
             - --env=${MONGOC_EARTHLY_ENV}
             - --c_compiler=${MONGOC_EARTHLY_C_COMPILER}
-  - name: "check:sasl=off\_\u2022\_tls=LibreSSL\_\u2022\_test_mongocxx_ref=r4.0.0"
-    run_on:
-      - ubuntu2204-large
-      - debian10-large
-      - debian11-large
-      - amazon2
-    tags: [earthly, pr-merge-gate, alpine3.16-clang, alpine3.16-gcc, alpine3.17-clang, alpine3.17-gcc, alpine3.18-clang, alpine3.18-gcc, alpine3.19-clang, alpine3.19-gcc, archlinux-clang, archlinux-gcc]
-    commands:
-      - command: subprocess.exec
-        type: setup
-        params:
-          binary: bash
-          args:
-            - -c
-            - docker login -u "${artifactory_username}" --password-stdin artifactory.corp.mongodb.com <<<"${artifactory_password}"
-      - command: subprocess.exec
-        type: setup
-        params:
-          binary: ./tools/earthly.sh
-          working_dir: mongoc
-          args:
-            - +env-warmup
-            - --sasl=off
-            - --tls=LibreSSL
-            - --test_mongocxx_ref=r4.0.0
-            - --env=${MONGOC_EARTHLY_ENV}
-            - --c_compiler=${MONGOC_EARTHLY_C_COMPILER}
-      - command: subprocess.exec
-        type: test
-        params:
-          binary: ./tools/earthly.sh
-          working_dir: mongoc
-          args:
-            - +run
-            - --targets=test-example test-cxx-driver
-            - --sasl=off
-            - --tls=LibreSSL
-            - --test_mongocxx_ref=r4.0.0
-            - --env=${MONGOC_EARTHLY_ENV}
-            - --c_compiler=${MONGOC_EARTHLY_C_COMPILER}
   - name: "check:sasl=off\_\u2022\_tls=OpenSSL\_\u2022\_test_mongocxx_ref=none"
     run_on:
       - ubuntu2204-large

.evergreen/legacy_config_generator/evergreen_config_lib/tasks.py

@@ -55,7 +55,7 @@ def __init__(
         CFLAGS: str | None = None,
         LDFLAGS: str | None = None,
         EXTRA_CONFIGURE_FLAGS: str | None = None,
-        SSL: Literal["WINDOWS", "DARWIN", "OPENSSL", "OPENSSL_STATIC", "LIBRESSL", "OFF", None] = None,
+        SSL: Literal["WINDOWS", "DARWIN", "OPENSSL", "OPENSSL_STATIC", "OFF", None] = None,
         ENABLE_SHM_COUNTERS: OptToggleStr = None,
         CHECK_LOG: OptToggleStr = None,
         TRACING: OptToggleStr = None,
@@ -773,8 +773,6 @@ def __init__(
 
         if enable_ssl is not False:
             script += " SSL=" + enable_ssl
-        elif "libressl" in version:
-            script += " SSL=LIBRESSL"
         else:
             script += " SSL=OPENSSL"
 
@@ -818,10 +816,7 @@ def name(self):
             "l",
             cflags="-Wno-redundant-decls",
         ),
-        SSLTask("openssl-1.1.0", "l"),
-        SSLTask("libressl-2.5", ".2", test_params=dict(require_tls12=True)),
-        SSLTask("libressl-3.0", ".2", enable_ssl="AUTO", test_params=dict(require_tls12=True)),
-        SSLTask("libressl-3.0", ".2", test_params=dict(require_tls12=True)),
+        SSLTask("openssl-1.1.0", "l")
     ],
 )
 

.evergreen/legacy_config_generator/evergreen_config_lib/variants.py

@@ -82,16 +82,13 @@ def days(n: int) -> int:
     ),
     Variant(
         "openssl",
-        "OpenSSL / LibreSSL",
+        "OpenSSL",
         "archlinux-build",
         [
             "build-and-run-authentication-tests-openssl-1.0.1",
             "build-and-run-authentication-tests-openssl-1.0.2",
             "build-and-run-authentication-tests-openssl-1.1.0",
-            "build-and-run-authentication-tests-openssl-1.0.1-fips",
-            "build-and-run-authentication-tests-libressl-2.5",
-            "build-and-run-authentication-tests-libressl-3.0-auto",
-            "build-and-run-authentication-tests-libressl-3.0",
+            "build-and-run-authentication-tests-openssl-1.0.1-fips"
         ],
         {},
     ),

.evergreen/scripts/build-and-test-with-toolchain.sh

@@ -35,8 +35,6 @@ toolchain_base_dir="$(readlink -f /opt/mongo-c-toolchain)"
 declare toolchain_lib_dir="${toolchain_base_dir}/lib"
 
 declare -a ssl_vers=(
-  "libressl-2.5"
-  "libressl-3.0"
   "openssl-1.0.1"
   "openssl-1.0.1-fips"
   "openssl-1.0.2"
@@ -60,11 +58,7 @@ for ssl_ver in "${ssl_vers[@]}"; do
   "${cmake_binary}" --version
 
   declare ssl
-  if [[ "${ssl_ver#*libressl}" != "${ssl_ver}" ]]; then
-    ssl="LIBRESSL"
-  else
-    ssl="OPENSSL"
-  fi
+  ssl="OPENSSL"
 
   declare output_file
   output_file="$(mktemp)"

.evergreen/scripts/install-ssl.sh

@@ -81,18 +81,6 @@ install_openssl_fips() {
   install_openssl
 }
 
-install_libressl() {
-  curl --retry 5 -o ssl.tar.gz "https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/${SSL}.tar.gz"
-  tar zxf ssl.tar.gz
-  pushd "${SSL}"
-  (
-    set -o xtrace
-    ./configure --prefix="${install_dir}"
-    make -s -j "${njobs}" install
-  ) >/dev/null
-  popd # "${SSL}"
-}
-
 case "${SSL}" in
 openssl-*-fips)
   export LC_ALL
@@ -106,7 +94,4 @@ openssl-*)
   install_openssl
   ;;
 
-libressl-*)
-  install_libressl
-  ;;
 esac

.evergreen/scripts/run-auth-tests.sh

@@ -68,7 +68,7 @@ fi
 
 # Archlinux (which we use for testing various self-installed OpenSSL versions)
 # stores their trust list under /etc/ca-certificates/extracted/.
-# We need to copy it to our custom installed OpenSSL/LibreSSL trust store.
+# We need to copy it to our custom installed OpenSSL trust store.
 declare pem_file="/etc/ca-certificates/extracted/tls-ca-bundle.pem"
 if [[ -f "${pem_file}" ]]; then
   [[ ! -d "${install_dir}" ]] || cp -v "${pem_file}" "${install_dir}/cert.pem"

CMakeLists.txt

@@ -112,15 +112,13 @@ mongo_bool_setting(USE_BUNDLED_UTF8PROC "Enable building with utf8proc. Needed f
                    ADVANCED)
 mongo_setting(
    ENABLE_SSL [[Enable TLS connection and SCRAM authentication.]]
-   OPTIONS WINDOWS DARWIN OPENSSL LIBRESSL OFF AUTO
+   OPTIONS WINDOWS DARWIN OPENSSL OFF AUTO
    DEFAULT VALUE AUTO
    VALIDATE CODE [[
       if(ENABLE_SSL STREQUAL "DARWIN" AND NOT APPLE)
          message(WARNING "ENABLE_SSL=DARWIN is only supported on Apple platforms")
       elseif(ENABLE_SSL STREQUAL "WINDOWS" AND NOT WIN32)
          message(WARNING "ENABLE_SSL=WINDOWS is only supported on Windows platforms")
-      elseif (ENABLE_SSL STREQUAL "LIBRESSL")
-         message(DEPRECATION "ENABLE_SSL=LIBRESSL is deprecated and may be removed in a future major release")
       endif()
    ]]
 )

Earthfile

@@ -161,15 +161,6 @@ multibuild:
         --sasl=Cyrus --sasl=off \
         --c_compiler=gcc --c_compiler=clang \
         --test_mongocxx_ref=master
-    # Note: At time of writing, Ubuntu does not support LibreSSL, so run those
-    #   tests on a separate BUILD line that does not include Ubuntu:
-    BUILD +run --targets "test-example" \
-        --env=alpine3.16 --env=alpine3.17 --env=alpine3.18 --env=alpine3.19 \
-        --env=archlinux \
-        --tls=LibreSSL \
-        --sasl=Cyrus --sasl=off \
-        --c_compiler=gcc --c_compiler=clang \
-        --test_mongocxx_ref=master
 
 # release-archive :
 #   Create a release archive of the source tree. (Refer to dev docs)

NEWS

@@ -8,6 +8,23 @@ Unreleased (2.0.0)
   was ignored.
 * `bson_oid_init_sequence` is removed. Use `bson_oid_init` instead.
 * `mongoc_server_description_host` changes the return type from `mongoc_host_list_t *` to `const mongoc_host_list_t *`.
+* URI authentication credentials validation (only applicable during creation of a new `mongoc_uri_t` object from a connection string):
+  * `authMechanism` is now validated and returns a client error for invalid or unsupported values.
+  * `authSource` is now validated and returns a client error for invalid or unsupported values for the specified `authMechanism`.
+  * `authSource` is now correctly defaulted to `"$external"` for MONGODB-AWS (instead of the database name or `"admin"`).
+  * The requirement that a password is provided is now enforced when the authentication mechanism is specified for:
+    * PLAIN
+    * SCRAM-SHA-1
+    * SCRAM-SHA-256
+* The requirement that neither or both a username and password is provided (optionally with a `AWS_SESSION_TOKEN`) is now enforced for MONGODB-AWS.
+* `authMechanismProperties` is now prohibited (instead of ignored) when the authentication mechanism is specified for:
+  * PLAIN
+  * SCRAM-SHA-1
+  * SCRAM-SHA-256
+  * MONGODB-X509
+* `authMechanismProperties` is now validated and returns a client error for invalid or unsupported fields when the authentication mechanism is specified for:
+  * GSSAPI: supported fields are SERVICE_NAME, CANONICALIZE_HOST_NAME, SERVICE_REALM, and SERVICE_HOST.
+  * MONGODB-AWS: supported fields are AWS_SESSION_TOKEN.
 
 ## Removals
 
@@ -23,6 +40,7 @@ Unreleased (2.0.0)
 * `mongoc_cursor_is_alive` is removed. Use the equivalent `mongoc_cursor_more` instead.
 * `mongoc_collection_delete` is removed. Use `mongoc_collection_delete_one` or `mongoc_collection_delete_many` instead.
 * `mongoc_delete_flags_t` and `mongoc_reply_flags_t` are removed.
+* Support for LibreSSL (the CMake option `ENABLE_SSL=LIBRESSL`) is removed. Associated API is removed (`MONGOC_ENABLE_SSL_LIBRESSL` and  `mongoc_stream_tls_libressl_new`).
 
 ### Forwarding headers (`#include <bson.h>` and `#include <mongoc.h>`)
 
@@ -41,25 +59,6 @@ Instead, the names must be prefixed with the parent directory: `mongoc/mongoc.h`
 ```
 
 
-Changes:
-
-  * URI authentication credentials validation (only applicable during creation of a new `mongoc_uri_t` object from a connection string):
-    * `authMechanism` is now validated and returns a client error for invalid or unsupported values.
-    * `authSource` is now validated and returns a client error for invalid or unsupported values for the specified `authMechanism`.
-    * `authSource` is now correctly defaulted to `"$external"` for MONGODB-AWS (instead of the database name or `"admin"`).
-    * The requirement that a password is provided is now enforced when the authentication mechanism is specified for:
-      * PLAIN
-      * SCRAM-SHA-1
-      * SCRAM-SHA-256
-    * The requirement that neither or both a username and password is provided (optionally with a `AWS_SESSION_TOKEN`) is now enforced for MONGODB-AWS.
-    * `authMechanismProperties` is now prohibited (instead of ignored) when the authentication mechanism is specified for:
-      * PLAIN
-      * SCRAM-SHA-1
-      * SCRAM-SHA-256
-      * MONGODB-X509
-    * `authMechanismProperties` is now validated and returns a client error for invalid or unsupported fields when the authentication mechanism is specified for:
-      * GSSAPI: supported fields are SERVICE_NAME, CANONICALIZE_HOST_NAME, SERVICE_REALM, and SERVICE_HOST.
-      * MONGODB-AWS: supported fields are AWS_SESSION_TOKEN.
 
 libmongoc 1.30.2
 ================