CDRIVER-6045 Support TLS v1.3 in Secure Channel #2118

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merged

Julia-Garland merged 31 commits into mongodb:master from Julia-Garland:cdriver-6045

Oct 6, 2025

Contributor

Julia-Garland commented Sep 17, 2025 •

edited

Loading

Summary

Enable TLS 1.3 in the C driver when using Windows Secure Channel as the TLS implementation (default on Windows).

Changes

Switch from SCHANNEL_CRED to SCH_CREDENTIALS (supported on Windows 10 1809 / Windows Server 1809 and newer).
Enable TLS 1.3 for Windows 11 / Windows Server 2022 and newer (when using SCH_CREDENTIALS)

Used libcurl as a reference.

(In a second PR)
Secure Channel with TLS 1.3 may use the renegotiate status for internal use; instructions on how to handle this are given in Windows documentation.


          Switch to SCH_CREDENTIALS

c5cae48

Julia-Garland self-assigned this

Julia-Garland added 26 commits

September 17, 2025 18:56


          Move winternl.h above schannel.h

df6308c


          Fix test

0767a31


          Use subauth instead of winternl

1a4c08b


          Enable TLS 1.3 for Windows Server 2022 and newer

68b306a


          Remove erroneous &

9c62ea9


          Revert "Remove erroneous &"

9f05bd3

This reverts commit 9c62ea9.


          Modify tls_params allocation

05823c9


          Only use SCH_CREDENTIALS post-Windows Server 2019

d69e630


          Merge branch 'master' into cdriver-6045

7e536be


          Simplify preprocessor statement

cb71275


          More specific version check for 1.3 + introduce MONGOC_HAVE_SCH_CREDE…

08e8cb5

…NTIALS


          Fix scope of HAVE_SCH_CREDENTIALS check

c8e3d64


          Generic windows version function

f5cbb99


          Newline at end of file

757880b


          Fix ver_set_condition call

705c1f2


          Debug

dab537d


          Malloc cred->cred

1dc7f70


          Remove & in acquire cred handle

e667f6d


          Refactor setup logic

c2ee9d5


          Add accidentally deleted lines

95b5584


          Fix bug with paCred

34e0b61


          Cleanup

a4b302d


          Remove cmake msgs

337329c


          Fix pointer bug with cert

475f08a


          More accurate version checking using Rtl variant

1e90324


          Format

807c5e4

Julia-Garland marked this pull request as ready for review

September 26, 2025 14:42

Julia-Garland requested a review from a team as a code owner

September 26, 2025 14:42

Julia-Garland requested review from mdb-ad and kevinAlbs

September 26, 2025 14:42

kevinAlbs reviewed

View reviewed changes

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-config.h.in Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-version-functions.h Outdated Show resolved Hide resolved

src/libmongoc/CMakeLists.txt Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-version-functions.c Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c Outdated Show resolved Hide resolved

Julia-Garland added 2 commits

September 29, 2025 18:21


          KA suggestions

62f8415


          Format

ddf9c75

Julia-Garland requested a review from kevinAlbs

September 29, 2025 18:49

kevinAlbs approved these changes

View reviewed changes

Collaborator

kevinAlbs left a comment

LGTM with minor comments. Suggested adding a test in Evergreen to add some CI coverage for TLS v1.3 to Atlas, but that may be better done later since it needs renegotiation implemented to pass.

src/libmongoc/src/mongoc/mongoc-config.h.in Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel-private.h Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-stream-tls-secure-channel.c

    
                 DWORD enabled_protocols = SP_PROT_TLS1_1_CLIENT | SP_PROT_TLS1_2_CLIENT;

                 /* TLS 1.3 is supported on Windows Server 2022 and newer.

Collaborator

kevinAlbs Sep 30, 2025

Evergreen tasks do not appear to test TLS 1.3 against cloud-dev (even when enabled). I expect that is why when TLS 1.3 was enabled without renegotiation, Evergreen still passed.

The authentication-tests-winssl task that tests connecting to cloud-dev here

Suggest (either here or in later PR) adding an Evergreen task to test cloud-dev with TLS 1.3. I expect that would mean:

Copy the VS 2017 variant to test VS 2022. Limit it to testing ".authentication-tests .winssl".
Regenerate the Evergreen config (see docs)

src/libmongoc/CMakeLists.txt Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-util.c Outdated Show resolved Hide resolved

src/libmongoc/src/mongoc/mongoc-util-private.h Outdated Show resolved Hide resolved

Julia-Garland added 2 commits

October 1, 2025 15:00


          Improvements

49e4095


          Missing WIN32 check

c88434e

mdb-ad approved these changes

View reviewed changes

Julia-Garland merged commit 5cb30b9 into mongodb:master

44 of 46 checks passed

Julia-Garland mentioned this pull request

CDRIVER-6045 Support TLS v1.3 in Secure Channel #2141

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet