Skip to content

PYTHON-5040: Allow cert overrides for all CSFLE KMS servers and add --tls-allow-invalid-certificates#791

Merged
blink1073 merged 9 commits into
mongodb-labs:masterfrom
blink1073:allow-cert-folder-override
Jun 11, 2026
Merged

PYTHON-5040: Allow cert overrides for all CSFLE KMS servers and add --tls-allow-invalid-certificates#791
blink1073 merged 9 commits into
mongodb-labs:masterfrom
blink1073:allow-cert-folder-override

Conversation

@blink1073

@blink1073 blink1073 commented Jun 5, 2026
edited
Loading

Copy link
Copy Markdown
Member

PYTHON-5040

Tested with mongodb/mongo-python-driver#2846

Summary

Allows drivers to supply custom TLS certificates for all CSFLE KMS mock servers, enabling drivers that maintain their own test certs to point the mock servers at them. Also adds a --tls-allow-invalid-certificates flag to drivers_orchestration.py for macOS, where Apple SecTrust performs OCSP checks on test certificates.

Changes in this PR

  • Extended cert file overrides to cover all KMS mock servers, following the same pattern used for existing overrides. Default paths are unchanged.
  • Added a --tls-allow-invalid-certificates flag to drivers_orchestration.py for macOS, where Apple SecTrust performs OCSP checks.

Test Plan

Callers can export the affected environment variables before running setup-secrets.sh to point the mock servers at custom certificates.

Checklist

Checklist for Author

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
  • Is all relevant documentation (README or docstring) updated?

Checklist for Reviewer

  • Does the title of the PR reference a JIRA Ticket?
  • Do you fully understand the implementation? (Would you be comfortable explaining how this code works to someone else?)
  • Is all relevant documentation (README or docstring) updated?

@blink1073
PYTHON-5040 Allow wrong-host.pem and expired.pem to be overridden in …
84e6862 
…csfle scripts

Adds CSFLE_TLS_EXPIRED_FILE and CSFLE_TLS_WRONG_HOST_FILE env vars
following the same override pattern as CSFLE_TLS_CA_FILE and friends.
@blink1073 blink1073 mentioned this pull request Jun 5, 2026
Draft
6 tasks
blink1073 added 5 commits June 4, 2026 19:48
@blink1073
Allow CSFLE_TLS_CERT_FILE/CSFLE_TLS_CA_FILE to override failpoint ser…
eab9fc4 
…ver certs
@blink1073
PYTHON-5040 Disable TLS revocation check on macOS via env var
d22307c 
Add TLS_DISABLE_CERTIFICATE_REVOCATION_CHECK env var support to
_get_cluster_options so callers can inject --tlsDisableCertificateRevocationCheck
into mongod args without modifying orchestration config files. This avoids
CSSMERR_TP_CERT_SUSPENDED on macOS where MongoDB Enterprise enforces OCSP
with kSecRevocationRequirePositiveResponse.
@blink1073
PYTHON-5040 Add --tls-disable-certificate-revocation-check flag to dr…
9ee819a 
…ivers-orchestration

Add a standard --tls-disable-certificate-revocation-check flag (also settable
via TLS_DISABLE_CERTIFICATE_REVOCATION_CHECK env var) that injects
tlsDisableCertificateRevocationCheck into sslParams. Handles both the
mongodb-runner path (via the existing sslParams loop) and the
mongo-orchestration path (via the HTTP config payload). Avoids
CSSMERR_TP_CERT_SUSPENDED on macOS where MongoDB Enterprise enforces OCSP
with kSecRevocationRequirePositiveResponse.
@blink1073
PYTHON-5040 Use setParameter for tlsDisableCertificateRevocationCheck
43d0869 
--tlsDisableCertificateRevocationCheck is not a valid direct mongod CLI flag;
it must be passed as --setParameter tlsDisableCertificateRevocationCheck=1.
Special-case it in the sslParams processing loop.
@blink1073
PYTHON-5040 Inject --tlsAllowInvalidCertificates to bypass OCSP on macOS
9e363cd 
tlsDisableCertificateRevocationCheck does not exist in MongoDB 8.x as either
a direct CLI flag or a setParameter. Use --tlsAllowInvalidCertificates instead,
which is a valid mongod CLI flag that skips certificate verification for
inter-node TLS connections, bypassing macOS OCSP enforcement
(CSSMERR_TP_CERT_SUSPENDED) without affecting Python client cert verification.

Rename the drivers-orchestration flag to --tls-allow-invalid-certificates to
reflect the underlying mongod parameter.
@blink1073 blink1073 changed the title PYTHON-5040: Allow wrong-host.pem and expired.pem to be overridden in csfle scripts PYTHON-5040: Allow cert file overrides for all CSFLE KMS servers Jun 11, 2026
@blink1073 blink1073 changed the title PYTHON-5040: Allow cert file overrides for all CSFLE KMS servers PYTHON-5040: Allow cert overrides for all CSFLE KMS servers and add --tls-allow-invalid-certificates Jun 11, 2026
@blink1073 blink1073 requested a review from eramongodb June 11, 2026 13:44
@blink1073 blink1073 marked this pull request as ready for review June 11, 2026 13:44
eramongodb
eramongodb requested changes Jun 11, 2026
View reviewed changes
Comment thread .evergreen/orchestration/drivers_orchestration.py Outdated
Comment thread .evergreen/orchestration/drivers_orchestration.py Outdated
blink1073 and others added 2 commits June 11, 2026 12:32
@blink1073 blink1073 requested a review from eramongodb June 11, 2026 17:56
eramongodb
eramongodb approved these changes Jun 11, 2026
View reviewed changes

@eramongodb eramongodb left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Another minor doc wording suggestion; otherwise, LGTM.

Comment thread .evergreen/orchestration/drivers_orchestration.py Outdated
@blink1073 @eramongodb
Update .evergreen/orchestration/drivers_orchestration.py
f873d0a 
Co-authored-by: Ezra Chung <88335979+eramongodb@users.noreply.github.com>
@blink1073 blink1073 merged commit 30b3f00 into mongodb-labs:master Jun 11, 2026
74 of 75 checks passed
@blink1073 blink1073 deleted the allow-cert-folder-override branch June 11, 2026 19:15
@blink1073

blink1073 commented Jun 11, 2026

Copy link
Copy Markdown
Member Author

Thanks @eramongodb!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eramongodb eramongodb eramongodb approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@blink1073 @eramongodb