Skip to content

Commit 637ce77

Browse files
committed
PYTHON-5040 Clarify comments about macOS SecTrust and cert env vars
1 parent 15d7c48 commit 637ce77

4 files changed

Lines changed: 5 additions & 3 deletions

File tree

.github/workflows/test-python.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -226,6 +226,8 @@ jobs:
226226
with:
227227
ssl: true
228228
env:
229+
# drivers-evergreen-tools invokes run-mongodb.sh directly (not via
230+
# run_server.py), so cert paths must be provided explicitly here.
229231
TLS_PEM_KEY_FILE: ${{ github.workspace }}/test/certificates/server.pem
230232
TLS_CA_FILE: ${{ github.workspace }}/test/certificates/ca.pem
231233
TLS_CERT_KEY_FILE: ${{ github.workspace }}/test/certificates/client.pem

test/asynchronous/test_encryption.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3049,7 +3049,7 @@ async def http_post(self, path, data=None):
30493049
# X509_V_FLAG_X509_STRICT is not set. Python 3.14 enables strict mode
30503050
# in create_default_context, which requires SKI on the root CA cert.
30513051
# We intentionally omit SKI from the CA cert to prevent macOS SecTrust
3052-
# from triggering OCSP revocation checks during MongoDB 4.2 server startup.
3052+
# from triggering OCSP revocation checks during MongoDB server startup.
30533053
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
30543054
ctx.load_verify_locations(cafile=CA_PEM)
30553055
ctx.load_cert_chain(CLIENT_PEM)

test/certificates/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -61,6 +61,6 @@ macOS and Windows with Python 3.13+. The root causes were:
6161

6262
The CA cert intentionally omits SKI even though strict mode would normally require it on all
6363
certs: adding SKI to the CA triggers macOS SecTrust OCSP revocation checks on the MongoDB server
64-
startup path (MongoDB 4.2 Enterprise uses Apple SecTrust), causing ~67-second connection
64+
startup path (MongoDB Enterprise on macOS uses Apple SecTrust), causing ~67-second connection
6565
timeouts. KMS connections bypass this by using `ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)` instead
6666
of `ssl.create_default_context()`, which does not enable strict mode.

test/test_encryption.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -3031,7 +3031,7 @@ def http_post(self, path, data=None):
30313031
# X509_V_FLAG_X509_STRICT is not set. Python 3.14 enables strict mode
30323032
# in create_default_context, which requires SKI on the root CA cert.
30333033
# We intentionally omit SKI from the CA cert to prevent macOS SecTrust
3034-
# from triggering OCSP revocation checks during MongoDB 4.2 server startup.
3034+
# from triggering OCSP revocation checks during MongoDB server startup.
30353035
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
30363036
ctx.load_verify_locations(cafile=CA_PEM)
30373037
ctx.load_cert_chain(CLIENT_PEM)

0 commit comments

Comments
 (0)