fix: rebuild libmongoc with SecureTransport for MongoDB Atlas TLS (#485)

* fix: rebuild libmongoc with SecureTransport for MongoDB Atlas TLS

* Update project.pbxproj

* fix: add changelog entry and SecureTransport deprecation note

Author: datlechin

CHANGELOG.md

@@ -11,6 +11,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Confirmation dialogs for deep link queries, connection imports, and pre-connect scripts
 
+### Fixed
+
+- MongoDB Atlas connections failing with "TLS certificate verify failed" due to missing CA bundle
+
 ## [0.25.0] - 2026-03-27
 
 ### Added

Libs/checksums.sha256

@@ -1,7 +1,7 @@
-064606d4c05f60a73b7bed9574f703d56effde6006a0ada4a660e00e0949bbeb  Libs/libbson_arm64.a
-0f05902d61adec1359c94f12c9bc7a1ceac86f4b492e2d6c02411a5926a0d728  Libs/libbson_universal.a
-2b21d294ed199e46949dfb29d229399d5345c256c39ed07b94a974890fcf5110  Libs/libbson_x86_64.a
-0f05902d61adec1359c94f12c9bc7a1ceac86f4b492e2d6c02411a5926a0d728  Libs/libbson.a
+36e3a521b8da03bafd0f943c4f3b21c8c573bf9d640c6c9e764c0c3632672849  Libs/libbson_arm64.a
+b7716e3f295a54feee85c8771332505be2f9a4a430a088d476d60e358d737c9e  Libs/libbson_universal.a
+1e502e7fb4edc79639140e18d433a1ed1be2931162daecee71a74d09e9f4c550  Libs/libbson_x86_64.a
+b7716e3f295a54feee85c8771332505be2f9a4a430a088d476d60e358d737c9e  Libs/libbson.a
 8d7e31145470a339f4f57930831936db30412393a339598deece6f650214865a  Libs/libcassandra_arm64.a
 9bfd7d7cb4a7ee9823b4c5141e942a8534de63395983388722dc7c98e5d7731e  Libs/libcassandra_universal.a
 7f1d058c77b66273db2b3867103c19f62ed0518fb38611b178ce04029213d5d8  Libs/libcassandra_x86_64.a
@@ -26,10 +26,10 @@ b777f7a42766fb08c8e67b2310c67d2d463d77d3554c6092221c3352778622b2  Libs/libmariad
 5326ed729b287ae5dbbcf073aaa70dce29a73c7431e446d5958271af19dac8d8  Libs/libmariadb_universal.a
 4f7bbb3d73be178d4211c3bd5b2726b4a12db8b808eaa5212bf8e9eb3c570814  Libs/libmariadb_x86_64.a
 5326ed729b287ae5dbbcf073aaa70dce29a73c7431e446d5958271af19dac8d8  Libs/libmariadb.a
-8e587e9ed0b4291345f16a647bc7ed2dc30edbee87b9887eef94098d574aac13  Libs/libmongoc_arm64.a
-553b6636a37886dd44732dddcb97f6e8192dc1b3fbb914042c8da8a9685ce163  Libs/libmongoc_universal.a
-ce569e738c0f62f13906095bc33e10f20d62cd32535db89bc6af6231e86c1632  Libs/libmongoc_x86_64.a
-553b6636a37886dd44732dddcb97f6e8192dc1b3fbb914042c8da8a9685ce163  Libs/libmongoc.a
+9f4c87916ef65eae43b19d7568dc4fd4dffd884dc0cae15913b90965293339a7  Libs/libmongoc_arm64.a
+0d7ddc82dc7327a4b5187ffbc68a1419b5e5ff7b2be7b927e16793eef4d34303  Libs/libmongoc_universal.a
+635705c7dc8d689efdee5ec1bd8a8cbd0d09ae20db0869480271a293d492de50  Libs/libmongoc_x86_64.a
+0d7ddc82dc7327a4b5187ffbc68a1419b5e5ff7b2be7b927e16793eef4d34303  Libs/libmongoc.a
 5dbf2cb5ef37d8adbf607db82461b36a3fd7037c11d891383e6e918378a33d78  Libs/libpgcommon_arm64.a
 3ca491a723b9d9dfc13b815659b44a82253b540dd6b115f03ac68c5154ec26db  Libs/libpgcommon_universal.a
 4bfad7376aefa866d1ed0b7e54966ec6c9d70dcfed928e1311c20321bf08881c  Libs/libpgcommon_x86_64.a

Plugins/MongoDBDriverPlugin/CLibMongoc/include/mongoc/mongoc-config.h

@@ -78,7 +78,7 @@
  * MONGOC_ENABLE_SSL_SECURE_TRANSPORT is set from configure to determine if we are
  * compiled with Native SSL support on Darwin
  */
-#define MONGOC_ENABLE_SSL_SECURE_TRANSPORT 0
+#define MONGOC_ENABLE_SSL_SECURE_TRANSPORT 1
 
 #if MONGOC_ENABLE_SSL_SECURE_TRANSPORT != 1
 #  undef MONGOC_ENABLE_SSL_SECURE_TRANSPORT
@@ -89,7 +89,7 @@
  * MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO is set from configure to determine if we are
  * compiled with Native Crypto support on Darwin
  */
-#define MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO 0
+#define MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO 1
 
 #if MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO != 1
 #  undef MONGOC_ENABLE_CRYPTO_COMMON_CRYPTO
@@ -111,7 +111,7 @@
  * MONGOC_ENABLE_SSL_OPENSSL is set from configure to determine if we are
  * compiled with OpenSSL support.
  */
-#define MONGOC_ENABLE_SSL_OPENSSL 1
+#define MONGOC_ENABLE_SSL_OPENSSL 0
 
 #if MONGOC_ENABLE_SSL_OPENSSL != 1
 #  undef MONGOC_ENABLE_SSL_OPENSSL
@@ -122,7 +122,7 @@
  * MONGOC_ENABLE_CRYPTO_LIBCRYPTO is set from configure to determine if we are
  * compiled with OpenSSL support.
  */
-#define MONGOC_ENABLE_CRYPTO_LIBCRYPTO 1
+#define MONGOC_ENABLE_CRYPTO_LIBCRYPTO 0
 
 #if MONGOC_ENABLE_CRYPTO_LIBCRYPTO != 1
 #  undef MONGOC_ENABLE_CRYPTO_LIBCRYPTO
@@ -164,7 +164,7 @@
 /*
  * Use ASN1_STRING_get0_data () rather than the deprecated ASN1_STRING_data
  */
-#define MONGOC_HAVE_ASN1_STRING_GET0_DATA 1
+#define MONGOC_HAVE_ASN1_STRING_GET0_DATA 0
 
 #if MONGOC_HAVE_ASN1_STRING_GET0_DATA != 1
 #  undef MONGOC_HAVE_ASN1_STRING_GET0_DATA
@@ -338,7 +338,7 @@
  * Set if we have zstd compression support
  *
  */
-#define MONGOC_ENABLE_COMPRESSION_ZSTD 1
+#define MONGOC_ENABLE_COMPRESSION_ZSTD 0
 
 #if MONGOC_ENABLE_COMPRESSION_ZSTD != 1
 #  undef MONGOC_ENABLE_COMPRESSION_ZSTD

TablePro.xcodeproj/project.pbxproj

@@ -2477,8 +2477,10 @@
 					"$(PROJECT_DIR)/Libs/libmongoc.a",
 					"-force_load",
 					"$(PROJECT_DIR)/Libs/libbson.a",
-					"-lssl",
-					"-lcrypto",
+					"-framework",
+					Security,
+					"-framework",
+					CoreFoundation,
 					"-lresolv",
 					"-lz",
 				);
@@ -2517,8 +2519,10 @@
 					"$(PROJECT_DIR)/Libs/libmongoc.a",
 					"-force_load",
 					"$(PROJECT_DIR)/Libs/libbson.a",
-					"-lssl",
-					"-lcrypto",
+					"-framework",
+					Security,
+					"-framework",
+					CoreFoundation,
 					"-lresolv",
 					"-lz",
 				);

scripts/build-libmongoc.sh

@@ -19,8 +19,11 @@ run_quiet() {
 #   libbson_arm64.a, libbson_x86_64.a, libbson_universal.a
 #   libmongoc_arm64.a, libmongoc_x86_64.a, libmongoc_universal.a
 #
-# OpenSSL is built from source to match the app's deployment target,
-# preventing "Symbol not found" crashes from Homebrew-built libraries.
+# Uses macOS SecureTransport (ENABLE_SSL=DARWIN) for TLS so that
+# certificate verification uses the system Keychain automatically.
+# Note: SecureTransport is deprecated by Apple but still functional on
+# macOS 14+. It supports TLS 1.2 (no 1.3). MongoDB Atlas accepts TLS 1.2.
+# libmongoc does not support Network.framework as a TLS backend.
 #
 # All libraries are built with MACOSX_DEPLOYMENT_TARGET=14.0 to match
 # the app's minimum deployment target.
@@ -35,8 +38,6 @@ run_quiet() {
 
 DEPLOY_TARGET="14.0"
 MONGOC_VERSION="1.28.1"
-OPENSSL_VERSION="3.4.1"
-OPENSSL_SHA256="002a2d6b30b58bf4bea46c43bdd96365aaf8daa6c428782aa4feee06da197df3"
 MONGOC_SHA256="a93259840f461b28e198311e32144f5f8dc9fbd74348029f2793774d781bb7da"
 
 ARCH="${1:-both}"
@@ -46,7 +47,7 @@ LIBS_DIR="$PROJECT_DIR/Libs"
 BUILD_DIR="$(mktemp -d)"
 NCPU=$(sysctl -n hw.ncpu)
 
-echo "🔧 Building static libmongoc $MONGOC_VERSION + OpenSSL $OPENSSL_VERSION"
+echo "🔧 Building static libmongoc $MONGOC_VERSION (SecureTransport)"
 echo "   Deployment target: macOS $DEPLOY_TARGET"
 echo "   Architecture: $ARCH"
 echo "   Build dir: $BUILD_DIR"
@@ -61,12 +62,6 @@ trap cleanup EXIT
 download_sources() {
     echo "📥 Downloading source tarballs..."
 
-    if [ ! -f "$BUILD_DIR/openssl-$OPENSSL_VERSION.tar.gz" ]; then
-        curl -fSL "https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VERSION/openssl-$OPENSSL_VERSION.tar.gz" \
-            -o "$BUILD_DIR/openssl-$OPENSSL_VERSION.tar.gz"
-    fi
-    echo "$OPENSSL_SHA256  $BUILD_DIR/openssl-$OPENSSL_VERSION.tar.gz" | shasum -a 256 -c -
-
     if [ ! -f "$BUILD_DIR/mongo-c-driver-$MONGOC_VERSION.tar.gz" ]; then
         curl -fSL "https://github.com/mongodb/mongo-c-driver/releases/download/$MONGOC_VERSION/mongo-c-driver-$MONGOC_VERSION.tar.gz" \
             -o "$BUILD_DIR/mongo-c-driver-$MONGOC_VERSION.tar.gz"
@@ -76,46 +71,8 @@ download_sources() {
     echo "✅ Sources downloaded"
 }
 
-build_openssl() {
-    local arch=$1
-    local prefix="$BUILD_DIR/install-openssl-$arch"
-
-    echo ""
-    echo "🔨 Building OpenSSL $OPENSSL_VERSION for $arch..."
-
-    # Extract fresh copy for this arch
-    rm -rf "$BUILD_DIR/openssl-$OPENSSL_VERSION-$arch"
-    mkdir -p "$BUILD_DIR/openssl-$OPENSSL_VERSION-$arch"
-    tar xzf "$BUILD_DIR/openssl-$OPENSSL_VERSION.tar.gz" -C "$BUILD_DIR/openssl-$OPENSSL_VERSION-$arch" --strip-components=1
-
-    cd "$BUILD_DIR/openssl-$OPENSSL_VERSION-$arch"
-
-    local target
-    if [ "$arch" = "arm64" ]; then
-        target="darwin64-arm64-cc"
-    else
-        target="darwin64-x86_64-cc"
-    fi
-
-    MACOSX_DEPLOYMENT_TARGET=$DEPLOY_TARGET \
-    ./Configure \
-        "$target" \
-        no-shared \
-        no-tests \
-        no-apps \
-        no-docs \
-        --prefix="$prefix" \
-        -mmacosx-version-min=$DEPLOY_TARGET > /dev/null 2>&1
-
-    run_quiet make -j"$NCPU"
-    run_quiet make install_sw
-
-    echo "✅ OpenSSL $arch: $(ls -lh "$prefix/lib/libssl.a" | awk '{print $5}') (libssl) $(ls -lh "$prefix/lib/libcrypto.a" | awk '{print $5}') (libcrypto)"
-}
-
 build_mongoc() {
     local arch=$1
-    local openssl_prefix="$BUILD_DIR/install-openssl-$arch"
     local prefix="$BUILD_DIR/install-mongoc-$arch"
 
     echo ""
@@ -139,12 +96,6 @@ build_mongoc() {
     mkdir -p "$build_dir"
     cd "$build_dir"
 
-    # Resolve OpenSSL library path (may be lib/ or lib64/)
-    local openssl_lib_dir="$openssl_prefix/lib"
-    if [ -f "$openssl_prefix/lib64/libssl.a" ]; then
-        openssl_lib_dir="$openssl_prefix/lib64"
-    fi
-
     run_quiet env MACOSX_DEPLOYMENT_TARGET=$DEPLOY_TARGET \
     cmake .. \
         -DCMAKE_INSTALL_PREFIX="$prefix" \
@@ -159,13 +110,9 @@ build_mongoc() {
         -DENABLE_SRV=ON \
         -DENABLE_ZLIB=SYSTEM \
         -DENABLE_ZSTD=OFF \
-        -DENABLE_SSL=OPENSSL \
+        -DENABLE_SSL=DARWIN \
         -DENABLE_TESTS=OFF \
-        -DENABLE_EXAMPLES=OFF \
-        -DOPENSSL_ROOT_DIR="$openssl_prefix" \
-        -DOPENSSL_INCLUDE_DIR="$openssl_prefix/include" \
-        -DOPENSSL_SSL_LIBRARY="$openssl_lib_dir/libssl.a" \
-        -DOPENSSL_CRYPTO_LIBRARY="$openssl_lib_dir/libcrypto.a"
+        -DENABLE_EXAMPLES=OFF
 
     run_quiet cmake --build . --parallel "$NCPU"
     run_quiet cmake --install .
@@ -226,7 +173,6 @@ create_universal() {
 
 build_for_arch() {
     local arch=$1
-    build_openssl "$arch"
     build_mongoc "$arch"
     install_libs "$arch"
     # Install headers once (they're arch-independent)