Import tools: 4c5314b404c2d7aac7ceb50133faa3ac4fc3d2ea from branch v3.4

ref: 4f093ae71c..4c5314b404
for: 3.4.15

TOOLS-1665    Mongotools may block forever on dead connections
TOOLS-17      mongodump --oplog should record the end oplog entry before backing up the oplog
TOOLS-1704    Update mongo-tools projects to use macos-1012 distro instead of osx-1010
TOOLS-1706    mongoreplay cannot safely terminate on one core
TOOLS-1779    stop building tools on solaris on all branches
TOOLS-1780    Build tools with Go 1.8.x
TOOLS-1941    Tools qa-tests often timeout, particularly on server latests
TOOLS-1948    Use Go-native TLS dialer on platforms with openssl 0.9.x
TOOLS-1968    Backport - Need to update spacemonkeygo/openssl fork to support newer OpenSSL libraries
TOOLS-1978    tools fail eslint testing
TOOLS-2003    Drop SUSE11 from Evergreen builds
TOOLS-2008    Tests fail on v3.4-master branch

76 files changed, 2089 insertions, 408 deletions

diff --git a/src/mongo/gotools/Godeps b/src/mongo/gotools/Godeps
index 8a0702bafda..df3fb3305dc 100644
--- a/src/mongo/gotools/Godeps
+++ b/src/mongo/gotools/Godeps
@@ -6,7 +6,7 @@ github.com/smartystreets/assertions     287b4346dc4e71a038c346375a9d572453bc469b
 github.com/smartystreets/goconvey       bf58a9a1291224109919756b4dcc469c670cc7e4
 github.com/jessevdk/go-flags            97448c91aac742cbca3d020b3e769013a420a06f
 github.com/3rf/mongo-lint               3550fdcf1f43b89aaeabaa4559eaae6dc4407e42
-github.com/spacemonkeygo/openssl        2869e8ca1a6eb35fb727f41611fd52b55cd0f49c    github.com/10gen/openssl
+github.com/10gen/openssl                b7dbd48f71d65f519f8fb7d71f5f24e6eb766286
 github.com/spacemonkeygo/spacelog       f936fb050dc6b5fe4a96b485a6f069e8bdc59aeb
 github.com/howeyc/gopass                44476384cd4721b68705e72f19e95d1a3a504370
 github.com/nsf/termbox-go               0723e7c3d0a317dea811f0fbe4d6edd81908c971
diff --git a/src/mongo/gotools/THIRD-PARTY-NOTICES b/src/mongo/gotools/THIRD-PARTY-NOTICES
index 76e6e2520e0..c17f7956a8b 100644
--- a/src/mongo/gotools/THIRD-PARTY-NOTICES
+++ b/src/mongo/gotools/THIRD-PARTY-NOTICES
@@ -741,3 +741,520 @@ third-party archives.
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
+
+
+License notice for golang.org/x/crypto
+------------------------------------------------------------
+
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+License notice for gopkg.in/mgo.v2
+------------------------------------------------------------
+
+mgo - MongoDB driver for Go
+
+Copyright (c) 2010-2013 - Gustavo Niemeyer <gustavo@niemeyer.net>
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met: 
+
+1. Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer. 
+2. Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution. 
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+License notice for gopkg.in/tomb.v2
+------------------------------------------------------------
+
+tomb - support for clean goroutine termination in Go.
+
+Copyright (c) 2010-2011 - Gustavo Niemeyer <gustavo@niemeyer.net>
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+      this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright notice,
+      this list of conditions and the following disclaimer in the documentation
+      and/or other materials provided with the distribution.
+    * Neither the name of the copyright holder nor the names of its
+      contributors may be used to endorse or promote products derived from
+      this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License notice for github.com/mattn/go-runewidth
+------------------------------------------------------------
+
+Copyright © 2013-2017 Yasuhiro Matsumoto, http://mattn.kaoriya.net
+<mattn.jp@gmail.com>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+License notice for JSON and CSV code from github.com/golang/go
+------------------------------------------------------------
+
+Copyright (c) 2009 The Go Authors. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+License notice for github.com/hashicorp/go-rootcerts
+----------------------------------------------------
+
+Mozilla Public License, version 2.0
+
+1. Definitions
+
+1.1. "Contributor"
+
+     means each individual or legal entity that creates, contributes to the
+     creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+
+     means the combination of the Contributions of others (if any) used by a
+     Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+
+     means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+
+     means Source Code Form to which the initial Contributor has attached the
+     notice in Exhibit A, the Executable Form of such Source Code Form, and
+     Modifications of such Source Code Form, in each case including portions
+     thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+     means
+
+     a. that the initial Contributor has attached the notice described in
+        Exhibit B to the Covered Software; or
+
+     b. that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the terms of
+        a Secondary License.
+
+1.6. "Executable Form"
+
+     means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+
+     means a work that combines Covered Software with other material, in a
+     separate file or files, that is not Covered Software.
+
+1.8. "License"
+
+     means this document.
+
+1.9. "Licensable"
+
+     means having the right to grant, to the maximum extent possible, whether
+     at the time of the initial grant or subsequently, any and all of the
+     rights conveyed by this License.
+
+1.10. "Modifications"
+
+     means any of the following:
+
+     a. any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered Software; or
+
+     b. any new file in Source Code Form that contains any Covered Software.
+
+1.11. "Patent Claims" of a Contributor
+
+      means any patent claim(s), including without limitation, method,
+      process, and apparatus claims, in any patent Licensable by such
+      Contributor that would be infringed, but for the grant of the License,
+      by the making, using, selling, offering for sale, having made, import,
+      or transfer of either its Contributions or its Contributor Version.
+
+1.12. "Secondary License"
+
+      means either the GNU General Public License, Version 2.0, the GNU Lesser
+      General Public License, Version 2.1, the GNU Affero General Public
+      License, Version 3.0, or any later versions of those licenses.
+
+1.13. "Source Code Form"
+
+      means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+
+      means an individual or a legal entity exercising rights under this
+      License. For legal entities, "You" includes any entity that controls, is
+      controlled by, or is under common control with You. For purposes of this
+      definition, "control" means (a) the power, direct or indirect, to cause
+      the direction or management of such entity, whether by contract or
+      otherwise, or (b) ownership of more than fifty percent (50%) of the
+      outstanding shares or beneficial ownership of such entity.
+
+
+2. License Grants and Conditions
+
+2.1. Grants
+
+     Each Contributor hereby grants You a world-wide, royalty-free,
+     non-exclusive license:
+
+     a. under intellectual property rights (other than patent or trademark)
+        Licensable by such Contributor to use, reproduce, make available,
+        modify, display, perform, distribute, and otherwise exploit its
+        Contributions, either on an unmodified basis, with Modifications, or
+        as part of a Larger Work; and
+
+     b. under Patent Claims of such Contributor to make, use, sell, offer for
+        sale, have made, import, and otherwise transfer either its
+        Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+     The licenses granted in Section 2.1 with respect to any Contribution
+     become effective for each Contribution on the date the Contributor first
+     distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+     The licenses granted in this Section 2 are the only rights granted under
+     this License. No additional rights or licenses will be implied from the
+     distribution or licensing of Covered Software under this License.
+     Notwithstanding Section 2.1(b) above, no patent license is granted by a
+     Contributor:
+
+     a. for any code that a Contributor has removed from Covered Software; or
+
+     b. for infringements caused by: (i) Your and any other third party's
+        modifications of Covered Software, or (ii) the combination of its
+        Contributions with other software (except as part of its Contributor
+        Version); or
+
+     c. under Patent Claims infringed by Covered Software in the absence of
+        its Contributions.
+
+     This License does not grant any rights in the trademarks, service marks,
+     or logos of any Contributor (except as may be necessary to comply with
+     the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+     No Contributor makes additional grants as a result of Your choice to
+     distribute the Covered Software under a subsequent version of this
+     License (see Section 10.2) or under the terms of a Secondary License (if
+     permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+     Each Contributor represents that the Contributor believes its
+     Contributions are its original creation(s) or it has sufficient rights to
+     grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+     This License is not intended to limit any rights You have under
+     applicable copyright doctrines of fair use, fair dealing, or other
+     equivalents.
+
+2.7. Conditions
+
+     Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in
+     Section 2.1.
+
+
+3. Responsibilities
+
+3.1. Distribution of Source Form
+
+     All distribution of Covered Software in Source Code Form, including any
+     Modifications that You create or to which You contribute, must be under
+     the terms of this License. You must inform recipients that the Source
+     Code Form of the Covered Software is governed by the terms of this
+     License, and how they can obtain a copy of this License. You may not
+     attempt to alter or restrict the recipients' rights in the Source Code
+     Form.
+
+3.2. Distribution of Executable Form
+
+     If You distribute Covered Software in Executable Form then:
+
+     a. such Covered Software must also be made available in Source Code Form,
+        as described in Section 3.1, and You must inform recipients of the
+        Executable Form how they can obtain a copy of such Source Code Form by
+        reasonable means in a timely manner, at a charge no more than the cost
+        of distribution to the recipient; and
+
+     b. You may distribute such Executable Form under the terms of this
+        License, or sublicense it under different terms, provided that the
+        license for the Executable Form does not attempt to limit or alter the
+        recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+     You may create and distribute a Larger Work under terms of Your choice,
+     provided that You also comply with the requirements of this License for
+     the Covered Software. If the Larger Work is a combination of Covered
+     Software with a work governed by one or more Secondary Licenses, and the
+     Covered Software is not Incompatible With Secondary Licenses, this
+     License permits You to additionally distribute such Covered Software
+     under the terms of such Secondary License(s), so that the recipient of
+     the Larger Work may, at their option, further distribute the Covered
+     Software under the terms of either this License or such Secondary
+     License(s).
+
+3.4. Notices
+
+     You may not remove or alter the substance of any license notices
+     (including copyright notices, patent notices, disclaimers of warranty, or
+     limitations of liability) contained within the Source Code Form of the
+     Covered Software, except that You may alter any license notices to the
+     extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+     You may choose to offer, and to charge a fee for, warranty, support,
+     indemnity or liability obligations to one or more recipients of Covered
+     Software. However, You may do so only on Your own behalf, and not on
+     behalf of any Contributor. You must make it absolutely clear that any
+     such warranty, support, indemnity, or liability obligation is offered by
+     You alone, and You hereby agree to indemnify every Contributor for any
+     liability incurred by such Contributor as a result of warranty, support,
+     indemnity or liability terms You offer. You may include additional
+     disclaimers of warranty and limitations of liability specific to any
+     jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+
+   If it is impossible for You to comply with any of the terms of this License
+   with respect to some or all of the Covered Software due to statute,
+   judicial order, or regulation then You must: (a) comply with the terms of
+   this License to the maximum extent possible; and (b) describe the
+   limitations and the code they affect. Such description must be placed in a
+   text file included with all distributions of the Covered Software under
+   this License. Except to the extent prohibited by statute or regulation,
+   such description must be sufficiently detailed for a recipient of ordinary
+   skill to be able to understand it.
+
+5. Termination
+
+5.1. The rights granted under this License will terminate automatically if You
+     fail to comply with any of its terms. However, if You become compliant,
+     then the rights granted under this License from a particular Contributor
+     are reinstated (a) provisionally, unless and until such Contributor
+     explicitly and finally terminates Your grants, and (b) on an ongoing
+     basis, if such Contributor fails to notify You of the non-compliance by
+     some reasonable means prior to 60 days after You have come back into
+     compliance. Moreover, Your grants from a particular Contributor are
+     reinstated on an ongoing basis if such Contributor notifies You of the
+     non-compliance by some reasonable means, this is the first time You have
+     received notice of non-compliance with this License from such
+     Contributor, and You become compliant prior to 30 days after Your receipt
+     of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+     infringement claim (excluding declaratory judgment actions,
+     counter-claims, and cross-claims) alleging that a Contributor Version
+     directly or indirectly infringes any patent, then the rights granted to
+     You by any and all Contributors for the Covered Software under Section
+     2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user
+     license agreements (excluding distributors and resellers) which have been
+     validly granted by You or Your distributors under this License prior to
+     termination shall survive termination.
+
+6. Disclaimer of Warranty
+
+   Covered Software is provided under this License on an "as is" basis,
+   without warranty of any kind, either expressed, implied, or statutory,
+   including, without limitation, warranties that the Covered Software is free
+   of defects, merchantable, fit for a particular purpose or non-infringing.
+   The entire risk as to the quality and performance of the Covered Software
+   is with You. Should any Covered Software prove defective in any respect,
+   You (not any Contributor) assume the cost of any necessary servicing,
+   repair, or correction. This disclaimer of warranty constitutes an essential
+   part of this License. No use of  any Covered Software is authorized under
+   this License except under this disclaimer.
+
+7. Limitation of Liability
+
+   Under no circumstances and under no legal theory, whether tort (including
+   negligence), contract, or otherwise, shall any Contributor, or anyone who
+   distributes Covered Software as permitted above, be liable to You for any
+   direct, indirect, special, incidental, or consequential damages of any
+   character including, without limitation, damages for lost profits, loss of
+   goodwill, work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses, even if such party shall have been
+   informed of the possibility of such damages. This limitation of liability
+   shall not apply to liability for death or personal injury resulting from
+   such party's negligence to the extent applicable law prohibits such
+   limitation. Some jurisdictions do not allow the exclusion or limitation of
+   incidental or consequential damages, so this exclusion and limitation may
+   not apply to You.
+
+8. Litigation
+
+   Any litigation relating to this License may be brought only in the courts
+   of a jurisdiction where the defendant maintains its principal place of
+   business and such litigation shall be governed by laws of that
+   jurisdiction, without reference to its conflict-of-law provisions. Nothing
+   in this Section shall prevent a party's ability to bring cross-claims or
+   counter-claims.
+
+9. Miscellaneous
+
+   This License represents the complete agreement concerning the subject
+   matter hereof. If any provision of this License is held to be
+   unenforceable, such provision shall be reformed only to the extent
+   necessary to make it enforceable. Any law or regulation which provides that
+   the language of a contract shall be construed against the drafter shall not
+   be used to construe this License against a Contributor.
+
+
+10. Versions of the License
+
+10.1. New Versions
+
+      Mozilla Foundation is the license steward. Except as provided in Section
+      10.3, no one other than the license steward has the right to modify or
+      publish new versions of this License. Each version will be given a
+      distinguishing version number.
+
+10.2. Effect of New Versions
+
+      You may distribute the Covered Software under the terms of the version
+      of the License under which You originally received the Covered Software,
+      or under the terms of any subsequent version published by the license
+      steward.
+
+10.3. Modified Versions
+
+      If you create software not governed by this License, and you want to
+      create a new license for such software, you may create and use a
+      modified version of this License if you rename the license and remove
+      any references to the name of the license steward (except to note that
+      such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+      Licenses If You choose to distribute Source Code Form that is
+      Incompatible With Secondary Licenses under the terms of this version of
+      the License, the notice described in Exhibit B of this License must be
+      attached.
+
+Exhibit A - Source Code Form License Notice
+
+      This Source Code Form is subject to the
+      terms of the Mozilla Public License, v.
+      2.0. If a copy of the MPL was not
+      distributed with this file, You can
+      obtain one at
+      http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular file,
+then You may include the notice in a location (such as a LICENSE file in a
+relevant directory) where a recipient would be likely to look for such a
+notice.
+
+You may add additional accurate notices of copyright ownership.
+
+Exhibit B - "Incompatible With Secondary Licenses" Notice
+
+      This Source Code Form is "Incompatible
+      With Secondary Licenses", as defined by
+      the Mozilla Public License, v. 2.0.
diff --git a/src/mongo/gotools/common.yml b/src/mongo/gotools/common.yml
index 2fb7cb57dc8..ee3c741a010 100644
--- a/src/mongo/gotools/common.yml
+++ b/src/mongo/gotools/common.yml
@@ -11,14 +11,14 @@ mongo_tools_variables:
 
 ## List of tests to run on each buildvariant
   mongo_tools_task_lists:
-    osx_1010_task_list: &osx_1010_tasks
+    mac_1012_task_list: &macos_1012_tasks
       - name: db
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
-      - name: legacy26
-      - name: legacy24
+      - name: legacy30
+#      No SSL on 2.6 for osx
+#      - name: legacy26
       - name: qa-tests
       - name: qa-dump-restore-archiving
       - name: qa-dump-restore-gzip
@@ -31,32 +31,22 @@ mongo_tools_variables:
 #      - name: replay-sharded_test
 #      - name: replay-repl_test
 #      - name: replay-replay_test
-    osx_1010_ssl_task_list: &osx_1010_ssl_tasks
+    macos_1012_ssl_task_list: &macos_1012_ssl_tasks
       - name: dist
       - name: qa-tests
       - name: native-cert-ssl
-    solaris_task_list: &solaris_tasks
-      - name: db
-      - name: dist
-      - name: integration
-      - name: integration-auth
-      - name: legacy28
-      - name: legacy26
-      - name: legacy24
-    ubuntu1204_task_list: &ubuntu1204_tasks
+      - name: unit
+    ubuntu1404_task_list: &ubuntu1404_tasks
       - name: db
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
-      - name: legacy28-wt
+      - name: legacy30
       - name: lint-go
       - name: lint-js
       - name: qa-tests
-      - name: qa-tests-unstable
       - name: qa-dump-restore-archiving
       - name: qa-dump-restore-gzip
-      - name: qa-tests-wt
       - name: unit
       - name: vet
       - name: replay-dist
@@ -66,23 +56,21 @@ mongo_tools_variables:
       - name: replay-sharded_test
       - name: replay-repl_test
       - name: replay-replay_test
-    ubuntu1204_ssl_task_list: &ubuntu1204_ssl_tasks
+    ubuntu1404_ssl_task_list: &ubuntu1404_ssl_tasks
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
+      - name: legacy30
       - name: qa-tests
-      - name: qa-tests-unstable
       - name: native-cert-ssl
-    ubuntu1204_enterprise_task_list: &ubuntu1204_enterprise_tasks
+    ubuntu1404_enterprise_task_list: &ubuntu1404_enterprise_tasks
       - name: db
       - name: dist
       - name: integration
       - name: integration-auth
       - name: kerberos
-      - name: legacy28
+      - name: legacy30
       - name: legacy26
-      - name: legacy24
       - name: qa-tests
       - name: native-cert-ssl
       - name: replay-dist
@@ -92,17 +80,14 @@ mongo_tools_variables:
       - name: replay-sharded_test
       - name: replay-repl_test
       - name: replay-replay_test
-    ubuntu1204_race_task_list: &ubuntu1204_race_tasks
+    ubuntu1404_race_task_list: &ubuntu1404_race_tasks
       - name: db
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
-      - name: legacy28-wt
+      - name: legacy30
       - name: legacy26
-      - name: legacy24
       - name: qa-tests
-      - name: qa-tests-wt
       - name: unit
       - name: replay-dist
       - name: replay-sanity_check
@@ -118,30 +103,24 @@ mongo_tools_variables:
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
+      - name: legacy30
         distros:
         - windows-64-vs2013-test
       - name: legacy26
         distros:
         - windows-64-vs2013-test
-      - name: legacy24
-        distros:
-        - windows-64-vs2013-test
       - name: unit
     windows_64_task_list: &windows_64_tasks
       - name: db
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
+      - name: legacy30
         distros:
         - windows-64-vs2013-test
       - name: legacy26
         distros:
         - windows-64-vs2013-test
-      - name: legacy24
-        distros:
-        - windows-64-vs2013-test
       - name: qa-tests
         distros:
         - windows-64-vs2013-test
@@ -156,16 +135,17 @@ mongo_tools_variables:
       - name: dist
       - name: integration
       - name: integration-auth
-      - name: legacy28
+      - name: legacy30
       - name: qa-tests
       - name: native-cert-ssl
+      - name: unit
     windows_64_enterprise_task_list: &windows_64_enterprise_tasks
       - name: db
       - name: dist
       - name: integration
       - name: integration-auth
       - name: kerberos
-      - name: legacy28
+      - name: legacy30
         distros:
         - windows-64-vs2013-test
       - name: qa-tests
@@ -182,8 +162,6 @@ mongo_tools_variables:
       - name: qa-dump-restore-archiving
       - name: qa-dump-restore-gzip
       - name: qa-tests
-      - name: qa-tests-unstable
-      - name: qa-tests-wt
       - name: native-cert-ssl
 # disabled until BUILD-2273 is done
 #      - name: replay-dist
@@ -201,8 +179,6 @@ mongo_tools_variables:
       - name: kerberos
       - name: qa-dump-restore-archiving
       - name: qa-dump-restore-gzip
-      - name: qa-tests-unstable
-      - name: qa-tests-wt
       - name: native-cert-ssl
 # disabled until BUILD-2273 is done
 #      - name: replay-dist
@@ -219,8 +195,6 @@ mongo_tools_variables:
       - name: integration-auth
       - name: qa-dump-restore-archiving
       - name: qa-dump-restore-gzip
-      - name: qa-tests-unstable
-      - name: qa-tests-wt
       - name: native-cert-ssl
 
 
@@ -275,7 +249,7 @@ functions:
         rm -rf /data/mci/install /data/mci/multiversion
         mkdir -p /data/mci/install /data/mci/multiversion
         if [ "${multiversion_override}" != "skip" ]; then
-          python buildscripts/setup_multiversion_mongodb.py /data/mci/install /data/mci/multiversion ${arch} ${multiversion_override|2.6 2.4} --latest ${smoke_use_ssl} --os="${mongo_os}"
+          python buildscripts/setup_multiversion_mongodb.py /data/mci/install /data/mci/multiversion ${arch} ${multiversion_override|2.6} --latest ${smoke_use_ssl} --os="${mongo_os}"
         fi
         chmod 400 jstests/libs/key*
 
@@ -306,6 +280,8 @@ functions:
         sed -i.bak "s/built-without-git-spec/$(git rev-parse HEAD)/" common/options/options.go
 
         . ./set_gopath.sh
+        ${gorootvars} go version
+        ${gorootvars} env | grep ^GO
         ${gorootvars} go build ${args} -tags "failpoints ${build_tags}" -o bin/${tool} ${tool}/main/${tool}.go
         ./bin/${tool} --version
 
@@ -442,10 +418,11 @@ functions:
         fi;
         . ./set_gopath.sh
 
+        cwd=$(pwd)
         # run unit tests under common package
-        for i in archive bsonutil failpoint intents json log options progress text util; do
-            cd common/$i
-            COMMON_SUBPKG=$i
+        for i in archive bsonutil db/tlsgo failpoint intents json log options progress text util; do
+            cd $cwd/common/$i
+            COMMON_SUBPKG=$(basename $i)
             COVERAGE_ARGS=""
             if [ "${run_coverage}" ]; then
                 COVERAGE_ARGS="-coverprofile=coverage_$COMMON_SUBPKG.out"
@@ -456,13 +433,12 @@ functions:
                 export exitcode=1
             fi
             cat $COMMON_SUBPKG.suite
-            cp $COMMON_SUBPKG.suite ../../
-            cd ../..
+            cp $COMMON_SUBPKG.suite $cwd
         done
 
         #TODO mongotop needs a test
         for i in mongoimport mongoexport mongostat mongooplog mongorestore mongodump mongofiles; do
-            cd $i
+            cd $cwd/$i
             COVERAGE_ARGS=""
             if [ "${run_coverage}" ]; then
                 COVERAGE_ARGS="-coverprofile=coverage_$i.out"
@@ -473,8 +449,7 @@ functions:
                 export exitcode=1
             fi
             cat $i.suite
-            cp $i.suite ../.
-            cd ..
+            cp $i.suite $cwd
         done
         exit $exitcode
 
@@ -965,7 +940,7 @@ tasks:
     - func: "setup integration test"
     - func: "run tool integration tests"
 
-- name: legacy28
+- name: legacy30
   depends_on:
   - name: dist
   commands:
@@ -998,45 +973,9 @@ tasks:
         tool: mongofiles
     - func: "run legacy tests"
       vars:
-        test_path: "test/legacy28"
+        test_path: "test/legacy30"
         smoke_args: "--authMechanism SCRAM-SHA-1"
 
-- name: legacy28-wt
-  depends_on:
-  - name: dist
-  commands:
-    - func: "fetch source"
-    - func: "get buildnumber"
-    - func: "setup credentials"
-    - func: "download mongod"
-      vars:
-        mongo_version: "3.0"
-    - func: "fetch tool"
-      vars:
-        tool: mongoimport
-    - func: "fetch tool"
-      vars:
-        tool: mongoexport
-    - func: "fetch tool"
-      vars:
-        tool: mongodump
-    - func: "fetch tool"
-      vars:
-        tool: mongostat
-    - func: "fetch tool"
-      vars:
-        tool: mongorestore
-    - func: "fetch tool"
-      vars:
-        tool: mongooplog
-    - func: "fetch tool"
-      vars:
-        tool: mongofiles
-    - func: "run legacy tests"
-      vars:
-        test_path: "test/legacy28"
-        smoke_args: "--authMechanism SCRAM-SHA-1 --storageEngine=wiredTiger"
-
 - name: legacy26
   depends_on:
   - name: dist
@@ -1073,46 +1012,6 @@ tasks:
         test_path: "test/legacy26"
         smoke_use_ssl: ""
 
-- name: legacy24
-  depends_on:
-  - name: dist
-  commands:
-    - func: "fetch source"
-    - func: "get buildnumber"
-    - func: "setup credentials"
-    - func: "download mongod"
-      vars:
-        mongo_version: "2.4"
-    - func: "download mongod"
-      vars:
-        mongo_version: "2.6"
-        only_shell: true
-    - func: "fetch tool"
-      vars:
-        tool: mongoimport
-    - func: "fetch tool"
-      vars:
-        tool: mongoexport
-    - func: "fetch tool"
-      vars:
-        tool: mongodump
-    - func: "fetch tool"
-      vars:
-        tool: mongostat
-    - func: "fetch tool"
-      vars:
-        tool: mongorestore
-    - func: "fetch tool"
-      vars:
-        tool: mongooplog
-    - func: "fetch tool"
-      vars:
-        tool: mongofiles
-    - func: "run legacy tests"
-      vars:
-        test_path: "test/legacy24"
-        smoke_use_ssl: ""
-
 - name: lint-go
   commands:
     - func: "fetch source"
@@ -1142,47 +1041,6 @@ tasks:
           /opt/node/bin/npm install eslint@3.2
           /opt/node/bin/node node_modules/eslint/bin/eslint.js test/qa-tests/jstests/**/*.js
 
-- name: qa-tests-unstable
-  depends_on:
-  - name: dist
-  commands:
-    - func: "fetch source"
-    - func: "get buildnumber"
-    - func: "setup credentials"
-    - func: "download mongod"
-      vars:
-        mongo_version: "latest"
-    - func: "fetch tool"
-      vars:
-        tool: mongoimport
-    - func: "fetch tool"
-      vars:
-        tool: mongoexport
-    - func: "fetch tool"
-      vars:
-        tool: mongodump
-    - func: "fetch tool"
-      vars:
-        tool: mongorestore
-    - func: "fetch tool"
-      vars:
-        tool: mongostat
-    - func: "fetch tool"
-      vars:
-        tool: mongotop
-    - func: "fetch tool"
-      vars:
-        tool: mongooplog
-    - func: "fetch tool"
-      vars:
-        tool: mongofiles
-    - func: "fetch tool"
-      vars:
-        tool: bsondump
-    - func: "run qa-tests"
-      vars:
-        resmoke_suite: "core${resmoke_use_ssl}"
-
 - name: qa-tests
   depends_on:
   - name: dist
@@ -1320,49 +1178,6 @@ tasks:
         resmoke_suite: "restore_gzip"
         excludes: "requires_unstable,${excludes}"
 
-- name: qa-tests-wt
-  depends_on:
-  - name: dist
-  commands:
-    - func: "fetch source"
-    - func: "get buildnumber"
-    - func: "setup credentials"
-    - func: "download mongod"
-      vars:
-        mongo_version: "3.4"
-    - func: "fetch tool"
-      vars:
-        tool: mongoimport
-    - func: "fetch tool"
-      vars:
-        tool: mongoexport
-    - func: "fetch tool"
-      vars:
-        tool: mongodump
-    - func: "fetch tool"
-      vars:
-        tool: mongorestore
-    - func: "fetch tool"
-      vars:
-        tool: mongostat
-    - func: "fetch tool"
-      vars:
-        tool: mongotop
-    - func: "fetch tool"
-      vars:
-        tool: mongooplog
-    - func: "fetch tool"
-      vars:
-        tool: mongofiles
-    - func: "fetch tool"
-      vars:
-        tool: bsondump
-    - func: "run qa-tests"
-      vars:
-        resmoke_suite: "core"
-        resmoke_args: "--storageEngine=wiredTiger ${resmoke_args}"
-        excludes: "requires_unstable,${excludes}"
-
 - name: unit
   commands:
     - command: expansions.update
@@ -1608,83 +1423,174 @@ tasks:
   - func: "upload timeseries"
 
 buildvariants:
+
+#######################################
+#     Amazon Buildvariants            #
+#######################################
+
+- name: amazonlinux64
+  display_name: Amazon Linux 64 (Go 1.8)
+  run_on:
+  - linux-64-amzn-test
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
+
+- name: amazon2
+  display_name: Amazon Linux 64 v2 (Go 1.8)
+  run_on:
+  - amazon2-test
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
+
 #######################################
-#           OSX Buildvariant          #
+#     Debian Buildvariants            #
 #######################################
-- name: osx-1010
-  display_name: OSX 10.10 64-bit
+
+- name: debian71
+  display_name: Debian 7.1 (Go 1.8)
   run_on:
-  - osx-1010
+  - debian71-test
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
+
+- name: debian81
+  display_name: Debian 8.1 (Go 1.8)
+  run_on:
+  - debian81-test
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
+
+#######################################
+#           macOS Buildvariant        #
+#######################################
+
+- name: macOS-1012
+  display_name: MacOS 10.12 (Go 1.8)
+  run_on:
+  - macos-1012
   expansions:
     <<: *mongod_default_startup_args
     <<: *mongo_default_startup_args
     mongo_os: "osx"
     arch: "osx/x86_64"
-    build_tags: "ssl"
     excludes: requires_many_files
-  tasks: *osx_1010_tasks
+    gorootvars: 'PATH="/usr/local/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/usr/local/go1.8/go'
+  tasks: *macos_1012_tasks
 
-- name: osx-1010-ssl
-  display_name: OSX 10.10 64-bit SSL
+- name: macOS-1012-ssl
+  display_name: MacOS 10.12 SSL (Go 1.8)
   run_on:
-  - osx-1010
+  - macos-1012
   expansions:
     <<: *mongod_ssl_startup_args
     <<: *mongo_ssl_startup_args
     mongo_os: "osx"
     mongo_target: "osx-ssl"
     arch: "osx/x86_64"
-    build_tags: "ssl"
-    edition: ssl
+    build_tags: "ssl openssl_pre_1.0"
     excludes: requires_many_files
-  tasks: *osx_1010_ssl_tasks
+    gorootvars: 'PATH="/usr/local/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/usr/local/go1.8/go'
+  tasks: *macos_1012_ssl_tasks
+
+#######################################
+#     RHEL Buildvariants              #
+#######################################
+
+- name: rhel62
+  display_name: RHEL 6.2 (Go 1.8)
+  run_on:
+  - rhel62-test
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
+
+- name: rhel70
+  display_name: RHEL 7.0 (Go 1.8)
+  run_on:
+  - rhel70
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
+
+#######################################
+#     SUSE Buildvariants              #
+#######################################
+
+- name: suse12
+  display_name: SUSE 12 (Go 1.8)
+  run_on:
+  - suse12-test
+  expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
+  tasks:
+  - name: dist
 
 #######################################
 #          Ubuntu Buildvariants       #
 #######################################
 
-- name: ubuntu
-  display_name: Linux 64-bit
+- name: ubuntu1404
+  display_name: Ubuntu 14.04 (Go 1.8)
   run_on:
-  - ubuntu1204-test
+  - ubuntu1404-test
   expansions:
     <<: *mongod_default_startup_args
     <<: *mongo_default_startup_args
-    mongo_os: "ubuntu1204"
+    mongo_os: "ubuntu1404"
     mongo_edition: "targeted"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
     build_tags: "ssl"
     arch: "linux/x86_64"
     integration_test_args: integration
     resmoke_args: --jobs $(grep -c ^processor /proc/cpuinfo)
-  tasks: *ubuntu1204_tasks
+  tasks: *ubuntu1404_tasks
 
-- name: ubuntu-ssl
-  display_name: Linux 64-bit SSL
+- name: ubuntu1404-ssl
+  display_name: Ubuntu 14.04 SSL (Go 1.8)
   run_on:
-  - ubuntu1204-test
+  - ubuntu1404-test
   expansions:
     <<: *mongod_ssl_startup_args
     <<: *mongo_ssl_startup_args
-    mongo_os: "ubuntu1204"
+    mongo_os: "ubuntu1404"
     mongo_edition: "enterprise"
-    build_tags: "ssl"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "sasl ssl"
     edition: ssl
     arch: "linux/x86_64"
     smoke_use_ssl: --use-ssl
     resmoke_use_ssl: _ssl
     resmoke_args: --jobs $(grep -c ^processor /proc/cpuinfo)
     integration_test_args: "integration,ssl"
-  tasks: *ubuntu1204_ssl_tasks
+  tasks: *ubuntu1404_ssl_tasks
 
 - name: ubuntu-enterprise
-  display_name: Linux 64-bit Enterprise
+  display_name: Ubuntu 14.04 Enterprise (Go 1.8)
   run_on:
-  - ubuntu1204-test
+  - ubuntu1404-test
   expansions:
     <<: *mongod_default_startup_args
     <<: *mongo_default_startup_args
-    mongo_os: "ubuntu1204"
+    mongo_os: "ubuntu1404"
     mongo_edition: "enterprise"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
     build_tags: "ssl sasl"
     smoke_use_ssl: --use-ssl
     resmoke_use_ssl: _ssl
@@ -1693,100 +1599,24 @@ buildvariants:
     run_kinit: true
     integration_test_args: integration
     resmoke_args: --jobs $(grep -c ^processor /proc/cpuinfo)
-  tasks: *ubuntu1204_enterprise_tasks
+  tasks: *ubuntu1404_enterprise_tasks
 
-- name: rhel71-ppc64le-enterprise
-  display_name: Linux PPC64LE RHEL 7.1 Enterprise
+- name: ubuntu1604
+  display_name: Ubuntu 16.04 (Go 1.8)
   run_on:
-  - rhel71-power8-test
+  - ubuntu1604-test
   expansions:
-    <<: *mongod_default_startup_args
-    <<: *mongo_default_startup_args
-    mongo_os: "rhel71"
-    mongo_edition: "enterprise"
-    mongo_arch: "ppc64le"
-    # RHEL 7.1 PPC64LE machines kerberos setup does not work for mongo-tools
-    #args: ... libsasl2; build_tags "sasl ssl"
-    args: -gccgoflags "$(pkg-config --libs --cflags libssl)"
-    build_tags: 'ssl'
-    resmoke_use_ssl: _ssl
-    gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
-    resmoke_args: -j 4
-    excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
-    multiversion_override: "skip"
-    arch: "linux/ppc64le"
-    edition: enterprise
-    run_kinit: true
-    integration_test_args: integration
-  tasks: *rhel71_enterprise_tasks
-
-- name: rhel72-s390x-enterprise
-  display_name: Linux s390x RHEL 7.2 Enterprise
-  run_on:
-  - rhel72-zseries-test
-  expansions:
-    <<: *mongod_default_startup_args
-    <<: *mongo_default_startup_args
-    mongo_os: "rhel72"
-    mongo_edition: "enterprise"
-    mongo_arch: "s390x"
-    args: -gccgoflags "$(pkg-config --libs --cflags libssl libsasl2)"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
     build_tags: "sasl ssl"
-    resmoke_use_ssl: _ssl
-    gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
-    excludes: requires_mmap_available,requires_mongo_24,requires_mongo_26,requires_mongo_30
-    resmoke_args: -j 2
-    multiversion_override: "skip"
-    arch: "linux/s390x"
-    edition: enterprise
-    run_kinit: true
-    integration_test_args: integration
-  tasks: *rhel72_enterprise_tasks
-
-- name: ubuntu1604-arm64
-  display_name: Linux ARM64 Ubuntu 16.04 SSL
-  run_on:
-  - ubuntu1604-arm64-small
-  expansions:
-    <<: *mongod_default_startup_args
-    <<: *mongo_default_startup_args
-    mongo_os: "ubuntu1604"
-    mongo_edition: "targeted"
-    mongo_arch: "arm64"
-    args: -gccgoflags "$(pkg-config --libs --cflags libcrypto libssl)"
-    build_tags: "ssl"
-    resmoke_use_ssl: _ssl
-    gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
-    excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
-    resmoke_args: -j 2
-    multiversion_override: "skip"
-    arch: "linux/arm64"
-    edition: ssl
-    integration_test_args: integration
-  tasks: *ubuntu1604_ssl_tasks
-
-#######################################
-#         Solaris Buildvariant        #
-#######################################
-- name: solaris
-  display_name: Solaris 64-bit
-  run_on:
-  - solaris
-  expansions:
-    <<: *mongod_default_startup_args
-    <<: *mongo_default_startup_args
-    mongo_os: "sunos5"
-    gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
-    args: -gccgoflags "-lsocket -lnsl"
-    excludes: requires_large_ram
-    resmoke_args: -j$(kstat cpu | sort -u | grep -c "^module")
-  tasks: *solaris_tasks
+  tasks:
+  - name: dist
 
 #######################################
 #        Windows Buildvariants        #
 #######################################
+
 - name: windows-64
-  display_name: Windows 64-bit
+  display_name: Windows 64-bit (Go 1.8)
   run_on:
   - windows-64-vs2013-test
   expansions:
@@ -1799,10 +1629,11 @@ buildvariants:
     arch: "win32/x86_64"
     preproc_gpm: "perl -pi -e 's/\\r\\n/\\n/g' "
     integration_test_args: "integration"
+    gorootvars: 'PATH="/cygdrive/c/go1.8/go/bin:/cygdrive/c/mingw-w64/x86_64-4.9.1-posix-seh-rt_v3-rev1/mingw64/bin:$PATH" GOROOT="c:/go1.8/go"'
   tasks: *windows_64_tasks
 
 - name: windows-64-ssl
-  display_name: Windows 64-bit SSL
+  display_name: Windows 64-bit SSL (Go 1.8)
   run_on:
   - windows-64-vs2013-compile
   expansions:
@@ -1818,13 +1649,13 @@ buildvariants:
     multiversion_override: "2.6"
     extension: .exe
     arch: "win32/x86_64"
-    gorootvars: PATH="/cygdrive/c/mingw-w64/x86_64-4.9.1-posix-seh-rt_v3-rev1/mingw64/bin:/cygdrive/c/sasl/:$PATH"
+    gorootvars: 'PATH="/cygdrive/c/go1.8/go/bin:/cygdrive/c/mingw-w64/x86_64-4.9.1-posix-seh-rt_v3-rev1/mingw64/bin:$PATH" GOROOT="c:/go1.8/go"'
     preproc_gpm: "perl -pi -e 's/\\r\\n/\\n/g' "
     integration_test_args: "integration,ssl"
   tasks: *windows_64_ssl_tasks
 
 - name: windows-64-enterprise
-  display_name: Windows 64-bit Enterprise
+  display_name: Windows 64-bit Enterprise (Go 1.8)
   run_on:
   - windows-64-vs2013-compile
   expansions:
@@ -1841,90 +1672,165 @@ buildvariants:
     edition: enterprise
     extension: .exe
     arch: "win32/x86_64"
-    gorootvars: PATH="/cygdrive/c/mingw-w64/x86_64-4.9.1-posix-seh-rt_v3-rev1/mingw64/bin:/cygdrive/c/sasl/:$PATH"
+    gorootvars: 'PATH="/cygdrive/c/go1.8/go/bin:/cygdrive/c/mingw-w64/x86_64-4.9.1-posix-seh-rt_v3-rev1/mingw64/bin:$PATH" GOROOT="c:/go1.8/go"'
     preproc_gpm: "perl -pi -e 's/\\r\\n/\\n/g' "
     integration_test_args: "integration"
   tasks: *windows_64_enterprise_tasks
 
 #######################################
-#     Experimental Buildvariants      #
+#        ARM Buildvariants            #
 #######################################
 
-- name: ubuntu-race
-  stepback: false
-  batchtime: 1440 # daily
-  display_name: z Race Detector Linux 64-bit
+- name: ubuntu1604-arm64
+  display_name: ZAP ARM64 Ubuntu 16.04 SSL (gccgo 1.4)
   run_on:
-  - ubuntu1204-test
+  - ubuntu1604-arm64-small
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
     <<: *mongod_default_startup_args
     <<: *mongo_default_startup_args
-    mongo_os: "ubuntu1204"
-    mongo_edition: "enterprise"
+    mongo_os: "ubuntu1604"
+    mongo_edition: "targeted"
+    mongo_arch: "arm64"
+    args: -gccgoflags "$(pkg-config --libs --cflags libcrypto libssl)"
     build_tags: "ssl"
-    arch: "linux/x86_64"
-    args: "-race"
-    excludes: requires_large_ram
+    resmoke_use_ssl: _ssl
+    gorootvars: PATH="/opt/mongodbtoolchain/v2/bin/:$PATH"
+    excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
+    resmoke_args: -j 2
+    multiversion_override: "skip"
+    arch: "linux/arm64"
+    edition: ssl
     integration_test_args: integration
-  tasks: *ubuntu1204_race_tasks
+  tasks: *ubuntu1604_ssl_tasks
 
 #######################################
-#     Dist only Buildvariants         #
+#        Power Buildvariants          #
 #######################################
 
-- name: suse11
-  display_name: SUSE 11 SSL
+- name: rhel71-ppc64le-enterprise
+  display_name: ZAP PPC64LE RHEL 7.1 Enterprise (Go 1.8)
   run_on:
-  - suse11-test
+  - rhel71-power8-test
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
-    build_tags: "sasl ssl"
-  tasks:
-  - name: dist
+    <<: *mongod_default_startup_args
+    <<: *mongo_default_startup_args
+    mongo_os: "rhel71"
+    mongo_edition: "enterprise"
+    mongo_arch: "ppc64le"
+    # RHEL 7.1 PPC64LE machines kerberos setup does not work for mongo-tools
+    #args: ... libsasl2; build_tags "sasl ssl"
+    build_tags: 'ssl'
+    resmoke_use_ssl: _ssl
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go CC=/opt/mongodbtoolchain/v2/bin/ppc64le-mongodb-linux-gcc'
+    resmoke_args: -j 4
+    excludes: requires_mmap_available,requires_large_ram,requires_mongo_24,requires_mongo_26,requires_mongo_30
+    multiversion_override: "skip"
+    arch: "linux/ppc64le"
+    edition: enterprise
+    run_kinit: true
+    integration_test_args: integration
+  tasks: *rhel71_enterprise_tasks
 
-- name: suse12
-  display_name: SUSE 12 SSL
+- name: ubuntu1604-ppc64le-enterprise
+  display_name: ZAP PPC64LE Ubuntu 16.04 Enterprise (Go 1.8)
   run_on:
-  - suse12-test
+  - ubuntu1604-power8-test
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
-    build_tags: "sasl ssl"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go CC=/opt/mongodbtoolchain/v2/bin/ppc64le-mongodb-linux-gcc'
+    build_tags: 'ssl'
   tasks:
   - name: dist
 
-- name: rhel62
-  display_name: RHEL 6.2 SSL
+#######################################
+#     Z (s390x) Buildvariants         #
+#######################################
+
+- name: rhel67-s390x-enterprise
+  display_name: ZAP s390x RHEL 6.7 Enterprise (Go 1.8)
   run_on:
-  - rhel62-test
+  - rhel67-zseries-test
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
-    gorootvars: PATH="/opt/go/bin:$PATH"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go CC=/opt/mongodbtoolchain/v2/bin/s390x-mongodb-linux-gcc'
     build_tags: "sasl ssl"
   tasks:
   - name: dist
 
-- name: rhel70
-  display_name: RHEL 7.0 SSL
+- name: rhel72-s390x-enterprise
+  display_name: ZAP s390x RHEL 7.2 Enterprise (Go 1.8)
   run_on:
-  - rhel70
+  - rhel72-zseries-test
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
-    gorootvars: PATH="/opt/go/bin:$PATH"
+    <<: *mongod_default_startup_args
+    <<: *mongo_default_startup_args
+    mongo_os: "rhel72"
+    mongo_edition: "enterprise"
+    mongo_arch: "s390x"
     build_tags: "sasl ssl"
-  tasks:
-  - name: dist
+    resmoke_use_ssl: _ssl
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go CC=/opt/mongodbtoolchain/v2/bin/s390x-mongodb-linux-gcc'
+    excludes: requires_mmap_available,requires_mongo_24,requires_mongo_26,requires_mongo_30
+    resmoke_args: -j 2
+    multiversion_override: "skip"
+    arch: "linux/s390x"
+    edition: enterprise
+    run_kinit: true
+    integration_test_args: integration
+  tasks: *rhel72_enterprise_tasks
 
-- name: ubuntu1404
-  display_name: Ubuntu 14.04 SSL
+- name: suse12-s390x-enterprise
+  display_name: ZAP s390x SUSE 12 Enterprise (Go 1.8)
   run_on:
-  - ubuntu1404-test
+  - suse12-zseries-test
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go CC=/opt/mongodbtoolchain/v2/bin/s390x-mongodb-linux-gcc'
     build_tags: "sasl ssl"
   tasks:
   - name: dist
 
-- name: debian71
-  display_name: Debian 7.1 SSL
+- name: ubuntu1604-s390x-enterprise
+  display_name: ZAP s390x Ubuntu 16.04 Enterprise (Go 1.8)
   run_on:
-  - debian71-test
+  - ubuntu1604-zseries-small
+  stepback: false
+  batchtime: 10080 # weekly
   expansions:
-    gorootvars: PATH="/opt/go/bin:$PATH"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go CC=/opt/mongodbtoolchain/v2/bin/s390x-mongodb-linux-gcc'
     build_tags: "sasl ssl"
   tasks:
   - name: dist
+
+#######################################
+#     Experimental Buildvariants      #
+#######################################
+
+- name: ubuntu-race
+  stepback: false
+  batchtime: 1440 # daily
+  display_name: z Race Detector Ubuntu 14.04 (Go 1.8)
+  run_on:
+  - ubuntu1404-test
+  expansions:
+    <<: *mongod_default_startup_args
+    <<: *mongo_default_startup_args
+    mongo_os: "ubuntu1404"
+    mongo_edition: "enterprise"
+    gorootvars: 'PATH="/opt/go1.8/go/bin:/opt/mongodbtoolchain/v2/bin/:$PATH" GOROOT=/opt/go1.8/go'
+    build_tags: "ssl"
+    arch: "linux/x86_64"
+    args: "-race"
+    excludes: requires_large_ram
+    integration_test_args: integration
+  tasks: *ubuntu1404_race_tasks
+
diff --git a/src/mongo/gotools/common/db/connector.go b/src/mongo/gotools/common/db/connector.go
index 87b6a830fc9..2070f053e87 100644
--- a/src/mongo/gotools/common/db/connector.go
+++ b/src/mongo/gotools/common/db/connector.go
@@ -1,6 +1,7 @@
 package db
 
 import (
+	"net"
 	"time"
 
 	"github.com/mongodb/mongo-tools/common/db/kerberos"
@@ -28,11 +29,25 @@ type VanillaDBConnector struct {
 // dial timeout.
 func (self *VanillaDBConnector) Configure(opts options.ToolOptions) error {
 	timeout := time.Duration(opts.Timeout) * time.Second
+	// create the dialer func that will be used to connect
+	dialer := func(addr *mgo.ServerAddr) (net.Conn, error) {
+		conn, err := net.DialTimeout("tcp", addr.String(), timeout)
+		if err != nil {
+			return nil, err
+		}
+		// enable TCP keepalive
+		err = util.EnableTCPKeepAlive(conn, time.Duration(opts.TCPKeepAliveSeconds)*time.Second)
+		if err != nil {
+			return nil, err
+		}
+		return conn, nil
+	}
 
 	// set up the dial info
 	self.dialInfo = &mgo.DialInfo{
 		Direct:         opts.Direct,
 		ReplicaSetName: opts.ReplicaSetName,
+		DialServer:     dialer,
 		Username:       opts.Auth.Username,
 		Password:       opts.Auth.Password,
 		Source:         opts.GetAuthenticationDatabase(),
diff --git a/src/mongo/gotools/common/db/db_ssl.go b/src/mongo/gotools/common/db/db_openssl.go
index 68d3850b525..2a7106a068e 100644
--- a/src/mongo/gotools/common/db/db_ssl.go
+++ b/src/mongo/gotools/common/db/db_openssl.go
@@ -1,4 +1,10 @@
-// +build ssl
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// +build ssl,!openssl_pre_1.0
 
 package db
 
diff --git a/src/mongo/gotools/common/db/db_tlsgo.go b/src/mongo/gotools/common/db/db_tlsgo.go
new file mode 100644
index 00000000000..6fa04a11a60
--- /dev/null
+++ b/src/mongo/gotools/common/db/db_tlsgo.go
@@ -0,0 +1,26 @@
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// +build ssl,openssl_pre_1.0
+
+package db
+
+import (
+	"github.com/mongodb/mongo-tools/common/db/tlsgo"
+	"github.com/mongodb/mongo-tools/common/options"
+)
+
+func init() {
+	GetConnectorFuncs = append(GetConnectorFuncs, getSSLConnector)
+}
+
+// return the SSL DB connector if using SSL, otherwise, return nil.
+func getSSLConnector(opts options.ToolOptions) DBConnector {
+	if opts.SSL.UseSSL {
+		return &tlsgo.TLSDBConnector{}
+	}
+	return nil
+}
diff --git a/src/mongo/gotools/common/db/openssl/openssl.go b/src/mongo/gotools/common/db/openssl/openssl.go
index d938cf5d532..1d4a1b3b86b 100644
--- a/src/mongo/gotools/common/db/openssl/openssl.go
+++ b/src/mongo/gotools/common/db/openssl/openssl.go
@@ -1,3 +1,11 @@
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// +build ssl,!openssl_pre_1.0
+
 // Package openssl implements connection to MongoDB over ssl.
 package openssl
 
@@ -6,10 +14,10 @@ import (
 	"net"
 	"time"
 
+	"github.com/10gen/openssl"
 	"github.com/mongodb/mongo-tools/common/db/kerberos"
 	"github.com/mongodb/mongo-tools/common/options"
 	"github.com/mongodb/mongo-tools/common/util"
-	"github.com/spacemonkeygo/openssl"
 	"gopkg.in/mgo.v2"
 )
 
@@ -40,7 +48,15 @@ func (self *SSLDBConnector) Configure(opts options.ToolOptions) error {
 	dialer := func(addr *mgo.ServerAddr) (net.Conn, error) {
 		conn, err := openssl.Dial("tcp", addr.String(), self.ctx, flags)
 		self.dialError = err
-		return conn, err
+		if err != nil {
+			return nil, err
+		}
+		// enable TCP keepalive
+		err = util.EnableTCPKeepAlive(conn.UnderlyingConn(), time.Duration(opts.TCPKeepAliveSeconds)*time.Second)
+		if err != nil {
+			return nil, err
+		}
+		return conn, nil
 	}
 
 	timeout := time.Duration(opts.Timeout) * time.Second
diff --git a/src/mongo/gotools/common/db/openssl/openssl_fips.go b/src/mongo/gotools/common/db/openssl/openssl_fips.go
index 2c4705e23ff..ded8515f397 100644
--- a/src/mongo/gotools/common/db/openssl/openssl_fips.go
+++ b/src/mongo/gotools/common/db/openssl/openssl_fips.go
@@ -1,13 +1,23 @@
-// +build ssl
-// +build -darwin
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// +build ssl,!openssl_pre_1.0
 
 package openssl
 
-import "github.com/spacemonkeygo/openssl"
+import (
+	"fmt"
+
+	"github.com/10gen/openssl"
+	"github.com/mongodb/mongo-tools/common/options"
+)
 
 func init() { sslInitializationFunctions = append(sslInitializationFunctions, SetUpFIPSMode) }
 
-func SetUpFIPSMode(opts *ToolOptions) error {
+func SetUpFIPSMode(opts options.ToolOptions) error {
 	if err := openssl.FIPSModeSet(opts.SSLFipsMode); err != nil {
 		return fmt.Errorf("couldn't set FIPS mode to %v: %v", opts.SSLFipsMode, err)
 	}
diff --git a/src/mongo/gotools/common/db/tlsgo/config.go b/src/mongo/gotools/common/db/tlsgo/config.go
new file mode 100644
index 00000000000..8d3971b537b
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/config.go
@@ -0,0 +1,246 @@
+// Copyright (C) MongoDB, Inc. 2018-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// This file contains code adapted from the MongoDB Go Driver.
+
+// Package tlsgo provides a mgo connection using Go's native TLS library.
+package tlsgo
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"encoding/asn1"
+	"encoding/hex"
+	"encoding/pem"
+	"fmt"
+	"io/ioutil"
+	"strings"
+)
+
+// TLSConfig contains options for configuring an SSL connection to the server.
+type TLSConfig struct {
+	caCert     *x509.Certificate
+	clientCert *tls.Certificate
+	insecure   bool
+}
+
+// NewTLSConfig creates a new TLSConfig.
+func NewTLSConfig() *TLSConfig {
+	cfg := &TLSConfig{}
+
+	return cfg
+}
+
+// SetInsecure sets whether the client should verify the server's certificate chain and hostnames.
+func (c *TLSConfig) SetInsecure(allow bool) {
+	c.insecure = allow
+}
+
+// AddClientCertFromFile adds a client certificate to the configuration given a path to the
+// containing file and returns the certificate's subject name.
+func (c *TLSConfig) AddClientCertFromFile(clientFile, password string) (string, error) {
+	data, err := ioutil.ReadFile(clientFile)
+	if err != nil {
+		return "", err
+	}
+
+	certPEM, err := loadPEMBlock(data, "CERTIFICATE")
+	if err != nil {
+		return "", err
+	}
+
+	keyPEM, err := loadPEMBlock(data, "PRIVATE KEY")
+	if err != nil {
+		return "", err
+	}
+	// This check only covers encrypted PEM data with a DEK-Info header. It
+	// does not detect unencrypted PEM containing PKCS#8 format data with an
+	// encrypted private key.
+	if x509.IsEncryptedPEMBlock(keyPEM) {
+		if password == "" {
+			return "", fmt.Errorf("No password provided to decrypt private key")
+		}
+		decrypted, err := x509.DecryptPEMBlock(keyPEM, []byte(password))
+		if err != nil {
+			return "", err
+		}
+		keyPEM = &pem.Block{Bytes: decrypted, Type: keyPEM.Type}
+	}
+
+	if strings.Contains(keyPEM.Type, "ENCRYPTED") {
+		return "", fmt.Errorf("PKCS#8 encrypted private keys are not supported")
+	}
+
+	cert, err := tls.X509KeyPair(pem.EncodeToMemory(certPEM), pem.EncodeToMemory(keyPEM))
+	if err != nil {
+		return "", err
+	}
+
+	c.clientCert = &cert
+
+	// The documentation for the tls.X509KeyPair indicates that the Leaf
+	// certificate is not retained. Because there isn't any way of creating a
+	// tls.Certificate from an x509.Certificate short of calling X509KeyPair
+	// on the raw bytes, we're forced to parse the certificate over again to
+	// get the subject name.
+	crt, err := x509.ParseCertificate(certPEM.Bytes)
+	if err != nil {
+		return "", err
+	}
+
+	return x509CertSubject(crt), nil
+}
+
+// AddCaCertFromFile adds a root CA certificate to the configuration given a path to the containing file.
+func (c *TLSConfig) AddCaCertFromFile(caFile string) error {
+	data, err := ioutil.ReadFile(caFile)
+	if err != nil {
+		return err
+	}
+
+	certBytes, err := loadCertBytes(data)
+	if err != nil {
+		return err
+	}
+
+	cert, err := x509.ParseCertificate(certBytes)
+	if err != nil {
+		return err
+	}
+
+	c.caCert = cert
+
+	return nil
+}
+
+// MakeConfig constructs a new tls.Config from the configuration specified.
+func (c *TLSConfig) MakeConfig() (*tls.Config, error) {
+	cfg := &tls.Config{}
+
+	if c.clientCert != nil {
+		cfg.Certificates = []tls.Certificate{*c.clientCert}
+	}
+
+	if c.caCert == nil {
+		roots, err := loadSystemCAs()
+		if err != nil {
+			return nil, err
+		}
+		cfg.RootCAs = roots
+	} else {
+		cfg.RootCAs = x509.NewCertPool()
+		cfg.RootCAs.AddCert(c.caCert)
+	}
+
+	cfg.InsecureSkipVerify = c.insecure
+
+	return cfg, nil
+}
+
+func loadCertBytes(data []byte) ([]byte, error) {
+	b, err := loadPEMBlock(data, "CERTIFICATE")
+	if err != nil {
+		return nil, err
+	}
+	return b.Bytes, nil
+}
+
+func loadPEMBlock(data []byte, blocktype string) (*pem.Block, error) {
+	var b *pem.Block
+
+	for b == nil {
+		if data == nil || len(data) == 0 {
+			return nil, fmt.Errorf("no block of type %s found in .pem file", blocktype)
+		}
+
+		block, rest := pem.Decode(data)
+		if block == nil {
+			return nil, fmt.Errorf("invalid .pem file")
+		}
+
+		if strings.Contains(block.Type, blocktype) {
+			if b != nil {
+				return nil, fmt.Errorf("multiple %s sections in .pem file", blocktype)
+			}
+			b = block
+		}
+
+		data = rest
+	}
+
+	return b, nil
+}
+
+// Because the functionality to convert a pkix.Name to a string wasn't added until Go 1.10, we
+// need to copy the implementation (along with the attributeTypeNames map below).
+func x509CertSubject(cert *x509.Certificate) string {
+	r := cert.Subject.ToRDNSequence()
+
+	s := ""
+	for i := 0; i < len(r); i++ {
+		rdn := r[len(r)-1-i]
+		if i > 0 {
+			s += ","
+		}
+		for j, tv := range rdn {
+			if j > 0 {
+				s += "+"
+			}
+
+			oidString := tv.Type.String()
+			typeName, ok := attributeTypeNames[oidString]
+			if !ok {
+				derBytes, err := asn1.Marshal(tv.Value)
+				if err == nil {
+					s += oidString + "=#" + hex.EncodeToString(derBytes)
+					continue // No value escaping necessary.
+				}
+
+				typeName = oidString
+			}
+
+			valueString := fmt.Sprint(tv.Value)
+			escaped := make([]rune, 0, len(valueString))
+
+			for k, c := range valueString {
+				escape := false
+
+				switch c {
+				case ',', '+', '"', '\\', '<', '>', ';':
+					escape = true
+
+				case ' ':
+					escape = k == 0 || k == len(valueString)-1
+
+				case '#':
+					escape = k == 0
+				}
+
+				if escape {
+					escaped = append(escaped, '\\', c)
+				} else {
+					escaped = append(escaped, c)
+				}
+			}
+
+			s += typeName + "=" + string(escaped)
+		}
+	}
+
+	return s
+}
+
+var attributeTypeNames = map[string]string{
+	"2.5.4.6":  "C",
+	"2.5.4.10": "O",
+	"2.5.4.11": "OU",
+	"2.5.4.3":  "CN",
+	"2.5.4.5":  "SERIALNUMBER",
+	"2.5.4.7":  "L",
+	"2.5.4.8":  "ST",
+	"2.5.4.9":  "STREET",
+	"2.5.4.17": "POSTALCODE",
+}
diff --git a/src/mongo/gotools/common/db/tlsgo/config_test.go b/src/mongo/gotools/common/db/tlsgo/config_test.go
new file mode 100644
index 00000000000..7eb09b8643c
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/config_test.go
@@ -0,0 +1,41 @@
+package tlsgo
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestAddClientCert(t *testing.T) {
+	cases := []struct {
+		Path  string
+		Pass  string
+		Valid bool
+	}{
+		{Path: "testdata/pkcs1.pem", Valid: true},
+		{Path: "testdata/pkcs1-rev.pem", Valid: true},
+		{Path: "testdata/pkcs1-encrypted.pem", Pass: "qwerty", Valid: true},
+		{Path: "testdata/pkcs1-encrypted-rev.pem", Pass: "qwerty", Valid: true},
+
+		{Path: "testdata/pkcs8.pem", Valid: true},
+		{Path: "testdata/pkcs8-rev.pem", Valid: true},
+		{Path: "testdata/pkcs8-encrypted.pem", Valid: false},
+		{Path: "testdata/pkcs8-encrypted-rev.pem", Valid: false},
+	}
+
+	for _, v := range cases {
+		tlsc := NewTLSConfig()
+		_, err := tlsc.AddClientCertFromFile(v.Path, v.Pass)
+		switch v.Valid {
+		case true:
+			if err != nil {
+				t.Errorf("Error parsing %s: %s", v.Path, err.Error())
+			}
+		case false:
+			if err == nil {
+				t.Errorf("Expected error parsing %s but parsed OK", v.Path)
+			} else if !strings.Contains(err.Error(), "encrypted private keys are not supported") {
+				t.Errorf("Incorrect error for %s: %s", v.Path, err.Error())
+			}
+		}
+	}
+}
diff --git a/src/mongo/gotools/common/db/tlsgo/rootcerts.go b/src/mongo/gotools/common/db/tlsgo/rootcerts.go
new file mode 100644
index 00000000000..ee3ec3769f1
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/rootcerts.go
@@ -0,0 +1,22 @@
+// Copyright (C) MongoDB, Inc. 2018-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+//
+// Based on https://github.com/hashicorp/go-rootcerts by HashiCorp
+// See THIRD-PARTY-NOTICES for original license terms.
+
+// +build !darwin
+
+package tlsgo
+
+import (
+	"crypto/x509"
+)
+
+// Stubbed for non-darwin systems. By returning nil, the Go library
+// will use its own code for finding system certs.
+func loadSystemCAs() (*x509.CertPool, error) {
+	return nil, nil
+}
diff --git a/src/mongo/gotools/common/db/tlsgo/rootcerts_darwin.go b/src/mongo/gotools/common/db/tlsgo/rootcerts_darwin.go
new file mode 100644
index 00000000000..72c7a9116ad
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/rootcerts_darwin.go
@@ -0,0 +1,58 @@
+// Copyright (C) MongoDB, Inc. 2018-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+//
+// Based on https://github.com/hashicorp/go-rootcerts by HashiCorp
+// See THIRD-PARTY-NOTICES for original license terms.
+
+package tlsgo
+
+import (
+	"crypto/x509"
+	"os/exec"
+	"os/user"
+	"path"
+)
+
+// loadSystemCAs has special behavior on Darwin systems to work around
+// bugs loading certs from keychains.  See this GitHub issues query:
+// https://github.com/golang/go/issues?utf8=%E2%9C%93&q=is%3Aissue+darwin+keychain
+func loadSystemCAs() (*x509.CertPool, error) {
+	pool := x509.NewCertPool()
+
+	for _, keychain := range certKeychains() {
+		err := addCertsFromKeychain(pool, keychain)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return pool, nil
+}
+
+func addCertsFromKeychain(pool *x509.CertPool, keychain string) error {
+	cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", keychain)
+	data, err := cmd.Output()
+	if err != nil {
+		return err
+	}
+
+	pool.AppendCertsFromPEM(data)
+
+	return nil
+}
+
+func certKeychains() []string {
+	keychains := []string{
+		"/System/Library/Keychains/SystemRootCertificates.keychain",
+		"/Library/Keychains/System.keychain",
+	}
+	user, err := user.Current()
+	if err == nil {
+		loginKeychain := path.Join(user.HomeDir, "Library", "Keychains", "login.keychain")
+		keychains = append(keychains, loginKeychain)
+	}
+	return keychains
+}
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-encrypted-rev.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-encrypted-rev.pem
new file mode 100644
index 00000000000..308e2263d4a
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-encrypted-rev.pem
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIDBUEVMA0GCSqGSIb3DQEBBQUAMHQxFzAVBgNVBAMTDktl
+cm5lbCBUZXN0IENBMQ8wDQYDVQQLEwZLZXJuZWwxEDAOBgNVBAoTB01vbmdvREIx
+FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
+VQQGEwJVUzAeFw0xNjA5MjIxODE1MTJaFw0zNjA5MjIxODE1MTJaMG8xEjAQBgNV
+BAMTCWxvY2FsaG9zdDEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RC
+MRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkG
+A1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTHMXV0LEZ
+OCuDZ292e26NbbrMaib6IL3obp/5tOvNVCNnvfgYyJwCCTIZq/mwCjAV5N8Y7tJM
+v0JrrGIWgJ3qtPMQ/1VxfzLLW598nnBuqZG2HiR3CTfhd0JBmnjKDMscz90+xB2x
+DUDVe6PkbZWnN2otsBzVbW+AAJRVTgUb3cjSbGcC0eTMg3SGaWiB+DtiJIAe3bl8
+6TTmrUKVvbzbJrdrFWpz+NVxf5ejZje+Wlz6OXgkWki5U41PtA7aDFIX3mo1J3c0
+jW957fC/q76jrBoTCbufYPaLQIb5QSex+aJZ40rHpSSV75tsXNUkn22u83Bes+Ih
+X0As7g5kW2TDAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
+BgkqhkiG9w0BAQUFAAOCAQEAEDzWG64/IlXSEFQZom1z0uBLSLVaxrNg4se6geLH
+Bt63EW78H+JMf97AA32DsDiT3ih5uo8yUcOVoEUwontUOSjekHrYfagF/KxMvyMy
+sWX+8m5SLrU6s4FysUCtlXa92g1Nh/rET074U2sNShhALgNB2XSw9P5n9GnKt5VT
+Rkh0AeBJd09WcOGnSHs30+kKGNV8A5a2GTJbDma0dLa7zlhV6VU91Z9LA0aamyrX
+eWwnymJvRcIYvxGqgNDxN/8MsaU1EcW0MNEDkc+kDE1LbOwlAQbCeLQDq/w6AlmC
+smoCi0pp6Bf8tZM2RhcUN/xXxgEKcZzhlDOI4v8RNHOyMg==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,B57A03692CDD397E50317A829B4A4698
+
+V/V8LyrTJtyxBZYcodeO7xyS/+pmjmbEEYWC6ugP+MgeStTINrjfiYbc3QPkfUEg
+SpWFgeq6rFbnszeWrcuk9U0NCv+vg3SjMuprrisCJerpv9bCldF9lbbqElL6o3ov
+Q3EIS5JJWxXOJN/FAvTF4nNhh+0aasMmnZyHZMsT2aqBrswDQ7h51wCV4IRHk5Xr
+StqjV314kQHMRQfybYkPKZkABtpghSLGGLguwch1cbKPCKHTinFuIuZGHJlQmnOz
+tfXtnjlrAG7LtyfddrTlWkm/fGF6lhewC15HLLgpNVkLmFtHCyOtDVTkInT6CM+x
+DaDnXebj4gghvJ0kmm7uX3rLX/pvnne+iNpNLaZcjVx20+iGhYaJdy4yUq+nH/UU
++dHlyublzcsDHmZG8CX297DT5kRgkH6Nh3VQdhygQNRNCEHQbR8Gsff/3bJ+KDO8
+6vw/xtcjnbIsOVM8Wxp+lkvKmwk+tTVEhL4bG/+6sq1Cd9jDnf0fzWx7t+IA4t/Y
+OJ2K65T6I7QVgu0y3jSyLN1MH3oLPF3VGlF6NZlRZUObDL/HzWCFWCpBMtdAxfjI
+Wxh5QyQix5lo9IuvYMYmCGk6d+N/fhpLmp3mcURkZrSZCIvfLFF7jrlO4z68j0Os
+XODkuYgBXhHKf+tYc0Scokd5cbHlLZ986ngPsSClTtdovouHMxRfWoLQBdlXvxi0
+CjC7SRPuvLSSRLXzF72Htgb7U/W+JflSwvpZrO8VJ7ngR4sU2s1fO1K7x+fLIHEx
+M1V6OTQfmJoumg6DIYqAqO8QD6JVIn+JfZ8Ympt7zFaPCJtpxxmKjmpQ1BWatDP6
+dLrdxW9uV6VKYBQuVv+k+jFcjNMrRfJHfeUxrOjCIo3dUDfju+DOdJUAMxWPzdZZ
+OmcTG/4AIzw0BJirIAuAsz1RE3V8UXjefnO3YOBZMJPx22iBOacRtcYZXX5Vi/hs
+UMmBWrjrsgmtb8KxIvDED3fnfWI6JdK92x+yIJAOB920z//XP1XmiLV6QjwXgXIw
+g85ZceCh7Z6E62GYRQ3xboelbKlOzeRXqwM9Tz75677pqnloeEZfN/0GCABX4SAi
+jDmb1dt9DiwHsVnt2zvY85V14qNq5QkCTkD+34l+ASLrwgYj8iJ8f3NQMXvBatY0
+eKUonwjSD0odxgvgdwvGlsx1++ec6TWB7jUD/dLxPqPy+m+SpsrxmJG9/WxFXIA/
+UHcW8n5xy1D1mKgeGxTPgWLwYlbcLD3HBaIFj6s9vDfP7+ztcg6Xdsslf8irHByp
+JZgnG3ptQFAVEftM7oWvM2eXdBp1mgxuSGgZohURNOAdW0m5VEsmMp95k/iN4vXI
++aTYuVmeWJhQY9pvRW38RDhwxBXIiN2dCkijUPHCi7fc1k9ox06rGsX3doW6UBu+
+H45w0BTVpJR8kv7y+Ep5yd0VTKnGy16PVL/K9GqNahzwb72JxLP+hI4Amlp7rSAG
+Mfq0O3SvSrDks5PsPgBHEKnBfMMgKgTQOWICLtFG7Xoh1aJA9ykge2TniaUZeRuN
+Wm4FEDBqhCEZpOOFdtq/P9v8KV/IDuyMhFEMb6tSn9P6EDTIS7feJnhXn7JFMdJT
+-----END RSA PRIVATE KEY-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-encrypted.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-encrypted.pem
new file mode 100644
index 00000000000..fa92cebe1d7
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-encrypted.pem
@@ -0,0 +1,51 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,B57A03692CDD397E50317A829B4A4698
+
+V/V8LyrTJtyxBZYcodeO7xyS/+pmjmbEEYWC6ugP+MgeStTINrjfiYbc3QPkfUEg
+SpWFgeq6rFbnszeWrcuk9U0NCv+vg3SjMuprrisCJerpv9bCldF9lbbqElL6o3ov
+Q3EIS5JJWxXOJN/FAvTF4nNhh+0aasMmnZyHZMsT2aqBrswDQ7h51wCV4IRHk5Xr
+StqjV314kQHMRQfybYkPKZkABtpghSLGGLguwch1cbKPCKHTinFuIuZGHJlQmnOz
+tfXtnjlrAG7LtyfddrTlWkm/fGF6lhewC15HLLgpNVkLmFtHCyOtDVTkInT6CM+x
+DaDnXebj4gghvJ0kmm7uX3rLX/pvnne+iNpNLaZcjVx20+iGhYaJdy4yUq+nH/UU
++dHlyublzcsDHmZG8CX297DT5kRgkH6Nh3VQdhygQNRNCEHQbR8Gsff/3bJ+KDO8
+6vw/xtcjnbIsOVM8Wxp+lkvKmwk+tTVEhL4bG/+6sq1Cd9jDnf0fzWx7t+IA4t/Y
+OJ2K65T6I7QVgu0y3jSyLN1MH3oLPF3VGlF6NZlRZUObDL/HzWCFWCpBMtdAxfjI
+Wxh5QyQix5lo9IuvYMYmCGk6d+N/fhpLmp3mcURkZrSZCIvfLFF7jrlO4z68j0Os
+XODkuYgBXhHKf+tYc0Scokd5cbHlLZ986ngPsSClTtdovouHMxRfWoLQBdlXvxi0
+CjC7SRPuvLSSRLXzF72Htgb7U/W+JflSwvpZrO8VJ7ngR4sU2s1fO1K7x+fLIHEx
+M1V6OTQfmJoumg6DIYqAqO8QD6JVIn+JfZ8Ympt7zFaPCJtpxxmKjmpQ1BWatDP6
+dLrdxW9uV6VKYBQuVv+k+jFcjNMrRfJHfeUxrOjCIo3dUDfju+DOdJUAMxWPzdZZ
+OmcTG/4AIzw0BJirIAuAsz1RE3V8UXjefnO3YOBZMJPx22iBOacRtcYZXX5Vi/hs
+UMmBWrjrsgmtb8KxIvDED3fnfWI6JdK92x+yIJAOB920z//XP1XmiLV6QjwXgXIw
+g85ZceCh7Z6E62GYRQ3xboelbKlOzeRXqwM9Tz75677pqnloeEZfN/0GCABX4SAi
+jDmb1dt9DiwHsVnt2zvY85V14qNq5QkCTkD+34l+ASLrwgYj8iJ8f3NQMXvBatY0
+eKUonwjSD0odxgvgdwvGlsx1++ec6TWB7jUD/dLxPqPy+m+SpsrxmJG9/WxFXIA/
+UHcW8n5xy1D1mKgeGxTPgWLwYlbcLD3HBaIFj6s9vDfP7+ztcg6Xdsslf8irHByp
+JZgnG3ptQFAVEftM7oWvM2eXdBp1mgxuSGgZohURNOAdW0m5VEsmMp95k/iN4vXI
++aTYuVmeWJhQY9pvRW38RDhwxBXIiN2dCkijUPHCi7fc1k9ox06rGsX3doW6UBu+
+H45w0BTVpJR8kv7y+Ep5yd0VTKnGy16PVL/K9GqNahzwb72JxLP+hI4Amlp7rSAG
+Mfq0O3SvSrDks5PsPgBHEKnBfMMgKgTQOWICLtFG7Xoh1aJA9ykge2TniaUZeRuN
+Wm4FEDBqhCEZpOOFdtq/P9v8KV/IDuyMhFEMb6tSn9P6EDTIS7feJnhXn7JFMdJT
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIDBUEVMA0GCSqGSIb3DQEBBQUAMHQxFzAVBgNVBAMTDktl
+cm5lbCBUZXN0IENBMQ8wDQYDVQQLEwZLZXJuZWwxEDAOBgNVBAoTB01vbmdvREIx
+FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
+VQQGEwJVUzAeFw0xNjA5MjIxODE1MTJaFw0zNjA5MjIxODE1MTJaMG8xEjAQBgNV
+BAMTCWxvY2FsaG9zdDEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RC
+MRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkG
+A1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTHMXV0LEZ
+OCuDZ292e26NbbrMaib6IL3obp/5tOvNVCNnvfgYyJwCCTIZq/mwCjAV5N8Y7tJM
+v0JrrGIWgJ3qtPMQ/1VxfzLLW598nnBuqZG2HiR3CTfhd0JBmnjKDMscz90+xB2x
+DUDVe6PkbZWnN2otsBzVbW+AAJRVTgUb3cjSbGcC0eTMg3SGaWiB+DtiJIAe3bl8
+6TTmrUKVvbzbJrdrFWpz+NVxf5ejZje+Wlz6OXgkWki5U41PtA7aDFIX3mo1J3c0
+jW957fC/q76jrBoTCbufYPaLQIb5QSex+aJZ40rHpSSV75tsXNUkn22u83Bes+Ih
+X0As7g5kW2TDAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
+BgkqhkiG9w0BAQUFAAOCAQEAEDzWG64/IlXSEFQZom1z0uBLSLVaxrNg4se6geLH
+Bt63EW78H+JMf97AA32DsDiT3ih5uo8yUcOVoEUwontUOSjekHrYfagF/KxMvyMy
+sWX+8m5SLrU6s4FysUCtlXa92g1Nh/rET074U2sNShhALgNB2XSw9P5n9GnKt5VT
+Rkh0AeBJd09WcOGnSHs30+kKGNV8A5a2GTJbDma0dLa7zlhV6VU91Z9LA0aamyrX
+eWwnymJvRcIYvxGqgNDxN/8MsaU1EcW0MNEDkc+kDE1LbOwlAQbCeLQDq/w6AlmC
+smoCi0pp6Bf8tZM2RhcUN/xXxgEKcZzhlDOI4v8RNHOyMg==
+-----END CERTIFICATE-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-rev.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-rev.pem
new file mode 100644
index 00000000000..0bb7b967c9d
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1-rev.pem
@@ -0,0 +1,48 @@
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIDBUEVMA0GCSqGSIb3DQEBBQUAMHQxFzAVBgNVBAMTDktl
+cm5lbCBUZXN0IENBMQ8wDQYDVQQLEwZLZXJuZWwxEDAOBgNVBAoTB01vbmdvREIx
+FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
+VQQGEwJVUzAeFw0xNjA5MjIxODE1MTJaFw0zNjA5MjIxODE1MTJaMG8xEjAQBgNV
+BAMTCWxvY2FsaG9zdDEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RC
+MRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkG
+A1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTHMXV0LEZ
+OCuDZ292e26NbbrMaib6IL3obp/5tOvNVCNnvfgYyJwCCTIZq/mwCjAV5N8Y7tJM
+v0JrrGIWgJ3qtPMQ/1VxfzLLW598nnBuqZG2HiR3CTfhd0JBmnjKDMscz90+xB2x
+DUDVe6PkbZWnN2otsBzVbW+AAJRVTgUb3cjSbGcC0eTMg3SGaWiB+DtiJIAe3bl8
+6TTmrUKVvbzbJrdrFWpz+NVxf5ejZje+Wlz6OXgkWki5U41PtA7aDFIX3mo1J3c0
+jW957fC/q76jrBoTCbufYPaLQIb5QSex+aJZ40rHpSSV75tsXNUkn22u83Bes+Ih
+X0As7g5kW2TDAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
+BgkqhkiG9w0BAQUFAAOCAQEAEDzWG64/IlXSEFQZom1z0uBLSLVaxrNg4se6geLH
+Bt63EW78H+JMf97AA32DsDiT3ih5uo8yUcOVoEUwontUOSjekHrYfagF/KxMvyMy
+sWX+8m5SLrU6s4FysUCtlXa92g1Nh/rET074U2sNShhALgNB2XSw9P5n9GnKt5VT
+Rkh0AeBJd09WcOGnSHs30+kKGNV8A5a2GTJbDma0dLa7zlhV6VU91Z9LA0aamyrX
+eWwnymJvRcIYvxGqgNDxN/8MsaU1EcW0MNEDkc+kDE1LbOwlAQbCeLQDq/w6AlmC
+smoCi0pp6Bf8tZM2RhcUN/xXxgEKcZzhlDOI4v8RNHOyMg==
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAkxzF1dCxGTgrg2dvdntujW26zGom+iC96G6f+bTrzVQjZ734
+GMicAgkyGav5sAowFeTfGO7STL9Ca6xiFoCd6rTzEP9VcX8yy1uffJ5wbqmRth4k
+dwk34XdCQZp4ygzLHM/dPsQdsQ1A1Xuj5G2VpzdqLbAc1W1vgACUVU4FG93I0mxn
+AtHkzIN0hmlogfg7YiSAHt25fOk05q1Clb282ya3axVqc/jVcX+Xo2Y3vlpc+jl4
+JFpIuVONT7QO2gxSF95qNSd3NI1vee3wv6u+o6waEwm7n2D2i0CG+UEnsfmiWeNK
+x6Ukle+bbFzVJJ9trvNwXrPiIV9ALO4OZFtkwwIDAQABAoIBAAuueTclPyrVfv8M
+M5mg64JneDHLLBUojGvsfN+DMkY3rCgMuaqeI2U1/bh0I3uLE45pgh2kuSZG+as7
+IP7Qb7m3bKWo4MwGYa4sNFnc6uiepmdjtVmObdWFdslmzrick3RSPStCv2jTuJY7
+HySAXyXMDK5cEa4Q5o2vfhfX/ifcMZrS2Pz1o4k2Wh8EtzmRxJR+QR8d+XLtVsKf
+WIvtlhwGqWkmocFOsWW/6Mtf7IPWC3QAPjVYNcxe/8LSE/FhnRr7L6Uv1K7vGImE
+/+QVScl5sP2bpvo+9LxzOMANMdTWWX5ZZJhIdvwpsyctcZovuJq/Lrh9A0j40nRJ
+LuR6wUECgYEA2AgCKimqgpf7WCZMv72Kbur2banm1nwRsnPENGK4e6ZuYwHXu5n6
+HLgk/zp2lJdE4yGr8EBE5hvoFCosxEuvF2ldlqnKDqRUC9IKNtXJEisadWCEPmOp
+v04zPaV5hWOXaK3ZoCQ7D8xvzThcZderMMdGoeacv050nJnSkPEhissCgYEArlSG
+x2KRa1AvAYwMnEIeABrzjSzLLPHyYmCByouo3ljjWiBu7gSsJCO+O8QBjIklpW24
+g+Cek8d9X3oMw2aKKukgecxTR/XE7StB6RXngEIWvIqLj3CNWn1l+K/F95rrQrBr
+6Fea6qWnMYeZrnuGGvBX7PwjJncE1nvn+ey/9ukCgYB/1N1TDayz8jLsil1H6GSO
+FcMUSUErEed27UHgrbn0kRsowuJhRE/Xxq89x957NrewnzAaziz27PR7Wil7Tj2h
+YNvcV0QVPe/tvrAEmqSMd60EX8RhFqBPb3qqs8wgvjnN23G3bTj1tEdD7GHgcan/
+BywoiUmfelFOiUcsNUNf2QKBgBUuig3R6S9r17pNZP7bfb+vhqZBqhI096mCZmLQ
+41zY2g8KX9Al2zCs8yFZ6IJF68AU+9VyRnJYS+B8+O4JGIKsPtjtvbTBpQLYPbLv
+iWhpH1AbWWe9Wj+Dew9jdB9owGsi+omJk3YtWIpJGqA7vAir6VMPM8oprfnNplsU
+rCJ5AoGBANRKxMsriiA/sDLPxDCQOZg4JGRy1ycRVu75wETwoWnDMUP6J6BxE/pK
+keA1nmrVXLheVs3kB7Bg7Jm+53E6RPATRGbvJ+5nqtDDxjL3HL8Jg6uKFjPmnpJ4
+crTsbc7nrAxo0cRmUlgbzQqhgAfnb8B7Fai2T1qoFixPtIFicehx
+-----END RSA PRIVATE KEY-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1.pem
new file mode 100644
index 00000000000..9f6124b5fa2
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs1.pem
@@ -0,0 +1,48 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAkxzF1dCxGTgrg2dvdntujW26zGom+iC96G6f+bTrzVQjZ734
+GMicAgkyGav5sAowFeTfGO7STL9Ca6xiFoCd6rTzEP9VcX8yy1uffJ5wbqmRth4k
+dwk34XdCQZp4ygzLHM/dPsQdsQ1A1Xuj5G2VpzdqLbAc1W1vgACUVU4FG93I0mxn
+AtHkzIN0hmlogfg7YiSAHt25fOk05q1Clb282ya3axVqc/jVcX+Xo2Y3vlpc+jl4
+JFpIuVONT7QO2gxSF95qNSd3NI1vee3wv6u+o6waEwm7n2D2i0CG+UEnsfmiWeNK
+x6Ukle+bbFzVJJ9trvNwXrPiIV9ALO4OZFtkwwIDAQABAoIBAAuueTclPyrVfv8M
+M5mg64JneDHLLBUojGvsfN+DMkY3rCgMuaqeI2U1/bh0I3uLE45pgh2kuSZG+as7
+IP7Qb7m3bKWo4MwGYa4sNFnc6uiepmdjtVmObdWFdslmzrick3RSPStCv2jTuJY7
+HySAXyXMDK5cEa4Q5o2vfhfX/ifcMZrS2Pz1o4k2Wh8EtzmRxJR+QR8d+XLtVsKf
+WIvtlhwGqWkmocFOsWW/6Mtf7IPWC3QAPjVYNcxe/8LSE/FhnRr7L6Uv1K7vGImE
+/+QVScl5sP2bpvo+9LxzOMANMdTWWX5ZZJhIdvwpsyctcZovuJq/Lrh9A0j40nRJ
+LuR6wUECgYEA2AgCKimqgpf7WCZMv72Kbur2banm1nwRsnPENGK4e6ZuYwHXu5n6
+HLgk/zp2lJdE4yGr8EBE5hvoFCosxEuvF2ldlqnKDqRUC9IKNtXJEisadWCEPmOp
+v04zPaV5hWOXaK3ZoCQ7D8xvzThcZderMMdGoeacv050nJnSkPEhissCgYEArlSG
+x2KRa1AvAYwMnEIeABrzjSzLLPHyYmCByouo3ljjWiBu7gSsJCO+O8QBjIklpW24
+g+Cek8d9X3oMw2aKKukgecxTR/XE7StB6RXngEIWvIqLj3CNWn1l+K/F95rrQrBr
+6Fea6qWnMYeZrnuGGvBX7PwjJncE1nvn+ey/9ukCgYB/1N1TDayz8jLsil1H6GSO
+FcMUSUErEed27UHgrbn0kRsowuJhRE/Xxq89x957NrewnzAaziz27PR7Wil7Tj2h
+YNvcV0QVPe/tvrAEmqSMd60EX8RhFqBPb3qqs8wgvjnN23G3bTj1tEdD7GHgcan/
+BywoiUmfelFOiUcsNUNf2QKBgBUuig3R6S9r17pNZP7bfb+vhqZBqhI096mCZmLQ
+41zY2g8KX9Al2zCs8yFZ6IJF68AU+9VyRnJYS+B8+O4JGIKsPtjtvbTBpQLYPbLv
+iWhpH1AbWWe9Wj+Dew9jdB9owGsi+omJk3YtWIpJGqA7vAir6VMPM8oprfnNplsU
+rCJ5AoGBANRKxMsriiA/sDLPxDCQOZg4JGRy1ycRVu75wETwoWnDMUP6J6BxE/pK
+keA1nmrVXLheVs3kB7Bg7Jm+53E6RPATRGbvJ+5nqtDDxjL3HL8Jg6uKFjPmnpJ4
+crTsbc7nrAxo0cRmUlgbzQqhgAfnb8B7Fai2T1qoFixPtIFicehx
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIDBUEVMA0GCSqGSIb3DQEBBQUAMHQxFzAVBgNVBAMTDktl
+cm5lbCBUZXN0IENBMQ8wDQYDVQQLEwZLZXJuZWwxEDAOBgNVBAoTB01vbmdvREIx
+FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
+VQQGEwJVUzAeFw0xNjA5MjIxODE1MTJaFw0zNjA5MjIxODE1MTJaMG8xEjAQBgNV
+BAMTCWxvY2FsaG9zdDEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RC
+MRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkG
+A1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTHMXV0LEZ
+OCuDZ292e26NbbrMaib6IL3obp/5tOvNVCNnvfgYyJwCCTIZq/mwCjAV5N8Y7tJM
+v0JrrGIWgJ3qtPMQ/1VxfzLLW598nnBuqZG2HiR3CTfhd0JBmnjKDMscz90+xB2x
+DUDVe6PkbZWnN2otsBzVbW+AAJRVTgUb3cjSbGcC0eTMg3SGaWiB+DtiJIAe3bl8
+6TTmrUKVvbzbJrdrFWpz+NVxf5ejZje+Wlz6OXgkWki5U41PtA7aDFIX3mo1J3c0
+jW957fC/q76jrBoTCbufYPaLQIb5QSex+aJZ40rHpSSV75tsXNUkn22u83Bes+Ih
+X0As7g5kW2TDAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
+BgkqhkiG9w0BAQUFAAOCAQEAEDzWG64/IlXSEFQZom1z0uBLSLVaxrNg4se6geLH
+Bt63EW78H+JMf97AA32DsDiT3ih5uo8yUcOVoEUwontUOSjekHrYfagF/KxMvyMy
+sWX+8m5SLrU6s4FysUCtlXa92g1Nh/rET074U2sNShhALgNB2XSw9P5n9GnKt5VT
+Rkh0AeBJd09WcOGnSHs30+kKGNV8A5a2GTJbDma0dLa7zlhV6VU91Z9LA0aamyrX
+eWwnymJvRcIYvxGqgNDxN/8MsaU1EcW0MNEDkc+kDE1LbOwlAQbCeLQDq/w6AlmC
+smoCi0pp6Bf8tZM2RhcUN/xXxgEKcZzhlDOI4v8RNHOyMg==
+-----END CERTIFICATE-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-encrypted-rev.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-encrypted-rev.pem
new file mode 100644
index 00000000000..2a9b8ea4aa4
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-encrypted-rev.pem
@@ -0,0 +1,51 @@
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIDBUEVMA0GCSqGSIb3DQEBBQUAMHQxFzAVBgNVBAMTDktl
+cm5lbCBUZXN0IENBMQ8wDQYDVQQLEwZLZXJuZWwxEDAOBgNVBAoTB01vbmdvREIx
+FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
+VQQGEwJVUzAeFw0xNjA5MjIxODE1MTJaFw0zNjA5MjIxODE1MTJaMG8xEjAQBgNV
+BAMTCWxvY2FsaG9zdDEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RC
+MRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkG
+A1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTHMXV0LEZ
+OCuDZ292e26NbbrMaib6IL3obp/5tOvNVCNnvfgYyJwCCTIZq/mwCjAV5N8Y7tJM
+v0JrrGIWgJ3qtPMQ/1VxfzLLW598nnBuqZG2HiR3CTfhd0JBmnjKDMscz90+xB2x
+DUDVe6PkbZWnN2otsBzVbW+AAJRVTgUb3cjSbGcC0eTMg3SGaWiB+DtiJIAe3bl8
+6TTmrUKVvbzbJrdrFWpz+NVxf5ejZje+Wlz6OXgkWki5U41PtA7aDFIX3mo1J3c0
+jW957fC/q76jrBoTCbufYPaLQIb5QSex+aJZ40rHpSSV75tsXNUkn22u83Bes+Ih
+X0As7g5kW2TDAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
+BgkqhkiG9w0BAQUFAAOCAQEAEDzWG64/IlXSEFQZom1z0uBLSLVaxrNg4se6geLH
+Bt63EW78H+JMf97AA32DsDiT3ih5uo8yUcOVoEUwontUOSjekHrYfagF/KxMvyMy
+sWX+8m5SLrU6s4FysUCtlXa92g1Nh/rET074U2sNShhALgNB2XSw9P5n9GnKt5VT
+Rkh0AeBJd09WcOGnSHs30+kKGNV8A5a2GTJbDma0dLa7zlhV6VU91Z9LA0aamyrX
+eWwnymJvRcIYvxGqgNDxN/8MsaU1EcW0MNEDkc+kDE1LbOwlAQbCeLQDq/w6AlmC
+smoCi0pp6Bf8tZM2RhcUN/xXxgEKcZzhlDOI4v8RNHOyMg==
+-----END CERTIFICATE-----
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIP80PLbXYYHUCAggA
+MB0GCWCGSAFlAwQBAgQQu1qZnln9ymhZVDJmGJpIJQSCBNDufC1nGCgwBWtkzqP+
+MN3/UJD4cX6TQDjGotN484gLvCm138yB8EPSuFz2RUcOFQImKm3fuqBKgx08jen6
+DQRNekzW1ngIV3BZwn5kMwr0lJK4ibpfEmdTYu/2INq55ljsFx7pq+69PLOqskPa
+l+1CzPub0xPC8spG6H0xxOV3HYZlzNX6SKgpK/GPCyGzspgijdacn+x+KFpvMRG3
+fDvdGTP5F/lk6++EHFM/LBfitNV0qkd9GoOIbcDkinu6EytSfJY/mY337AhitWQZ
+zdhgC3nA+QYy9s/hs2hXBepkIsFzLMRF162Cqc7KPNObpVGBPxFS+an3c7FyYXVw
+ekTf1XrUpdsqNIgvSQkUhzkPc01jHWd4paHgSCLayLx6c9jPXiCxgASZ7BcjAZOC
+VLqoi9RHYrEdpoZBwMnSheHa6OVdqPbitlx4vA41s1ERuRktz9hXuhl/Rje+IF5i
+2N2l4q3ix4K2yvtZ4wmoc92/WPy2XVudeBinupIxLbrq82HIs1KvLZZ78s+s2Gfh
+PDH/1gMiraOWyBY1/4DtAnptl2qKW3YsTwMGCfrX8euRC7WCk/QBw6SBy1XlV2pc
+uc1ZOAgWQHwDSRK6XJHgElrQkgVRlszg5vofJ1RdRxJo6XossIc3vx/IUqv2+7xx
+mGBE+71FYDg4vmN5nAgN2MjEGdyMEGL4WiKT6Y/WSOTrtRVKRFTilzxuOmx6Hq37
+rldBokhttrx0JikU0fqDWSaDbERSslmv5TinygKyq/PnGOHtcBzHC0c+AIlp2Rj8
+Z5TbgMVcxjV0GZ0SojjO6DO9weJ5c5iBom+VJrniYNDc4jqn0OqIQEembgGuTdHk
+37Dqp7oxonLZS1Qi+YNljxQvGUeaoy0hSJS/9C2ANWoo+POB/BkhdS3NT2CQAxNZ
+ca4ThdtyLvhSjLIEEMJH7J+LFVuE32hbivWtjKcha8vJ/sYz5gZE193Jfz5H92Zq
+3Ee7ipvaKQrxATCp7xJdX5ftHp2+dMsiRKxff8TOO9TVwoJkWOw9zSOMidI+znuL
+IF2kTMMPu/o1EbOzEvgck/dcvPlTzWQEGy6eCSixndB4c9yjcVnZpzYnWJEhV7to
+W9OfcBkQ/3V5jn96yQPCXm1br2j9FS5QDmWP+GOlLUEPwb27jUajTs3emeqvC0qJ
+OALtJsKkwT9L7Cq/cZNByBrbmimEI1NkaVRPjauHhQSzPYIJWBkaJPoZIkbCJ5eO
+vRi/2Bd74fda8pVFxm9kUNP8wwpz9JSXmzVRzGXOJ3lS1TKAXl++gb5HX+bieSNy
+QHcjw6rBwOkdac40vs5mxGb0XHtP8Qqvn0+fzmKan4MBGKGrB2nlfBrhI2Uopni5
+WRSWbZjDe3ofsjlaj39rxQksvSnZEN/us4JHl2QWfYhpg9tYiCmO0zPREqdWKoi2
+IgydR30JXmNx+W2UBoh1iIPgxeqkDXsxWusGbAgyZs4s7/dcrlcVQz5vzHm0zXsK
+hix58eAuxTJORkGKaxva5fmdwvHJJPt5/nPPsGdm81WVqm79yKRRE4mjl+PTBryE
+4IuFZjGksVDHpi1LMpW4FMmaYjf/oNm9/ZAqOtxJYC8CFIyyVbqSMOwrqSDxmE8O
+gHyWskGclbX/lOH8H83lXnh2xw==
+-----END ENCRYPTED PRIVATE KEY-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-encrypted.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-encrypted.pem
new file mode 100644
index 00000000000..88773490b0f
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-encrypted.pem
@@ -0,0 +1,51 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFHzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQIP80PLbXYYHUCAggA
+MB0GCWCGSAFlAwQBAgQQu1qZnln9ymhZVDJmGJpIJQSCBNDufC1nGCgwBWtkzqP+
+MN3/UJD4cX6TQDjGotN484gLvCm138yB8EPSuFz2RUcOFQImKm3fuqBKgx08jen6
+DQRNekzW1ngIV3BZwn5kMwr0lJK4ibpfEmdTYu/2INq55ljsFx7pq+69PLOqskPa
+l+1CzPub0xPC8spG6H0xxOV3HYZlzNX6SKgpK/GPCyGzspgijdacn+x+KFpvMRG3
+fDvdGTP5F/lk6++EHFM/LBfitNV0qkd9GoOIbcDkinu6EytSfJY/mY337AhitWQZ
+zdhgC3nA+QYy9s/hs2hXBepkIsFzLMRF162Cqc7KPNObpVGBPxFS+an3c7FyYXVw
+ekTf1XrUpdsqNIgvSQkUhzkPc01jHWd4paHgSCLayLx6c9jPXiCxgASZ7BcjAZOC
+VLqoi9RHYrEdpoZBwMnSheHa6OVdqPbitlx4vA41s1ERuRktz9hXuhl/Rje+IF5i
+2N2l4q3ix4K2yvtZ4wmoc92/WPy2XVudeBinupIxLbrq82HIs1KvLZZ78s+s2Gfh
+PDH/1gMiraOWyBY1/4DtAnptl2qKW3YsTwMGCfrX8euRC7WCk/QBw6SBy1XlV2pc
+uc1ZOAgWQHwDSRK6XJHgElrQkgVRlszg5vofJ1RdRxJo6XossIc3vx/IUqv2+7xx
+mGBE+71FYDg4vmN5nAgN2MjEGdyMEGL4WiKT6Y/WSOTrtRVKRFTilzxuOmx6Hq37
+rldBokhttrx0JikU0fqDWSaDbERSslmv5TinygKyq/PnGOHtcBzHC0c+AIlp2Rj8
+Z5TbgMVcxjV0GZ0SojjO6DO9weJ5c5iBom+VJrniYNDc4jqn0OqIQEembgGuTdHk
+37Dqp7oxonLZS1Qi+YNljxQvGUeaoy0hSJS/9C2ANWoo+POB/BkhdS3NT2CQAxNZ
+ca4ThdtyLvhSjLIEEMJH7J+LFVuE32hbivWtjKcha8vJ/sYz5gZE193Jfz5H92Zq
+3Ee7ipvaKQrxATCp7xJdX5ftHp2+dMsiRKxff8TOO9TVwoJkWOw9zSOMidI+znuL
+IF2kTMMPu/o1EbOzEvgck/dcvPlTzWQEGy6eCSixndB4c9yjcVnZpzYnWJEhV7to
+W9OfcBkQ/3V5jn96yQPCXm1br2j9FS5QDmWP+GOlLUEPwb27jUajTs3emeqvC0qJ
+OALtJsKkwT9L7Cq/cZNByBrbmimEI1NkaVRPjauHhQSzPYIJWBkaJPoZIkbCJ5eO
+vRi/2Bd74fda8pVFxm9kUNP8wwpz9JSXmzVRzGXOJ3lS1TKAXl++gb5HX+bieSNy
+QHcjw6rBwOkdac40vs5mxGb0XHtP8Qqvn0+fzmKan4MBGKGrB2nlfBrhI2Uopni5
+WRSWbZjDe3ofsjlaj39rxQksvSnZEN/us4JHl2QWfYhpg9tYiCmO0zPREqdWKoi2
+IgydR30JXmNx+W2UBoh1iIPgxeqkDXsxWusGbAgyZs4s7/dcrlcVQz5vzHm0zXsK
+hix58eAuxTJORkGKaxva5fmdwvHJJPt5/nPPsGdm81WVqm79yKRRE4mjl+PTBryE
+4IuFZjGksVDHpi1LMpW4FMmaYjf/oNm9/ZAqOtxJYC8CFIyyVbqSMOwrqSDxmE8O
+gHyWskGclbX/lOH8H83lXnh2xw==
+-----END ENCRYPTED PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDfjCCAmagAwIBAgIDBUEVMA0GCSqGSIb3DQEBBQUAMHQxFzAVBgNVBAMTDktl
+cm5lbCBUZXN0IENBMQ8wDQYDVQQLEwZLZXJuZWwxEDAOBgNVBAoTB01vbmdvREIx
+FjAUBgNVBAcTDU5ldyBZb3JrIENpdHkxETAPBgNVBAgTCE5ldyBZb3JrMQswCQYD
+VQQGEwJVUzAeFw0xNjA5MjIxODE1MTJaFw0zNjA5MjIxODE1MTJaMG8xEjAQBgNV
+BAMTCWxvY2FsaG9zdDEPMA0GA1UECxMGS2VybmVsMRAwDgYDVQQKEwdNb25nb0RC
+MRYwFAYDVQQHEw1OZXcgWW9yayBDaXR5MREwDwYDVQQIEwhOZXcgWW9yazELMAkG
+A1UEBhMCVVMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCTHMXV0LEZ
+OCuDZ292e26NbbrMaib6IL3obp/5tOvNVCNnvfgYyJwCCTIZq/mwCjAV5N8Y7tJM
+v0JrrGIWgJ3qtPMQ/1VxfzLLW598nnBuqZG2HiR3CTfhd0JBmnjKDMscz90+xB2x
+DUDVe6PkbZWnN2otsBzVbW+AAJRVTgUb3cjSbGcC0eTMg3SGaWiB+DtiJIAe3bl8
+6TTmrUKVvbzbJrdrFWpz+NVxf5ejZje+Wlz6OXgkWki5U41PtA7aDFIX3mo1J3c0
+jW957fC/q76jrBoTCbufYPaLQIb5QSex+aJZ40rHpSSV75tsXNUkn22u83Bes+Ih
+X0As7g5kW2TDAgMBAAGjHjAcMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
+BgkqhkiG9w0BAQUFAAOCAQEAEDzWG64/IlXSEFQZom1z0uBLSLVaxrNg4se6geLH
+Bt63EW78H+JMf97AA32DsDiT3ih5uo8yUcOVoEUwontUOSjekHrYfagF/KxMvyMy
+sWX+8m5SLrU6s4FysUCtlXa92g1Nh/rET074U2sNShhALgNB2XSw9P5n9GnKt5VT
+Rkh0AeBJd09WcOGnSHs30+kKGNV8A5a2GTJbDma0dLa7zlhV6VU91Z9LA0aamyrX
+eWwnymJvRcIYvxGqgNDxN/8MsaU1EcW0MNEDkc+kDE1LbOwlAQbCeLQDq/w6AlmC
+smoCi0pp6Bf8tZM2RhcUN/xXxgEKcZzhlDOI4v8RNHOyMg==
+-----END CERTIFICATE-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-rev.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-rev.pem
new file mode 100644
index 00000000000..7d902b28e11
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8-rev.pem
@@ -0,0 +1,50 @@
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIJAIJdodI/q6hqMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEQMA4GA1UECgwHTW9uZ29EQjERMA8G
+A1UECwwIU2VjdXJpdHkxCzAJBgNVBAMMAmNhMB4XDTE3MDMxNzEwMTQ0MVoXDTI3
+MDMxNTEwMTQ0MVowaDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREw
+DwYDVQQHDAhOZXcgWW9yazEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UECwwHRHJp
+dmVyczEPMA0GA1UEAwwGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA0nYSydRYw7eM1KtyM6s49A7SIPGUua+wStu9KkTzFcaJ8y/hcrek5J/4
+PcpY5gf8tkf3GrXxumtPnWCJJP+wbNh4U9HJgtFrzkIHnYmOxjLERGgu/w+4W3J+
+/RUSOOHK2DeOzIYZd79d48716kNWYFV80nhQRJexJSD1fGgQLll947HBh50f4Jne
+JMtq3Bw/YoJfKDa8AcsWj80U5yGF6BUhVddteIwXlHbTUJxFu5cZ3iVOEr7sTd8O
+gpJ1XZgUGOW9fVBxwRRiLe1MXHrljvaNOT532W+kQDw9U94teD6pDTIRPrOxJ8l4
+GWiP3hyKVqcbx2fPumj5zqRz8nlZSQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
+SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUd7IrLVymryD9EI7JqSDy61B0hiYwHwYDVR0jBBgwFoAU6V78cAw4dTLrQwZE
+x8Vf5k+rHDkwDQYJKoZIhvcNAQELBQADggEBAGxTZl9WrjlXd9UFIFKiTx3io/YR
+NuAfStSuLwoNAi3P+XYLwvfUScyHOambqBmBFsMSNiQe6h4tepcVIFLeGcsTsoyf
+JkTMwiJH1iIdAchNJmsdkWrPlzUc8s7modmzBx6TBokiGL79vVuh20SW8IyWJZaf
+79A1vFR7PRRPsJWfbXkEOP+CoyQfJtPLz+fFcX2CFkvtn5T8IM97OBBckyE3pjRQ
+nZ7bDc+mM/2T23KMnSWNvqP68Yt+7YMyQ+uj1+HJOHfHQSD0nU/Mn0+EqLhZbzvL
+EKJ5z1meByoriHlMGvZjGMIIcH1Gt/QAi8sVzZBJr+Cq0c9P7F+uNFcODaM=
+-----END CERTIFICATE-----
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDSdhLJ1FjDt4zU
+q3Izqzj0DtIg8ZS5r7BK270qRPMVxonzL+Fyt6Tkn/g9yljmB/y2R/catfG6a0+d
+YIkk/7Bs2HhT0cmC0WvOQgediY7GMsREaC7/D7hbcn79FRI44crYN47Mhhl3v13j
+zvXqQ1ZgVXzSeFBEl7ElIPV8aBAuWX3jscGHnR/gmd4ky2rcHD9igl8oNrwByxaP
+zRTnIYXoFSFV1214jBeUdtNQnEW7lxneJU4SvuxN3w6CknVdmBQY5b19UHHBFGIt
+7UxceuWO9o05PnfZb6RAPD1T3i14PqkNMhE+s7EnyXgZaI/eHIpWpxvHZ8+6aPnO
+pHPyeVlJAgMBAAECggEBALR2AAhF51Ly2XQmCkeZor1K1AzhePh7WDvoDVzoQFPE
+qNb4kGTwaRiMvqwlDHM6GAwoyw6BQmPpzhuRAifSgvHh79NXiGV+suTqI2OG5wC1
+2Ssa9mlIjnkDRTY3UieqHGenw+9FcSMH2TcUaDLWSINT6jMCbTlTpNbEWxqwlGdY
+URP4I0lN/NiKyfGemctXTuKj3YOB+6feQZaL1RWYJ9pneSad6rbsLYLOc0JAK8zG
+wu3mPhPTrMqaj7DXAbhz4NWmIjosIp4/5bnV2HSvpd4UiB7/yK/gknZ4XesHOz4z
+aIKbYxbaUkrKIGO/mwuZOjCDSw/rSDmuxuDWFRU3NE0CgYEA6LW2dFPfxIxEmeXl
+EzFxJhsCeCOcPo4ueWxbMboILl2KjMhTUGxKZEjJtWpK+FwVqashU2CrDfW/zfzp
+ekb1EVAeq+bDsHKRXMJfHQ3qky733nqsKbpQonJwyQ64AVhQVLgr8Xi+gNiYaOWo
+g5ZftrlNlJu59GJv+St2eipAlwsCgYEA54ZTpYAodRkMcZOGqiG8mHwNwxPSRIRO
+7iRRT+8NFLVfC3Y1oPD7o2tmwFDpSzybgIOpdKuqHOG6/ed82AyqnODhmdNPcCpv
+FgyWZaurgJepe8Y61vjoaV6y7geLJAOL/WAbqzRRq6tDI708t21lsFCTvtoyW/0I
+0kggr/+ytXsCgYEAkaW5jlE4ilGoVhI3L64QPWNGRl8zWUuv9rtE0Hi4yhwtrTNs
+QbelT+LmrC7cwVkRDeJXt1GXfeNDqu8SSj/C/pUAvWJvNC5goIfe89ZT7M7GwG5S
+9sLv2Nx7jrsxm1Xk4UFr73Q893OY4H5s2/7v5PNRhSN6XWSG5JK5UnjDeEUCgYEA
+iMQnAWsVeybS3Pzi3fmT6RfPIV/CJEtsPO0jQ27ZcVQ60xB/WZVBcSXuysiBJ7qj
+uWUNYyhNE0adKYPnkdDZsFZ/rljPYlkOyh2hcmnYo9vzeHR/KaJb2HLijA3Uue+G
+cKSnc5kybZB71s7g4RI0sdTHkkRe30w4O8/zz0PjE6UCgYEAzARJZItdMu9wGu3U
+X7tSSXJL2avVKv/lBDUfZAChBhpXOQf7MvgmKUCiZC/BMZ/plw/AxBL8swrfKgsw
+TdrZwrhK3wOgqYWIHCAfzR+Qa0rRTqVmRQERFylqXzNmUWMG5iq7D9rp3Ht9/Ozn
+6NGsAa53FvCDeBkFzi/dsbhxvjk=
+-----END PRIVATE KEY-----
diff --git a/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8.pem b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8.pem
new file mode 100644
index 00000000000..305c67658c9
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/testdata/pkcs8.pem
@@ -0,0 +1,50 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDSdhLJ1FjDt4zU
+q3Izqzj0DtIg8ZS5r7BK270qRPMVxonzL+Fyt6Tkn/g9yljmB/y2R/catfG6a0+d
+YIkk/7Bs2HhT0cmC0WvOQgediY7GMsREaC7/D7hbcn79FRI44crYN47Mhhl3v13j
+zvXqQ1ZgVXzSeFBEl7ElIPV8aBAuWX3jscGHnR/gmd4ky2rcHD9igl8oNrwByxaP
+zRTnIYXoFSFV1214jBeUdtNQnEW7lxneJU4SvuxN3w6CknVdmBQY5b19UHHBFGIt
+7UxceuWO9o05PnfZb6RAPD1T3i14PqkNMhE+s7EnyXgZaI/eHIpWpxvHZ8+6aPnO
+pHPyeVlJAgMBAAECggEBALR2AAhF51Ly2XQmCkeZor1K1AzhePh7WDvoDVzoQFPE
+qNb4kGTwaRiMvqwlDHM6GAwoyw6BQmPpzhuRAifSgvHh79NXiGV+suTqI2OG5wC1
+2Ssa9mlIjnkDRTY3UieqHGenw+9FcSMH2TcUaDLWSINT6jMCbTlTpNbEWxqwlGdY
+URP4I0lN/NiKyfGemctXTuKj3YOB+6feQZaL1RWYJ9pneSad6rbsLYLOc0JAK8zG
+wu3mPhPTrMqaj7DXAbhz4NWmIjosIp4/5bnV2HSvpd4UiB7/yK/gknZ4XesHOz4z
+aIKbYxbaUkrKIGO/mwuZOjCDSw/rSDmuxuDWFRU3NE0CgYEA6LW2dFPfxIxEmeXl
+EzFxJhsCeCOcPo4ueWxbMboILl2KjMhTUGxKZEjJtWpK+FwVqashU2CrDfW/zfzp
+ekb1EVAeq+bDsHKRXMJfHQ3qky733nqsKbpQonJwyQ64AVhQVLgr8Xi+gNiYaOWo
+g5ZftrlNlJu59GJv+St2eipAlwsCgYEA54ZTpYAodRkMcZOGqiG8mHwNwxPSRIRO
+7iRRT+8NFLVfC3Y1oPD7o2tmwFDpSzybgIOpdKuqHOG6/ed82AyqnODhmdNPcCpv
+FgyWZaurgJepe8Y61vjoaV6y7geLJAOL/WAbqzRRq6tDI708t21lsFCTvtoyW/0I
+0kggr/+ytXsCgYEAkaW5jlE4ilGoVhI3L64QPWNGRl8zWUuv9rtE0Hi4yhwtrTNs
+QbelT+LmrC7cwVkRDeJXt1GXfeNDqu8SSj/C/pUAvWJvNC5goIfe89ZT7M7GwG5S
+9sLv2Nx7jrsxm1Xk4UFr73Q893OY4H5s2/7v5PNRhSN6XWSG5JK5UnjDeEUCgYEA
+iMQnAWsVeybS3Pzi3fmT6RfPIV/CJEtsPO0jQ27ZcVQ60xB/WZVBcSXuysiBJ7qj
+uWUNYyhNE0adKYPnkdDZsFZ/rljPYlkOyh2hcmnYo9vzeHR/KaJb2HLijA3Uue+G
+cKSnc5kybZB71s7g4RI0sdTHkkRe30w4O8/zz0PjE6UCgYEAzARJZItdMu9wGu3U
+X7tSSXJL2avVKv/lBDUfZAChBhpXOQf7MvgmKUCiZC/BMZ/plw/AxBL8swrfKgsw
+TdrZwrhK3wOgqYWIHCAfzR+Qa0rRTqVmRQERFylqXzNmUWMG5iq7D9rp3Ht9/Ozn
+6NGsAa53FvCDeBkFzi/dsbhxvjk=
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDuDCCAqCgAwIBAgIJAIJdodI/q6hqMA0GCSqGSIb3DQEBCwUAMFIxCzAJBgNV
+BAYTAlVTMREwDwYDVQQIDAhOZXcgWW9yazEQMA4GA1UECgwHTW9uZ29EQjERMA8G
+A1UECwwIU2VjdXJpdHkxCzAJBgNVBAMMAmNhMB4XDTE3MDMxNzEwMTQ0MVoXDTI3
+MDMxNTEwMTQ0MVowaDELMAkGA1UEBhMCVVMxETAPBgNVBAgMCE5ldyBZb3JrMREw
+DwYDVQQHDAhOZXcgWW9yazEQMA4GA1UECgwHTW9uZ29EQjEQMA4GA1UECwwHRHJp
+dmVyczEPMA0GA1UEAwwGY2xpZW50MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA0nYSydRYw7eM1KtyM6s49A7SIPGUua+wStu9KkTzFcaJ8y/hcrek5J/4
+PcpY5gf8tkf3GrXxumtPnWCJJP+wbNh4U9HJgtFrzkIHnYmOxjLERGgu/w+4W3J+
+/RUSOOHK2DeOzIYZd79d48716kNWYFV80nhQRJexJSD1fGgQLll947HBh50f4Jne
+JMtq3Bw/YoJfKDa8AcsWj80U5yGF6BUhVddteIwXlHbTUJxFu5cZ3iVOEr7sTd8O
+gpJ1XZgUGOW9fVBxwRRiLe1MXHrljvaNOT532W+kQDw9U94teD6pDTIRPrOxJ8l4
+GWiP3hyKVqcbx2fPumj5zqRz8nlZSQIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCG
+SAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4E
+FgQUd7IrLVymryD9EI7JqSDy61B0hiYwHwYDVR0jBBgwFoAU6V78cAw4dTLrQwZE
+x8Vf5k+rHDkwDQYJKoZIhvcNAQELBQADggEBAGxTZl9WrjlXd9UFIFKiTx3io/YR
+NuAfStSuLwoNAi3P+XYLwvfUScyHOambqBmBFsMSNiQe6h4tepcVIFLeGcsTsoyf
+JkTMwiJH1iIdAchNJmsdkWrPlzUc8s7modmzBx6TBokiGL79vVuh20SW8IyWJZaf
+79A1vFR7PRRPsJWfbXkEOP+CoyQfJtPLz+fFcX2CFkvtn5T8IM97OBBckyE3pjRQ
+nZ7bDc+mM/2T23KMnSWNvqP68Yt+7YMyQ+uj1+HJOHfHQSD0nU/Mn0+EqLhZbzvL
+EKJ5z1meByoriHlMGvZjGMIIcH1Gt/QAi8sVzZBJr+Cq0c9P7F+uNFcODaM=
+-----END CERTIFICATE-----
diff --git a/src/mongo/gotools/common/db/tlsgo/tlsgo.go b/src/mongo/gotools/common/db/tlsgo/tlsgo.go
new file mode 100644
index 00000000000..c26b7e2dc4f
--- /dev/null
+++ b/src/mongo/gotools/common/db/tlsgo/tlsgo.go
@@ -0,0 +1,135 @@
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// Package tlsgo implements connection to MongoDB with Go native TLS.
+package tlsgo
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net"
+	"strings"
+	"time"
+
+	"github.com/mongodb/mongo-tools/common/db/kerberos"
+	"github.com/mongodb/mongo-tools/common/log"
+	"github.com/mongodb/mongo-tools/common/options"
+	"github.com/mongodb/mongo-tools/common/util"
+	"gopkg.in/mgo.v2"
+)
+
+// TLSDBConnector makes a connection to the database with Go native TLS.
+type TLSDBConnector struct {
+	dialInfo *mgo.DialInfo
+	config   *TLSConfig
+}
+
+// Configure the connector to connect to the server over ssl. Sets up the
+// correct function to dial the server based on the ssl options passed in.
+func (c *TLSDBConnector) Configure(opts options.ToolOptions) error {
+	if opts.SSLFipsMode {
+		return fmt.Errorf("FIPS mode not supported")
+	}
+
+	if opts.SSLCRLFile != "" {
+		return fmt.Errorf("CRL files are not supported on this platform")
+	}
+
+	c.config = NewTLSConfig()
+
+	if opts.SSLAllowInvalidCert || opts.SSLAllowInvalidHost {
+		c.config.SetInsecure(true)
+	}
+
+	if opts.SSLPEMKeyFile != "" {
+		subject, err := c.config.AddClientCertFromFile(opts.SSLPEMKeyFile, opts.SSLPEMKeyPassword)
+		if err != nil {
+			return err
+		}
+		if opts.Auth.Mechanism == "MONGODB-X509" && opts.Auth.Username == "" {
+			opts.Auth.Username = subject
+		}
+	}
+
+	if opts.SSLCAFile != "" {
+		c.config.AddCaCertFromFile(opts.SSLCAFile)
+	}
+
+	// set up the dial info
+	c.dialInfo = &mgo.DialInfo{
+		Timeout:        time.Duration(opts.Timeout) * time.Second,
+		Direct:         opts.Direct,
+		ReplicaSetName: opts.ReplicaSetName,
+		DialServer:     c.makeDialer(opts),
+		Username:       opts.Auth.Username,
+		Password:       opts.Auth.Password,
+		Source:         opts.GetAuthenticationDatabase(),
+		Mechanism:      opts.Auth.Mechanism,
+	}
+
+	// create or fetch the addresses to be used to connect
+	if opts.URI != nil && opts.URI.ConnectionString != "" {
+		c.dialInfo.Addrs = opts.URI.GetConnectionAddrs()
+	} else {
+		c.dialInfo.Addrs = util.CreateConnectionAddrs(opts.Host, opts.Port)
+	}
+	kerberos.AddKerberosOpts(opts, c.dialInfo)
+	return nil
+}
+
+// GetNewSession dials the server.
+func (c *TLSDBConnector) GetNewSession() (*mgo.Session, error) {
+	return mgo.DialWithInfo(c.dialInfo)
+}
+
+// To be handed to mgo.DialInfo for connecting to the server.
+type dialerFunc func(addr *mgo.ServerAddr) (net.Conn, error)
+
+func (c *TLSDBConnector) makeDialer(opts options.ToolOptions) dialerFunc {
+	return func(addr *mgo.ServerAddr) (net.Conn, error) {
+		address := addr.String()
+		conn, err := net.Dial("tcp", address)
+		if err != nil {
+			// mgo discards dialer errors so log it now
+			log.Logvf(log.Always, "error dialing %v: %v", address, err)
+			return nil, err
+		}
+		// enable TCP keepalive
+		err = util.EnableTCPKeepAlive(conn, time.Duration(opts.TCPKeepAliveSeconds)*time.Second)
+		if err != nil {
+			// mgo discards dialer errors so log it now
+			log.Logvf(log.Always, "error enabling TCP keepalive on connection to %v: %v", address, err)
+			conn.Close()
+			return nil, err
+		}
+
+		tlsConfig, err := c.config.MakeConfig()
+		if err != nil {
+			return nil, err
+		}
+
+		if !tlsConfig.InsecureSkipVerify {
+			colonPos := strings.LastIndex(address, ":")
+			if colonPos == -1 {
+				colonPos = len(address)
+			}
+
+			hostname := address[:colonPos]
+			tlsConfig.ServerName = hostname
+		}
+
+		client := tls.Client(conn, tlsConfig)
+		err = client.Handshake()
+		if err != nil {
+			// mgo discards dialer errors so log it now
+			log.Logvf(log.Always, "error doing TLS handshake with %v: %v", address, err)
+			client.Close()
+			return nil, err
+		}
+
+		return client, nil
+	}
+}
diff --git a/src/mongo/gotools/common/options/options.go b/src/mongo/gotools/common/options/options.go
index 1e7cb8c6ca3..71b7b0d21f4 100644
--- a/src/mongo/gotools/common/options/options.go
+++ b/src/mongo/gotools/common/options/options.go
@@ -4,23 +4,24 @@ package options
 
 import (
 	"fmt"
-	"github.com/jessevdk/go-flags"
-	"github.com/mongodb/mongo-tools/common/connstring"
-	"github.com/mongodb/mongo-tools/common/failpoint"
-	"github.com/mongodb/mongo-tools/common/log"
-	"github.com/mongodb/mongo-tools/common/util"
 	"os"
 	"regexp"
 	"runtime"
 	"strconv"
 	"strings"
 	"time"
+
+	"github.com/jessevdk/go-flags"
+	"github.com/mongodb/mongo-tools/common/connstring"
+	"github.com/mongodb/mongo-tools/common/failpoint"
+	"github.com/mongodb/mongo-tools/common/log"
+	"github.com/mongodb/mongo-tools/common/util"
 )
 
 // Gitspec that the tool was built with. Needs to be set using -ldflags
 var (
-	VersionStr = "built-without-version-string"
-	Gitspec    = "built-without-git-spec"
+	VersionStr = "r3.4.14-18-gd0bd6a35"
+	Gitspec    = "d0bd6a3539ed33ae2de254168681e7acbebe74e2"
 )
 
 var (
@@ -120,7 +121,8 @@ type Connection struct {
 	Host string `short:"h" long:"host" value-name:"<hostname>" description:"mongodb host to connect to (setname/host1,host2 for replica sets)"`
 	Port string `long:"port" value-name:"<port>" description:"server port (can also use --host hostname:port)"`
 
-	Timeout int `long:"dialTimeout" default:"3" hidden:"true" description:"dial timeout in seconds"`
+	Timeout             int `long:"dialTimeout" default:"3" hidden:"true" description:"dial timeout in seconds"`
+	TCPKeepAliveSeconds int `long:"TCPKeepAliveSeconds" default:"30" hidden:"true" description:"seconds between TCP keep alives"`
 }
 
 // Struct holding ssl-related options
diff --git a/src/mongo/gotools/common/options/options_openssl.go b/src/mongo/gotools/common/options/options_openssl.go
new file mode 100644
index 00000000000..afb18ab8eb2
--- /dev/null
+++ b/src/mongo/gotools/common/options/options_openssl.go
@@ -0,0 +1,18 @@
+// Copyright (C) MongoDB, Inc. 2014-present.
+//
+// Licensed under the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License. You may obtain
+// a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+
+// +build ssl,!openssl_pre_1.0
+
+package options
+
+import "github.com/10gen/openssl"
+
+func init() {
+	versionInfos = append(versionInfos, versionInfo{
+		key:   "OpenSSL version",
+		value: openssl.Version,
+	})
+}
diff --git a/src/mongo/gotools/common/options/options_ssl.go b/src/mongo/gotools/common/options/options_ssl.go
index 6fcd4da13b3..f9c7f966663 100644
--- a/src/mongo/gotools/common/options/options_ssl.go
+++ b/src/mongo/gotools/common/options/options_ssl.go
@@ -2,14 +2,8 @@
 
 package options
 
-import "github.com/spacemonkeygo/openssl"
-
 func init() {
 	ConnectionOptFunctions = append(ConnectionOptFunctions, registerSSLOptions)
-	versionInfos = append(versionInfos, versionInfo{
-		key:   "OpenSSL version",
-		value: openssl.Version,
-	})
 }
 
 func registerSSLOptions(self *ToolOptions) error {
diff --git a/src/mongo/gotools/common/util/net.go b/src/mongo/gotools/common/util/net.go
new file mode 100644
index 00000000000..1459d4abf95
--- /dev/null
+++ b/src/mongo/gotools/common/util/net.go
@@ -0,0 +1,24 @@
+package util
+
+import (
+	"net"
+	"time"
+)
+
+// EnableTCPKeepAlive enables TCP keepalive on the underlying TCP connection.
+func EnableTCPKeepAlive(conn net.Conn, keepAlivePeriod time.Duration) error {
+	if keepAlivePeriod == 0 {
+		return nil
+	}
+	if tcpconn, ok := conn.(*net.TCPConn); ok {
+		err := tcpconn.SetKeepAlive(true)
+		if err != nil {
+			return err
+		}
+		err = tcpconn.SetKeepAlivePeriod(keepAlivePeriod)
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/src/mongo/gotools/import.data b/src/mongo/gotools/import.data
index f0eee069180..d1d91264483 100644
--- a/src/mongo/gotools/import.data
+++ b/src/mongo/gotools/import.data
@@ -1,5 +1,5 @@
 {
-    "commit": "4f093ae71cdb4c6a6e9de7cd1dc67ea4405f0013", 
+    "commit": "4c5314b404c2d7aac7ceb50133faa3ac4fc3d2ea", 
     "github": "mongodb/mongo-tools.git", 
     "vendor": "tools", 
     "branch": "v3.4"
diff --git a/src/mongo/gotools/mongodump/mongodump.go b/src/mongo/gotools/mongodump/mongodump.go
index 30cb0b2a2d3..3bc6342664f 100644
--- a/src/mongo/gotools/mongodump/mongodump.go
+++ b/src/mongo/gotools/mongodump/mongodump.go
@@ -44,6 +44,7 @@ type MongoDump struct {
 	query           bson.M
 	oplogCollection string
 	oplogStart      bson.MongoTimestamp
+	oplogEnd        bson.MongoTimestamp
 	isMongos        bool
 	authVersion     int
 	archive         *archive.Writer
@@ -358,7 +359,7 @@ func (dump *MongoDump) Dump() (err error) {
 			return fmt.Errorf("error finding oplog: %v", err)
 		}
 		log.Logvf(log.Info, "getting most recent oplog timestamp")
-		dump.oplogStart, err = dump.getOplogStartTime()
+		dump.oplogStart, err = dump.getCurrentOplogTime()
 		if err != nil {
 			return fmt.Errorf("error getting oplog start: %v", err)
 		}
@@ -390,6 +391,11 @@ func (dump *MongoDump) Dump() (err error) {
 	// we check to see if the oplog has rolled over (i.e. the most recent entry when
 	// we started still exist, so we know we haven't lost data)
 	if dump.OutputOptions.Oplog {
+		dump.oplogEnd, err = dump.getCurrentOplogTime()
+		if err != nil {
+			return fmt.Errorf("error getting oplog end: %v", err)
+		}
+
 		log.Logvf(log.DebugLow, "checking if oplog entry %v still exists", dump.oplogStart)
 		exists, err := dump.checkOplogTimestampExists(dump.oplogStart)
 		if !exists {
@@ -402,7 +408,8 @@ func (dump *MongoDump) Dump() (err error) {
 		log.Logvf(log.DebugHigh, "oplog entry %v still exists", dump.oplogStart)
 
 		log.Logvf(log.Always, "writing captured oplog to %v", dump.manager.Oplog().Location)
-		err = dump.DumpOplogAfterTimestamp(dump.oplogStart)
+
+		err = dump.DumpOplogBetweenTimestamps(dump.oplogStart, dump.oplogEnd)
 		if err != nil {
 			return fmt.Errorf("error dumping oplog: %v", err)
 		}
diff --git a/src/mongo/gotools/mongodump/oplog_dump.go b/src/mongo/gotools/mongodump/oplog_dump.go
index b0800ff4318..a4c94d07760 100644
--- a/src/mongo/gotools/mongodump/oplog_dump.go
+++ b/src/mongo/gotools/mongodump/oplog_dump.go
@@ -34,8 +34,8 @@ func (dump *MongoDump) determineOplogCollectionName() error {
 
 }
 
-// getOplogStartTime returns the most recent oplog entry
-func (dump *MongoDump) getOplogStartTime() (bson.MongoTimestamp, error) {
+// getOplogCurrentTime returns the most recent oplog entry
+func (dump *MongoDump) getCurrentOplogTime() (bson.MongoTimestamp, error) {
 	mostRecentOplogEntry := db.Oplog{}
 
 	err := dump.sessionProvider.FindOne("local", dump.oplogCollection, 0, nil, []string{"-$natural"}, &mostRecentOplogEntry, 0)
@@ -65,16 +65,19 @@ func (dump *MongoDump) checkOplogTimestampExists(ts bson.MongoTimestamp) (bool,
 	return true, nil
 }
 
-// DumpOplogAfterTimestamp takes a timestamp and writer and dumps all oplog entries after
-// the given timestamp to the writer. Returns any errors that occur.
-func (dump *MongoDump) DumpOplogAfterTimestamp(ts bson.MongoTimestamp) error {
+// DumpOplogBetweenTimestamps takes two timestamps and writer and dumps all oplog
+// entries between the given timestamp to the writer. Returns any errors that occur.
+func (dump *MongoDump) DumpOplogBetweenTimestamps(start, end bson.MongoTimestamp) error {
 	session, err := dump.sessionProvider.GetSession()
 	if err != nil {
 		return err
 	}
 	defer session.Close()
 	session.SetPrefetch(1.0) // mimic exhaust cursor
-	queryObj := bson.M{"ts": bson.M{"$gt": ts}}
+	queryObj := bson.M{"$and": []bson.M{
+		bson.M{"ts": bson.M{"$gte": start}},
+		bson.M{"ts": bson.M{"$lte": end}},
+	}}
 	oplogQuery := session.DB("local").C(dump.oplogCollection).Find(queryObj).LogReplay()
 	oplogCount, err := dump.dumpQueryToIntent(oplogQuery, dump.manager.Oplog(), dump.getResettableOutputBuffer())
 	if err == nil {
diff --git a/src/mongo/gotools/mongoreplay/main/mongoreplay.go b/src/mongo/gotools/mongoreplay/main/mongoreplay.go
index 5a7fd02c809..cf8e0abee57 100644
--- a/src/mongo/gotools/mongoreplay/main/mongoreplay.go
+++ b/src/mongo/gotools/mongoreplay/main/mongoreplay.go
@@ -4,7 +4,9 @@ import (
 	"github.com/jessevdk/go-flags"
 	"github.com/mongodb/mongo-tools/mongoreplay"
 
+	"fmt"
 	"os"
+	"runtime"
 )
 
 const (
@@ -27,6 +29,11 @@ func main() {
 		os.Exit(ExitOk)
 	}
 
+	if runtime.NumCPU() == 1 {
+		fmt.Fprint(os.Stderr, "mongoreplay must be run with multiple threads")
+		os.Exit(ExitError)
+	}
+
 	opts := mongoreplay.Options{}
 
 	var parser = flags.NewParser(&opts, flags.Default)
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/LICENSE b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/LICENSE
index 37ec93a14fd..37ec93a14fd 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/LICENSE
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/LICENSE
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/README.md b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/README.md
index 6bd3383a0e8..6bd3383a0e8 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/README.md
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/README.md
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/bio.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/bio.go
index 8d0da8998eb..8d0da8998eb 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/bio.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/bio.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/build.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build.go
index 0425aa5f368..f71e285639a 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/build.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/build.go
@@ -19,6 +19,6 @@ package openssl
 // #cgo linux pkg-config: openssl
 // #cgo windows CFLAGS: -DWIN32_LEAN_AND_MEAN
 // #cgo windows LDFLAGS: -lcrypt32
-// #cgo darwin CFLAGS: -Wno-deprecated-declarations
-// #cgo darwin LDFLAGS: -lssl -lcrypto -framework CoreFoundation -framework Foundation -framework Security
+// #cgo darwin CFLAGS: -Wno-deprecated-declarations -I/usr/include -I/usr/local/opt/openssl/include
+// #cgo darwin LDFLAGS: -L/usr/local/opt/openssl/lib -lssl -lcrypto -framework CoreFoundation -framework Foundation -framework Security
 import "C"
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert.go
index 61637c649fa..61637c649fa 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert_test.go
index c32883ba4eb..c32883ba4eb 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/cert_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/cert_test.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers.go
index 12662707f54..12662707f54 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers.go
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go
new file mode 100644
index 00000000000..e184c95e5df
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_gcm.go
@@ -0,0 +1,154 @@
+// Copyright (C) 2017. See AUTHORS.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// +build !openssl_pre_1.0
+
+package openssl
+
+// #include <openssl/evp.h>
+import "C"
+
+import (
+	"errors"
+	"fmt"
+)
+
+type AuthenticatedEncryptionCipherCtx interface {
+	EncryptionCipherCtx
+
+	// data passed in to ExtraData() is part of the final output; it is
+	// not encrypted itself, but is part of the authenticated data. when
+	// decrypting or authenticating, pass back with the decryption
+	// context's ExtraData()
+	ExtraData([]byte) error
+
+	// use after finalizing encryption to get the authenticating tag
+	GetTag() ([]byte, error)
+}
+
+type AuthenticatedDecryptionCipherCtx interface {
+	DecryptionCipherCtx
+
+	// pass in any extra data that was added during encryption with the
+	// encryption context's ExtraData()
+	ExtraData([]byte) error
+
+	// use before finalizing decryption to tell the library what the
+	// tag is expected to be
+	SetTag([]byte) error
+}
+
+type authEncryptionCipherCtx struct {
+	*encryptionCipherCtx
+}
+
+type authDecryptionCipherCtx struct {
+	*decryptionCipherCtx
+}
+
+func getGCMCipher(blocksize int) (*Cipher, error) {
+	var cipherptr *C.EVP_CIPHER
+	switch blocksize {
+	case 256:
+		cipherptr = C.EVP_aes_256_gcm()
+	case 192:
+		cipherptr = C.EVP_aes_192_gcm()
+	case 128:
+		cipherptr = C.EVP_aes_128_gcm()
+	default:
+		return nil, fmt.Errorf("unknown block size %d", blocksize)
+	}
+	return &Cipher{ptr: cipherptr}, nil
+}
+
+func NewGCMEncryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) (
+	AuthenticatedEncryptionCipherCtx, error) {
+	cipher, err := getGCMCipher(blocksize)
+	if err != nil {
+		return nil, err
+	}
+	ctx, err := newEncryptionCipherCtx(cipher, e, key, nil)
+	if err != nil {
+		return nil, err
+	}
+	if len(iv) > 0 {
+		err := ctx.setCtrl(C.EVP_CTRL_GCM_SET_IVLEN, len(iv))
+		if err != nil {
+			return nil, fmt.Errorf("could not set IV len to %d: %s",
+				len(iv), err)
+		}
+		if 1 != C.EVP_EncryptInit_ex(ctx.ctx, nil, nil, nil,
+			(*C.uchar)(&iv[0])) {
+			return nil, errors.New("failed to apply IV")
+		}
+	}
+	return &authEncryptionCipherCtx{encryptionCipherCtx: ctx}, nil
+}
+
+func NewGCMDecryptionCipherCtx(blocksize int, e *Engine, key, iv []byte) (
+	AuthenticatedDecryptionCipherCtx, error) {
+	cipher, err := getGCMCipher(blocksize)
+	if err != nil {
+		return nil, err
+	}
+	ctx, err := newDecryptionCipherCtx(cipher, e, key, nil)
+	if err != nil {
+		return nil, err
+	}
+	if len(iv) > 0 {
+		err := ctx.setCtrl(C.EVP_CTRL_GCM_SET_IVLEN, len(iv))
+		if err != nil {
+			return nil, fmt.Errorf("could not set IV len to %d: %s",
+				len(iv), err)
+		}
+		if 1 != C.EVP_DecryptInit_ex(ctx.ctx, nil, nil, nil,
+			(*C.uchar)(&iv[0])) {
+			return nil, errors.New("failed to apply IV")
+		}
+	}
+	return &authDecryptionCipherCtx{decryptionCipherCtx: ctx}, nil
+}
+
+func (ctx *authEncryptionCipherCtx) ExtraData(aad []byte) error {
+	if aad == nil {
+		return nil
+	}
+	var outlen C.int
+	if 1 != C.EVP_EncryptUpdate(ctx.ctx, nil, &outlen, (*C.uchar)(&aad[0]),
+		C.int(len(aad))) {
+		return errors.New("failed to add additional authenticated data")
+	}
+	return nil
+}
+
+func (ctx *authDecryptionCipherCtx) ExtraData(aad []byte) error {
+	if aad == nil {
+		return nil
+	}
+	var outlen C.int
+	if 1 != C.EVP_DecryptUpdate(ctx.ctx, nil, &outlen, (*C.uchar)(&aad[0]),
+		C.int(len(aad))) {
+		return errors.New("failed to add additional authenticated data")
+	}
+	return nil
+}
+
+func (ctx *authEncryptionCipherCtx) GetTag() ([]byte, error) {
+	return ctx.getCtrlBytes(C.EVP_CTRL_GCM_GET_TAG, GCM_TAG_MAXLEN,
+		GCM_TAG_MAXLEN)
+}
+
+func (ctx *authDecryptionCipherCtx) SetTag(tag []byte) error {
+	return ctx.setCtrlBytes(C.EVP_CTRL_GCM_SET_TAG, len(tag), tag)
+}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_test.go
index d1d430b1e15..9f5d27ab1c3 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ciphers_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ciphers_test.go
@@ -13,6 +13,7 @@
 // limitations under the License.
 
 // +build !darwin
+// +build !openssl_pre_1.0
 
 package openssl
 
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/conn.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/conn.go
index 992033d2a30..f77fb4d61b9 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/conn.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/conn.go
@@ -48,7 +48,7 @@ import (
 	"time"
 	"unsafe"
 
-	"github.com/spacemonkeygo/openssl/utils"
+	"github.com/10gen/openssl/utils"
 )
 
 var (
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx.go
index 8daa1bbbb1f..8daa1bbbb1f 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx_test.go
index 9644e518bf3..9644e518bf3 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ctx_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ctx_test.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/dhparam.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dhparam.go
index a698645c1ec..a698645c1ec 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/dhparam.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/dhparam.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/digest.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/digest.go
index 44d4d001b13..44d4d001b13 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/digest.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/digest.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/engine.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/engine.go
index 7a175b70f7c..7a175b70f7c 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/engine.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/engine.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/fips.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips.go
index cc463f17a18..fcccb000a36 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/fips.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips.go
@@ -1,5 +1,5 @@
 // +build cgo
-// +build -darwin
+// +build !darwin
 
 package openssl
 
@@ -20,3 +20,10 @@ func FIPSModeSet(mode bool) error {
 	}
 	return nil
 }
+
+func FIPSMode() bool {
+	if C.FIPS_mode() == 0 {
+		return false
+	}
+	return true
+}
diff --git a/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go
new file mode 100644
index 00000000000..63d353b4a41
--- /dev/null
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/fips_test.go
@@ -0,0 +1,33 @@
+// +build !darwin
+
+package openssl_test
+
+import (
+	"testing"
+
+	"github.com/10gen/openssl"
+)
+
+func TestSetFIPSMode(t *testing.T) {
+	if openssl.FIPSMode() {
+		t.Fatal("Expected FIPS mode to be disabled, but was enabled")
+	}
+
+	err := openssl.FIPSModeSet(true)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if !openssl.FIPSMode() {
+		t.Fatal("Expected FIPS mode to be enabled, but was disabled")
+	}
+
+	err = openssl.FIPSModeSet(false)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if openssl.FIPSMode() {
+		t.Fatal("Expected FIPS mode to be disabled, but was enabled")
+	}
+}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.c
index 9a610292067..9a610292067 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.go
index c1d1202fb65..c1d1202fb65 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/hostname.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/hostname.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/http.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/http.go
index e3be32c264a..e3be32c264a 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/http.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/http.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init.go
index 314e5415c18..314e5415c18 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_posix.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_posix.go
index 99558298e3a..99558298e3a 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_posix.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_posix.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_windows.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_windows.go
index ec817926b7a..ec817926b7a 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/init_windows.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/init_windows.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key.go
index cc17f5fcf7d..cc17f5fcf7d 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_test.go
index 0af90128530..0af90128530 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/key_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/key_test.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/mapping.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/mapping.go
index 066aba6b5db..066aba6b5db 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/mapping.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/mapping.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/net.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/net.go
index 0d9d72b0e00..7120d065d15 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/net.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/net.go
@@ -80,6 +80,27 @@ func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
 	return DialSession(network, addr, ctx, flags, nil)
 }
 
+// DialWithDialer will connect to network/address using the provided dialer and
+// then wrap the corresponding underlying connection with an OpenSSL client
+// connection using context ctx. If flags includes InsecureSkipHostVerification,
+// the server certificate's hostname will not be checked to match the hostname
+// in addr. Otherwise, flags should be 0.
+//
+// Dial probably won't work for you unless you set a verify location or add
+// some certs to the certificate store of the client context you're using.
+// This library is not nice enough to use the system certificate store by
+// default for you yet.
+func DialWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
+	return dialSessionWithDialer(
+		dialer,
+		network,
+		addr,
+		ctx,
+		flags,
+		nil,
+	)
+}
+
 // DialSession will connect to network/address and then wrap the corresponding
 // underlying connection with an OpenSSL client connection using context ctx.
 // If flags includes InsecureSkipHostVerification, the server certificate's
@@ -95,6 +116,18 @@ func Dial(network, addr string, ctx *Ctx, flags DialFlags) (*Conn, error) {
 // can be retrieved from the GetSession method on the Conn.
 func DialSession(network, addr string, ctx *Ctx, flags DialFlags,
 	session []byte) (*Conn, error) {
+	return dialSessionWithDialer(
+		new(net.Dialer),
+		network,
+		addr,
+		ctx,
+		flags,
+		session,
+	)
+}
+
+func dialSessionWithDialer(dialer *net.Dialer, network, addr string, ctx *Ctx, flags DialFlags,
+	session []byte) (*Conn, error) {
 
 	host, _, err := net.SplitHostPort(addr)
 	if err != nil {
@@ -108,7 +141,7 @@ func DialSession(network, addr string, ctx *Ctx, flags DialFlags,
 		}
 		// TODO: use operating system default certificate chain?
 	}
-	c, err := net.Dial(network, addr)
+	c, err := dialer.Dial(network, addr)
 	if err != nil {
 		return nil, err
 	}
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/nid.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/nid.go
index c80f237b605..c80f237b605 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/nid.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/nid.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/oracle_stubs.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/oracle_stubs.go
index 30492f3b9d8..30492f3b9d8 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/oracle_stubs.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/oracle_stubs.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/password.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/password.c
index db9582ca726..db9582ca726 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/password.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/password.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/pem.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/pem.go
index 6dad5972dbd..6dad5972dbd 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/pem.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/pem.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1.go
index 2592b6627d1..2592b6627d1 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1_test.go
index 37037e4468b..37037e4468b 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha1_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha1_test.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256.go
index 6785b32f881..6785b32f881 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256_test.go
index 89df88afd44..89df88afd44 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sha256_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sha256_test.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni.c
index 5398da869b8..5398da869b8 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni_test.go
index ee3b1a8bbaf..ee3b1a8bbaf 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/sni_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/sni_test.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl.go
index 3cc630601d3..3cc630601d3 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl_test.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl_test.go
index f83225dec97..0c088c2eed0 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/ssl_test.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/ssl_test.go
@@ -25,7 +25,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/spacemonkeygo/openssl/utils"
+	"github.com/10gen/openssl/utils"
 )
 
 var (
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.c
index 056f524aa1e..056f524aa1e 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.go
index 9751622f837..9751622f837 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/system_certs.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/system_certs.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.c
index 894c2676038..894c2676038 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.go
index 23dc3e08305..23dc3e08305 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/tickets.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/tickets.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/errors.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/errors.go
index bab314c95d7..bab314c95d7 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/errors.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/errors.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/future.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/future.go
index fa1bbbfb861..fa1bbbfb861 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/utils/future.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/utils/future.go
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/verify.c b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/verify.c
index d55866c4cf0..d55866c4cf0 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/verify.c
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/verify.c
diff --git a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/version.go b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/version.go
index 8f3d392cde8..8f3d392cde8 100644
--- a/src/mongo/gotools/vendor/src/github.com/spacemonkeygo/openssl/version.go
+++ b/src/mongo/gotools/vendor/src/github.com/10gen/openssl/version.go