C Driver: CDRIVER-1133

Add support for SSL verification options matching the server

    • Type: New Feature
    • Resolution: Done
    • Priority: Major - P3
    • 1.4.0
    • Affects Version/s: 1.4.0
    • Component/s: None
    • Labels:

      The server supports the following configuration options:

      • --sslCipherConfig (source)
        Undocumented cipher list override (e.g. to remove AES-GCM)
      • --sslDisabledProtocols (source)
        Explicitly disable TLSv1, TLSv1.1 or TLSv1.2
      • --sslAllowConnectionsWithoutCertificates AKA --sslWeakCertificateValidation (source)
        Allow clients to connect without presenting a certificate. If a client does present one, validate it.
      • --sslAllowInvalidCertificates (source and source)
        If OpenSSL's certificate checks fail, still allow the connection. Also allows invalid hostnames.
      • --sslAllowInvalidHostname (source)
        Allow the connection even when the certificate hostname check fails (the check uses the Subject Alternative Name if present, otherwise the most specific Common Name field in the subject).

      The OpenSSL built-in checks seem light, and the docs say only:
      "The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked."

      The server does the following checks:

      • Certificate expiration (source)
      • CRL check if --sslCRLFile is provided (source and source)
        Verifies the chain leaf (NOT entire chain)
      • Certificate issued by a specific CA, or by any of the provided CAs (source)

      It furthermore explicitly disables:

      • SSLv2
      • SSLv3

      It activates all "bug workaround options" in OpenSSL...

      Currently we only support weak_cert_validation, which is equivalent to --sslAllowInvalidHostname.
      If ca_file is provided, it is used.
      If crl_file is provided, it is used.
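The hostname rule described above (Subject Alternative Name first, otherwise the most specific Common Name) together with the driver's weak_cert_validation behaviour, as an added illustration in C; this is not code from the C driver or from the ticket. It assumes the certificate has already been parsed into a list of SAN DNS names and a CN string (hypothetical helper signatures), and it handles leftmost-label wildcards, which the ticket does not spell out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Match one certificate name (possibly "*.example.com") against a host.
 * Only a leftmost "*" label is honoured and it matches exactly one label,
 * so "*.example.com" matches "db1.example.com" but not "a.b.example.com".
 * DNS names compare case-insensitively. */
static bool name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(pattern, host) == 0;
    const char *dot = strchr(host, '.');
    if (!dot || dot == host)           /* host needs a first label to absorb '*' */
        return false;
    if (!strchr(pattern + 2, '.'))     /* refuse "*.com"-style patterns */
        return false;
    return strcasecmp(pattern + 1, dot) == 0;   /* compare ".example.com" suffix */
}

/* Ticket rule: consult SANs if the certificate has any; only a certificate
 * with no SANs falls back to the (most specific) CN passed by the caller.
 * sans/n_sans and cn are assumed to come from an already-parsed certificate. */
bool hostname_matches_cert(const char *const *sans, size_t n_sans,
                           const char *cn, const char *host)
{
    if (n_sans > 0) {
        for (size_t i = 0; i < n_sans; i++)
            if (name_matches(sans[i], host))
                return true;
        return false;                  /* SANs present: CN is not consulted */
    }
    return cn != NULL && name_matches(cn, host);
}

/* Driver-side decision: weak_cert_validation == --sslAllowInvalidHostname,
 * i.e. a hostname mismatch is tolerated instead of rejecting the peer. */
bool accept_peer(const char *const *sans, size_t n_sans, const char *cn,
                 const char *host, bool weak_cert_validation)
{
    bool ok = hostname_matches_cert(sans, n_sans, cn, host);
    return ok || weak_cert_validation;
}
```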

            bjori Hannes Magnusson