- Type: New Feature
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 1.4.0
- Component/s: None
The server supports the following configuration options:
- --sslCipherConfig (source)
  Undocumented cipher list override (e.g. remove AES-GCM)
- --sslDisabledProtocols (source)
  Explicitly disable TLSv1, TLSv1.1 or TLSv1.2
- --sslAllowConnectionsWithoutCertificates AKA --sslWeakCertificateValidation (source)
  Allow clients to not provide certificate. If it does though, validate it.
- --sslAllowInvalidCertificates (source and source)
  If certificate validation fails by OpenSSL certification checks, still allow it. Also allow invalid hostnames.
- --sslAllowInvalidHostname (source)
  Allow certificate hostname mismatch to fail (use Subject Alternate Name if exists, otherwise most specific Common Name field in subject).
The OpenSSL built-in checks seem light, and the docs say only:
"The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer's certificate. At each level signatures and issuer attributes are checked."
The server does the following checks:
- Certificate expiration (source)
- CRL check if --sslCRLFile is provided (source and source)
  Verifies the chain leaf (NOT entire chain)
- Certificate issued by specific, or any of the provided CAs (source)
It furthermore explicitly disables:
- SSLv2
- SSLv3
It activates all "bug workaround options" in OpenSSL...
Currently we only support weak_cert_validation, which is equivalent to --sslAllowInvalidHostname.
If provided with ca_file, it is used.
If provided with crl_file, it is used.
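The hostname rule described above for --sslAllowInvalidHostname (Subject Alternative Name if it exists, otherwise the most specific Common Name), as an added example in plain C that is not the driver's or the server's own code. It assumes the names have already been extracted from the certificate, treats the last CN in subject order as the most specific, and goes beyond the ticket by accepting a single-label `*.` wildcard; `cert_matches_host` and the sample names are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated names. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++; b++;
    }
    return *a == '\0' && *b == '\0';
}

/* One certificate name vs. the dialed host; "*." covers one leftmost label. */
static int name_matches(const char *pattern, const char *host)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && eq_nocase(pattern + 1, dot);
    }
    return eq_nocase(pattern, host);
}

/* san: dNSName entries of Subject Alternative Name; cns: subject CN values
 * in subject order. Returns 1 if the certificate identifies host, else 0. */
int cert_matches_host(const char *host, const char *const *san, size_t n_san,
                      const char *const *cns, size_t n_cn)
{
    size_t i;
    if (host == NULL || *host == '\0')
        return 0;
    if (n_san > 0) {
        /* SAN present: the CN is never consulted, even if it would match. */
        for (i = 0; i < n_san; i++)
            if (name_matches(san[i], host))
                return 1;
        return 0;
    }
    /* No SAN: only one CN counts. Assumption: last CN is the most specific. */
    return n_cn > 0 && name_matches(cns[n_cn - 1], host);
}

int main(void)
{
    /* Constructed sample names, not taken from any real certificate. */
    const char *san[] = { "db1.example.com" };
    const char *cn[]  = { "db2.example.com" };
    /* CN matches but a SAN exists and does not: result 0, exit status 0. */
    return cert_matches_host("db2.example.com", san, 1, cn, 1);
}
```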
- is related to: CDRIVER-1231 Allow to use system crypto policies (Closed)
- related to: CDRIVER-842 Allow for more finegrained SSL connection control regarding invalid hostnames and invalid certificate flags (Closed)