[CDRIVER-1182] Load Windows trusted CA by default when no CA configured - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Closed
Priority: Major - P3
Resolution: Done
Affects Version/s: 1.4.0
Fix Version/s: 1.4.0
Component/s: None
Labels:
- intern2016

Epic Link:
TLS Improvements

Description

The server will be making providing an explicit CA optional, and default on the system provided (OpenSSL) defaults.

We do the same as of ~~CDRIVER-1142~~, but OpenSSL doesn't ship with default certificates and it appears rare that people explicitly fetch the Mozilla bundle or other bundles.

We can, and should, trust the Windows cert store for this.

When no explicit CA option is provided (mongoc_ssl_opt_t.ca_file and .ca_dir) we should extract the CAs from the Windows cert store and load them into OpenSSL.

—

Even though we'll support Windows native Secure Channel, I think we should still do this for those resisting and continue to use OpenSSL on Windows.

Attachments

Issue Links

depends on

CDRIVER-1142 Load default distribution CAs if no ca_file and ca_dir are provided

Closed

is related to

SERVER-23044 Fall back to system CA certs in the shell if CA file isn't provided

Closed

DRIVERS-302 Test connections to Mango

Closed

related to

DRIVERS-214 Default to verifying certificates against default CA certificates

Closed

Activity

People

Assignee:: Hannes Magnusson

Reporter:: Hannes Magnusson

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: Mar 30 2016 02:50:04 PM UTC

Updated:: Aug 10 2016 10:10:58 PM UTC

Resolved:: Jul 14 2016 06:32:31 PM UTC