Loading...

XML

Word

Printable

JSON

Type: New Feature
Resolution: Done
Priority: Major - P3
Fix Version/s: 1.4.0
Affects Version/s: 1.4.0
Component/s: None
Labels:
- intern2016

Epic Link:
TLS Improvements
Confidence Status:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

The server will be making providing an explicit CA optional, and default on the system provided (OpenSSL) defaults.

We do the same as of ~~CDRIVER-1142~~, but OpenSSL doesn't ship with default certificates and it appears rare that people explicitly fetch the Mozilla bundle or other bundles.

We can, and should, trust the Windows cert store for this.

When no explicit CA option is provided (mongoc_ssl_opt_t.ca_file and .ca_dir) we should extract the CAs from the Windows cert store and load them into OpenSSL.

—

Even though we'll support Windows native Secure Channel, I think we should still do this for those resisting and continue to use OpenSSL on Windows.

depends on

CDRIVER-1142 Load default distribution CAs if no ca_file and ca_dir are provided

Closed

is related to

SERVER-23044 Fall back to system CA certs in the shell if CA file isn't provided

Closed

DRIVERS-302 Test connections to Mango

Closed

related to

DRIVERS-214 Default to verifying certificates against default CA certificates

Closed

Assignee:: Hannes Magnusson (Inactive)

Reporter:: Hannes Magnusson (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: Mar 30 2016 02:50:04 PM UTC

Updated:: Aug 10 2016 10:10:58 PM UTC

Resolved:: Jul 14 2016 06:32:31 PM UTC

Confidence Status Last Update:: 13/Jul/16 11:15 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates