C Driver / CDRIVER-842

Allow for more fine-grained SSL connection control regarding invalid hostnames and invalid certificate flags

    • Type: Improvement
    • Resolution: Done
    • Priority: Major - P3
    • Fix Version/s: 1.4.0
    • Affects Version/s: None
    • Component/s: libmongoc, tls

      The mongo client has two options that deal with invalid/incorrect certificates:

        --sslAllowInvalidHostnames         allow connections to servers with 
                                           non-matching hostnames
        --sslAllowInvalidCertificates      allow connections to servers with invalid 
                                           certificates
      

      But the C driver only has a flag in ssl_opts to turn off invalid certificate checking (weak_cert_validation): http://api.mongodb.org/c/current/mongoc_ssl_opt_t.html

      PHP's SSL layer has something similar through its ``verify_peer_name`` and ``allow_self_signed`` SSL context options.

      This currently means that, by using the CDRIVER in Hippo, I can't make all tests pass, as the peer name ("server") does not match the server name as in CDRIVER-841. I can turn on ``allow_self_signed`` to allow connecting, but that's more than I should be having to do. Allowing an extra option specifically for peer verification would be required to allow Hippo to pass the Phongo tests.

            Assignee:
            bjori Hannes Magnusson
            Reporter:
            derick Derick Rethans
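
The distinction the report asks for, shown with Python's standard ssl module as an added example (not libmongoc code and not part of the original issue): relaxing only hostname matching keeps certificate chain validation on, while allowing invalid certificates turns both checks off. The function and parameter names are assumptions modelled on the mongo shell flags quoted above.

```python
import ssl


def client_context(ca_file=None, allow_invalid_hostnames=False,
                   allow_invalid_certificates=False):
    """Return a TLS client context with the two relaxations kept separate.

    Parameter names are assumptions modelled on the mongo shell flags.
    """
    # Secure default: verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)

    if allow_invalid_hostnames or allow_invalid_certificates:
        # Name matching has to go first: Python raises ValueError if
        # verify_mode is set to CERT_NONE while check_hostname is True.
        ctx.check_hostname = False

    if allow_invalid_certificates:
        # Broad relaxation: the chain is not validated at all, so
        # self-signed, expired and untrusted certificates are accepted.
        ctx.verify_mode = ssl.CERT_NONE

    return ctx


def checks_enforced(ctx):
    """Report which of the two server checks a context still performs."""
    return {
        "chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    cases = {
        "default": {},
        "allow_invalid_hostnames": {"allow_invalid_hostnames": True},
        "allow_invalid_certificates": {"allow_invalid_certificates": True},
    }
    for label, kwargs in cases.items():
        print(f"{label:28} {checks_enforced(client_context(**kwargs))}")
```

With only the hostname relaxation set, a certificate issued to the wrong name is accepted but must still chain to a trusted CA.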