C Driver / CDRIVER-842

Allow for more fine-grained SSL connection control regarding invalid hostnames and invalid certificate flags

Details

    • Improvement
    • Resolution: Done
    • Major - P3
    • 1.4.0
    • None
    • libmongoc, tls

    Description

      The mongo client has two options that deal with invalid/incorrect certificates:

        --sslAllowInvalidHostnames         allow connections to servers with 
                                           non-matching hostnames
        --sslAllowInvalidCertificates      allow connections to servers with invalid 
                                           certificates
      

      But the C driver only has a flag in ssl_opts to turn off invalid certificate checking (weak_cert_validation): http://api.mongodb.org/c/current/mongoc_ssl_opt_t.html

      PHP's SSL layer has something similar through its ``verify_peer_name`` and ``allow_self_signed`` SSL context options.

      This currently means that by using the CDRIVER in Hippo, I can't make all tests pass, as the peer name ("server") does not match the server name as in CDRIVER-841. I can turn on ``allow_self_signed`` to allow connecting, but that's more than I should be having to do. Allowing an extra option specifically for peer verification would be required to allow Hippo to pass the Phongo tests.
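
The separation the description asks for, as an added example that is not part of the original issue and not libmongoc code: chain validation and hostname matching are decided independently, so relaxing the name check still rejects an untrusted chain. The `tls_policy_t` struct, both function names and the host `localhost` are hypothetical; `chain_ok` stands in for the result a TLS library would supply.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical option struct (not mongoc_ssl_opt_t): one flag per check. */
typedef struct {
    bool allow_invalid_certificates; /* skip chain validation only */
    bool allow_invalid_hostnames;    /* skip name matching only */
} tls_policy_t;

/* Compare a certificate name with the host that was dialed. A "*" is honored
 * only as the whole left-most label and never spans a dot. */
static bool hostname_matches(const char *cert_name, const char *host)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        /* require a non-empty first label and a multi-label suffix */
        if (dot == NULL || dot == host || strchr(cert_name + 2, '.') == NULL)
            return false;
        return strcasecmp(cert_name + 1, dot) == 0;
    }
    return strcasecmp(cert_name, host) == 0;
}

/* chain_ok: outcome of certificate chain validation, performed elsewhere. */
static bool peer_accepted(const tls_policy_t *p, bool chain_ok,
                          const char *cert_name, const char *host)
{
    if (!chain_ok && !p->allow_invalid_certificates)
        return false;
    if (!hostname_matches(cert_name, host) && !p->allow_invalid_hostnames)
        return false;
    return true;
}

int main(void)
{
    /* Constructed case: certificate names "server", client dialed "localhost". */
    tls_policy_t names_only = { false, true };
    printf("trusted chain, wrong name:   %d\n",
           peer_accepted(&names_only, true, "server", "localhost"));
    printf("untrusted chain, wrong name: %d\n",
           peer_accepted(&names_only, false, "server", "localhost"));
    return 0;
}
```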

          People

            bjori Hannes Magnusson
            derick Derick Rethans