[CDRIVER-1133] Add support for SSL verification options matching the server Created: 23/Feb/16 Updated: 10/Aug/16 Resolved: 18/Jul/16 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | 1.4.0 |
| Fix Version/s: | 1.4.0 |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Hannes Magnusson | Assignee: | Hannes Magnusson |
| Resolution: | Done | Votes: | 0 |
| Labels: | intern2016 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Epic Link: | TLS Improvements |
| Description |
|
The server supports the following configuration options:
The OpenSSL built-in checks seem light, and the docs say only: The server does the following checks:
It furthermore explicitly disables:
It activates all "bug workaround options" in OpenSSL... Currently we only support weak_cert_validation, which is equivalent to --sslAllowInvalidHostname. |
| Comments |
| Comment by Hannes Magnusson [ 14/Jul/16 ] | ||
|
We now support all the above-mentioned things except for sslDisabledProtocols and sslCipherConfig – which are a bit problematic to implement across TLS libraries. I'm thinking maybe we should expose the individual "contexts" as callbacks and allow the app to configure it accordingly? This would be
That would allow applications to tune these things as they see fit, regardless of our recommendation. It also allows them to set some configuration values if we are behind on setting them, or only set them in later versions, etc. | ||
| Comment by A. Jesse Jiryu Davis [ 16/Jun/16 ] | ||
|
Thanks bjori. Can you update the description with a specific series of tasks that must be accomplished in order to complete this, please? | ||
| Comment by Hannes Magnusson [ 16/Jun/16 ] | ||
|
The description is still fully correct. We already support "weak" (e.g. 'none') validation, and hostname. None of the others. | ||
| Comment by A. Jesse Jiryu Davis [ 16/Jun/16 ] | ||
|
bjori I'm left confused by this. Is there a specific task we need to do to close this ticket? | ||
| Comment by Bernie Hackett [ 15/Mar/16 ] | ||
|
Yeah, good point. Well, using CERT_OPTIONAL in python doesn't hurt anything, it's just pointless. | ||
| Comment by A. Jesse Jiryu Davis [ 15/Mar/16 ] | ||
|
Supporting what Hannes said above, if you try to start mongod without a cert it quits:
(Tested with 3.2.) | ||
| Comment by Bernie Hackett [ 15/Mar/16 ] | ||
|
That's interesting. The Python ssl module docs make no distinction. https://docs.python.org/2/library/ssl.html#ssl.CERT_OPTIONAL That means our support for this option in PyMongo is completely pointless... | ||
| Comment by Hannes Magnusson [ 14/Mar/16 ] | ||
|
Turns out we don't need to. Since it is a protocol error for the server to not send its certificate, this flag is a no-op in client mode.
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html | ||
| Comment by Bernie Hackett [ 14/Mar/16 ] | ||
|
For weak_cert_validation I think you just want SSL_VERIFY_PEER. The default should be SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. | ||
| Comment by Hannes Magnusson [ 14/Mar/16 ] | ||
|
Note: We should probably set SSL_VERIFY_FAIL_IF_NO_PEER_CERT even for the generic weak_cert_validation option? | ||
| Comment by Hannes Magnusson [ 23/Feb/16 ] | ||
|
We also need to document these. Our current weak_cert_validation doesn't say anything about what validation it weakens. |