[CDRIVER-1157] Verify certificates during handshake Created: 14/Mar/16  Updated: 10/Aug/16  Resolved: 23/Mar/16

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.4.0

Type: Improvement Priority: Major - P3
Reporter: Hannes Magnusson Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by CDRIVER-1155 Use OpenSSLs hostname verification Closed
Related
is related to CDRIVER-1154 Missing Certificate Verification on r... Closed
Epic Link: TLS Improvements

 Description   

Our current TLS abstraction does certificate verification as a completely seperate step after TLS handshake.

This is very risky business and resulted in CDRIVER-1154.

The protocol says you should do the certificate (and therefore hostname!) check during the handshake.
This has the added benefit of failed check will result in an tls alert which mongod will log, over the just random closed connection.



 Comments   
Comment by Githook User [ 23/Mar/16 ]

Author:

{u'username': u'bjori', u'name': u'Hannes Magnusson', u'email': u'bjori@php.net'}

Message: CDRIVER-1157: Verify certificates during handshake

This simplifies the OpenSSL code a lot, while this was already
the case in Secure Transport

Note that the previous functions have been deprecated and
always return false now.
We cannot remove them due to ABI, but there is no chance
a user of the driver would have been calling them intentionally
since he would have to get a hold of the stream between
us creating it, and before we even run ismaster on it.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/8e0a6f53e3443259264ef5034ad40139afaace10

Generated at Wed Feb 07 21:11:44 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.