[CDRIVER-1182] Load Windows trusted CA by default when no CA configured

Created: 30/Mar/16
Updated: 10/Aug/16
Resolved: 14/Jul/16

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.4.0
Fix Version/s: 1.4.0

Type: New Feature
Priority: Major - P3
Reporter: Hannes Magnusson
Assignee: Hannes Magnusson
Resolution: Done
Votes: 0
Labels: intern2016
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on CDRIVER-1142 Load default distribution CAs if no c... Closed
Related
related to DRIVERS-214 Default to verifying certificates aga... Closed
is related to SERVER-23044 Fall back to system CA certs in the s... Closed
is related to DRIVERS-302 Test connections to Mango Closed
Epic Link: TLS Improvements

 Description   

The server will make providing an explicit CA optional, and default to the system-provided (OpenSSL) defaults.

We do the same as of CDRIVER-1142, but OpenSSL doesn't ship with default certificates and it appears rare that people explicitly fetch the Mozilla bundle or other bundles.

We can, and should, trust the Windows cert store for this.

When no explicit CA option is provided (mongoc_ssl_opt_t.ca_file and .ca_dir) we should extract the CAs from the Windows cert store and load them into OpenSSL.

Even though we'll support Windows native Secure Channel, I think we should still do this for those who resist and continue to use OpenSSL on Windows.
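
The fallback described above, shown in Python because its `ssl` module wraps OpenSSL and exposes the Windows store through `ssl.enum_certificates` (Windows only). This is an added example, not the code from the linked commit. The function names, the server-auth trust filter and the sample entries are assumptions made here.

```python
import ssl
import sys

SERVER_AUTH_OID = ssl.Purpose.SERVER_AUTH.oid  # 1.3.6.1.5.5.7.3.1

def select_trusted_der(entries):
    """Pick the store entries usable as TLS server trust anchors."""
    # entries has the shape ssl.enum_certificates() returns on Windows:
    # (cert_bytes, encoding_type, trust); trust is True (all purposes)
    # or a set of extended-key-usage OIDs.
    selected = []
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn":  # skip PKCS#7 bundles, keep plain DER X.509
            continue
        if trust is True or SERVER_AUTH_OID in trust:
            selected.append(cert_bytes)
    return selected

def ca_source(ca_file=None, ca_dir=None, platform=sys.platform):
    """An explicit CA option always wins; the store is only the fallback."""
    if ca_file or ca_dir:
        return "explicit"
    return "windows-store" if platform == "win32" else "openssl-default"

def build_context(ca_file=None, ca_dir=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verification stays required
    source = ca_source(ca_file, ca_dir)
    if source == "explicit":
        ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)
    elif source == "windows-store":
        for store in ("ROOT", "CA"):
            for der in select_trusted_der(ssl.enum_certificates(store)):
                try:
                    ctx.load_verify_locations(cadata=der)
                except ssl.SSLError:
                    continue  # entry OpenSSL cannot parse; skip it
    else:
        ctx.set_default_verify_paths()
    return ctx, source

# Constructed sample entries (placeholder bytes, not real certificates).
SAMPLE_ENTRIES = [
    (b"der-all-purposes", "x509_asn", True),
    (b"der-server-auth", "x509_asn", {SERVER_AUTH_OID}),
    (b"der-code-signing", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),
    (b"pkcs7-bundle", "pkcs_7_asn", True),
]
```

Importing the store only changes which roots are trusted; certificate and hostname verification remain enabled in every branch.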



 Comments   
Comment by Githook User [ 14/Jul/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-1182: Import CAs from the Windows Cert store to OpenSSL
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/7857d6c486c44eb0355a907ee52f9cb9d860587d

Generated at Wed Feb 07 21:11:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.