[DRIVERS-124] Perform SSL server certificate validation in the drivers Created: 15/Oct/13  Updated: 15/May/19  Resolved: 09/Jun/16

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: Andy Schwerin Assignee: Barrie Segal
Resolution: Done Votes: 0
Labels: newdriver
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on RUST-159 Perform SSL server certificate valida... Closed
depends on PYTHON-1072 Test validation of peer cert notBefor... Closed
depends on PYTHON-1073 Support CRL files Closed
Duplicate
Related
related to DRIVERS-302 Test connections to Mango Closed
related to DRIVERS-65 SSL certificate validation testing Closed
is related to NODE-946 Not performing SSL server certificate... Closed
Epic Link: Authentication
Driver Compliance:
Key Status/Resolution FixVersion
PYTHON-1072 Done 3.3
PYTHON-1073 Done 3.3
SWIFT-471 Fixed 0.2.0
RUST-159 Done

 Description   

Like SERVER-10330, but for all drivers that support SSL. Drivers should by default refuse to connect to servers that present expired certificates, certificates that are not-yet-valid, certificates that do not match the host name that the client tried to connect to, certificates with bad signatures and revoked certificates, at least.

This behavior should be configurable by client code, in case the client intentionally wishes to ignore that the server's certificate is bad.



 Comments   
Comment by Bernie Hackett [ 09/Jun/16 ]

Resolving again. Extensive testing proves that, unlike hostname matching, OpenSSL (at least as used in python's ssl module) always verifies notBefore and notAfter. CRL support is now implemented for python versions that support it.

Comment by Bernie Hackett [ 03/May/16 ]

Reopening, since it turns out PyMongo doesn't do notBefore and notAfter parsing. See PYTHON-1072. PyMongo also needs to support CRL files, when possible. See PYTHON-1073.

Comment by Andrew Morrow (Inactive) [ 03/Mar/15 ]
  • Validating for legacy C++ driver as we do not plan to make changes to SSL support
  • Validating for C+11 as C+11 driver wraps the C driver, which is already validated.
Generated at Thu Feb 08 08:20:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.