[JAVA-1173] SSL connections do not verify certificate hostnames Created: 18/Apr/14 Updated: 13/Apr/16 Resolved: 16/Mar/15 |
|
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | Connection Management |
| Affects Version/s: | 2.11.2, 2.12.0 |
| Fix Version/s: | 3.0.0 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | John Morales | Assignee: | Jeffrey Yemin |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||
| Description |
|
Overview

Currently this hostname verification is not performed when communicating with SSL-enabled MongoDB.

Details

One apparent option might be to modify the SSLParameters of the SSLContext used to create your SSLSocketFactory and specify an endpoint identification algorithm. Unfortunately, however, it appears the JDK's implementation only respects a subset of the SSLParameters at the factory level, and identificationAlgorithm is not one of them: SSLSocketImpl.java (line 2408).

Another option would be to set the algorithm on each socket created by the factory. I did try a quick POC of this option by adding the snippet below to DBPort.java on 2.11.2.
While this wouldn't be the only place requiring the code change, this did do the trick for my standalone MongoDB test, in that connecting with the matching hostname was allowed, while using an alias of the hostname was rejected:
(IMO, I think an argument could be made that this is a JDK bug. Given my (limited) understanding of X.509 I would've expected the verification to be handled automatically behind the scenes and by default. Especially given the proposed workaround above relies on using the identification algorithm of "HTTPS", which is clearly out of place in this context. Relevant JDK source: |
| Comments |
| Comment by Jeffrey Yemin [ 31/Mar/15 ] | ||
|
Closing all resolved 3.0.0 issues, as 3.0.0 has been tagged and released. | ||
| Comment by Githook User [ 17/Mar/15 ] | ||
|
Author: Jeff Yemin (jyemin, jeff.yemin@10gen.com)
Message: Fixed SSL hostname verification for Netty | ||
| Comment by Githook User [ 16/Mar/15 ] | ||
|
Author: Jeff Yemin (jyemin, jeff.yemin@10gen.com)
Message: Temporarily allowing invalid SSL host names during test runs. | ||
| Comment by Githook User [ 16/Mar/15 ] | ||
|
Author: Jeff Yemin (jyemin, jeff.yemin@10gen.com)
Message: Enabled HTTPS endpoint identification for SSL sockets by default, which introduces a dependency on Java 7, | ||
| Comment by Jeffrey Yemin [ 12/Dec/14 ] | ||
|
Since the driver allows the SocketFactory to be configured, clients can work around this by wrapping SSLSocketFactory and implementing the required checks there (presumably in a non-portable fashion, as in the suggestion in the description). | ||
| Comment by Jeffrey Yemin [ 18/Apr/14 ] | ||
|
We'll have to think about this. The use of "HTTPS" clearly is relying on the implementation of a particular version of a particular JDK. There's nothing in the spec that dictates what the behavior of this is required to be. I'm thinking we need something more general. If we had a generic event system, we could do something like this:
But figuring out just the right set of events will be a project in and of itself. |
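
The workaround discussed in the description and in the 12/Dec/14 comment (wrap the SSLSocketFactory and set the endpoint identification algorithm on every socket it creates) could look like the sketch below. This is an added example, not the reporter's POC snippet and not driver code; the class name `HostnameVerifyingSocketFactory` is hypothetical, and it assumes Java 7 or later for `SSLParameters.setEndpointIdentificationAlgorithm`.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical wrapper: delegates to a real SSLSocketFactory and enables
// endpoint identification on every socket before it is handed to the caller.
public class HostnameVerifyingSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public HostnameVerifyingSocketFactory(SSLSocketFactory delegate) { this.delegate = delegate; }

    // The TLS handshake is deferred until first I/O, so setting the parameter
    // here (even on an already connected socket) still takes effect.
    private Socket harden(Socket socket) {
        SSLSocket ssl = (SSLSocket) socket;
        SSLParameters params = ssl.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // certificate must match the peer host
        ssl.setSSLParameters(params);
        return ssl;
    }

    @Override public Socket createSocket() throws IOException {
        return harden(delegate.createSocket());
    }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return harden(delegate.createSocket(s, host, port, autoClose));
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, local, localPort));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return harden(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress host, int port, InetAddress local, int localPort) throws IOException {
        return harden(delegate.createSocket(host, port, local, localPort));
    }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // Offline check: an unconnected socket from the wrapper carries the algorithm.
    public static void main(String[] args) throws IOException {
        SSLSocketFactory base = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (Socket s = new HostnameVerifyingSocketFactory(base).createSocket()) {
            System.out.println(((SSLSocket) s).getSSLParameters().getEndpointIdentificationAlgorithm());
        }
    }
}
```

An instance wrapping the application's own SSLSocketFactory would be supplied wherever the driver accepts a configured SocketFactory, as the 12/Dec/14 comment suggests.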