[SERVER-10330] Perform SSL server certificate validation in the C++ driver Created: 25/Jul/13  Updated: 30/Oct/15  Resolved: 12/Nov/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.1
Fix Version/s: 2.5.4

Type: New Feature
Priority: Major - P3
Reporter: Andreas Nilsson
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: (none)
Related: is related to SERVER-11107 By default, mongod should not start w... Closed
Participants:

 Description   

Implement a hostname check of the server on the client side. Check SAN match first and then CN.
Also, check that the server certificate is currently valid (not expired, and not 'not-yet-valid').

These behaviors should be configurable before first-use of the driver, by manipulating the process-global connection ssl configuration state (formerly cmdLine.sslOnNormalPorts).



 Comments   
Comment by auto [ 12/Nov/13 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-10330 Fixed build failure on enterprise builds
Branch: master
https://github.com/mongodb/mongo/commit/0be500e771b210650741d5b5783896d4dff2679a

Comment by auto [ 12/Nov/13 ]

Author: Andy Schwerin (andy10gen) <schwerin@10gen.com>

Message: SERVER-10330 Fix compile.
Branch: master
https://github.com/mongodb/mongo/commit/530c21a9f87b971aa149e80af778fa48473b7e75

Comment by Andreas Nilsson [ 12/Nov/13 ]

From 2.5.4 we will be performing hostname validation of the server certificates in the C++ driver. That is, if the name listed in the CN or SAN fields of the certificate does not match the actual host name, the connection will be terminated. We should probably document this for setting up SSL-enabled clusters.

This applies to both the shell/C++ driver and for server-server connections within a cluster.

For both the server and client there is a new cmd line param to override this behavior called --sslAllowInvalidCertificates. This new flag will not only override hostname validation checks but also invalid certificates in general.
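The SAN-then-CN hostname match and the validity-period check requested in the description, together with the --sslAllowInvalidCertificates override described in the comment above, as an added example that is not the driver's code. It operates on a hand-built ServerCertInfo record (a hypothetical struct standing in for the parsed X.509 certificate) instead of OpenSSL objects, so it runs without a TLS library; in a real client the fields would come from the certificate returned by the handshake. The wildcard rule (a `*` only as the whole leftmost label) and the choice to consult the CN only when the certificate carries no dNSName SAN at all follow RFC 6125 and are assumptions, not something the ticket states. The sample certificates and timestamps at the bottom are constructed for the demonstration.

```cpp
#include <algorithm>
#include <cctype>
#include <cstdio>
#include <ctime>
#include <string>
#include <vector>

// Hypothetical model of what the client needs from the server certificate.
// In a real driver these come from the parsed X.509 object (subject CN,
// dNSName entries of subjectAltName, notBefore/notAfter).
struct ServerCertInfo {
    std::vector<std::string> dnsSans;  // dNSName SAN entries, may be empty
    std::string commonName;            // CN of the subject DN
    std::time_t notBefore;
    std::time_t notAfter;
};

enum class CertCheck { Ok, HostnameMismatch, NotYetValid, Expired };

// DNS names are case-insensitive.
static bool iequals(const std::string& a, const std::string& b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(),
                      [](unsigned char x, unsigned char y) {
                          return std::tolower(x) == std::tolower(y);
                      });
}

// Match one certificate name against the host name the client dialled.
// A wildcard is honoured only as the entire leftmost label, so
// "*.example.com" matches "db1.example.com" but neither "example.com"
// nor "a.b.example.com" (assumption: RFC 6125 style matching).
static bool nameMatches(const std::string& certName, const std::string& host) {
    if (certName.compare(0, 2, "*.") != 0) {
        return iequals(certName, host);
    }
    const std::string suffix = certName.substr(1);  // ".example.com"
    const std::string::size_type firstDot = host.find('.');
    if (firstDot == std::string::npos || firstDot == 0) {
        return false;  // host has no leftmost label for the '*' to consume
    }
    return iequals(host.substr(firstDot), suffix);
}

// Validity period first, then hostname. SANs take precedence; the CN is
// consulted only when no dNSName SAN is present (assumption: RFC 6125 rule).
CertCheck validateServerCert(const ServerCertInfo& cert, const std::string& host,
                             std::time_t now) {
    if (now < cert.notBefore) return CertCheck::NotYetValid;
    if (now > cert.notAfter) return CertCheck::Expired;
    if (!cert.dnsSans.empty()) {
        for (const auto& san : cert.dnsSans) {
            if (nameMatches(san, host)) return CertCheck::Ok;
        }
        return CertCheck::HostnameMismatch;
    }
    return nameMatches(cert.commonName, host) ? CertCheck::Ok
                                              : CertCheck::HostnameMismatch;
}

// Connection-time decision. allowInvalidCertificates models the
// --sslAllowInvalidCertificates override from the comment above: the checks
// still run, so the outcome can be reported through outResult, but a failure
// no longer terminates the connection.
bool shouldAcceptConnection(const ServerCertInfo& cert, const std::string& host,
                            std::time_t now, bool allowInvalidCertificates,
                            CertCheck* outResult) {
    const CertCheck r = validateServerCert(cert, host, now);
    if (outResult) *outResult = r;
    return r == CertCheck::Ok || allowInvalidCertificates;
}

static const char* describe(CertCheck r) {
    switch (r) {
        case CertCheck::Ok: return "ok";
        case CertCheck::HostnameMismatch: return "hostname mismatch";
        case CertCheck::NotYetValid: return "not yet valid";
        case CertCheck::Expired: return "expired";
    }
    return "?";
}

int main() {
    // Constructed sample: wildcard SAN plus one exact SAN, valid between
    // epoch seconds 1000 and 2000; the CN is deliberately not a dialled name.
    const ServerCertInfo cert{{"*.example.com", "mongo.internal"}, "ignored-cn", 1000, 2000};
    const char* hosts[] = {"db1.example.com", "a.b.example.com", "ignored-cn"};
    for (const char* h : hosts) {
        CertCheck r;
        const bool accepted = shouldAcceptConnection(cert, h, 1500, false, &r);
        std::printf("%-16s -> %s (%s)\n", h, describe(r),
                    accepted ? "connect" : "terminate");
    }
    return 0;
}
```

A strict client rejects on anything other than CertCheck::Ok; the override exists for lab and migration setups and should be paired with logging of the reported result so a mismatched or expired certificate in production is at least visible.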

Comment by auto [ 12/Nov/13 ]

Author: Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-10330 SERVER-11195 SSL server hostname validation
Branch: master
https://github.com/mongodb/mongo/commit/b5d36ec05cd4f22e02a8b4143954980946710648

Comment by Andy Schwerin [ 15/Oct/13 ]

No, I would add a separate configuration variable, the "server certificate validation mode", maybe?

Comment by Andreas Nilsson [ 15/Oct/13 ]

schwerin: Are you suggesting we expand the context of sslMode to include validation or not? If so, how do we support "multidimensional" configurations? That is, how to concurrently represent:

communication mode: noSSL/acceptSSL/sendAcceptSSL/sslOnly
validation mode: on/off

Generated at Thu Feb 08 03:22:52 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.