[SERVER-10330] Perform SSL server certificate validation in the C++ driver

Created: 25/Jul/13 | Updated: 30/Oct/15 | Resolved: 12/Nov/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.5.1 |
| Fix Version/s: | 2.5.4 |
| Type: | New Feature |
| Priority: | Major - P3 |
| Reporter: | Andreas Nilsson |
| Assignee: | Andreas Nilsson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |

Description
Implement a hostname check of the server on the client side. Check SAN match first and then CN. These behaviors should be configurable before first use of the driver, by manipulating the process-global connection SSL configuration state (formerly cmdLine.sslOnNormalPorts).

Comments
Comment by auto [12/Nov/13]

Author: Andreas Nilsson (username: agralius, email: andreas.nilsson@10gen.com)
Message:
Comment by auto [12/Nov/13]

Author: Andy Schwerin (username: andy10gen, email: schwerin@10gen.com)
Message:
Comment by Andreas Nilsson [12/Nov/13]

From 2.5.4 we will be performing hostname validation of the server certificates in the C++ driver. That is, if the name listed in the CN or SAN fields of the certificate does not match the actual host name, the connection will be terminated. We should probably document this for setting up SSL-enabled clusters. This applies to both the shell/C++ driver and to server-server connections within a cluster. For both the server and the client there is a new command line parameter to override this behavior, called --sslAllowInvalidCertificates. This new flag will not only override hostname validation checks but also invalid certificates in general.
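The check described in the issue description (match the hostname against SAN dNSName entries first, then against the CN) and the override from the comment above (--sslAllowInvalidCertificates disabling the result), as an added illustration that is not the driver's own code. It assumes a hypothetical PeerCertNames struct already holding the names extracted from the peer certificate (the real driver would read them from the X509 object via OpenSSL), and the wildcard rules (one leading "*." covering exactly one label, never a top-level domain) follow common RFC 6125 practice rather than anything the ticket specifies.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical summary of the names carried by the peer certificate.
// Assumption: a caller has already extracted these from the X509 structure.
struct PeerCertNames {
    std::vector<std::string> sanDnsNames;  // subjectAltName dNSName entries
    std::string commonName;                // subject CN
};

static std::string toLower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Compare one certificate name against the hostname we dialled.
// Case-insensitive; a trailing dot is ignored; a single "*." wildcard is
// accepted only as the leftmost label, matches exactly one label, and must
// leave at least two labels after it so "*.com" never matches anything.
bool certNameMatches(const std::string& certName, const std::string& hostname) {
    std::string pattern = toLower(certName);
    std::string host = toLower(hostname);
    if (pattern.empty() || host.empty()) return false;
    if (pattern.back() == '.') pattern.pop_back();
    if (host.back() == '.') host.pop_back();

    if (pattern.compare(0, 2, "*.") != 0) {
        return pattern == host;               // plain name: exact match only
    }
    if (pattern.find('*', 1) != std::string::npos) return false;   // only one wildcard
    const std::string suffix = pattern.substr(1);                  // ".example.com"
    if (std::count(suffix.begin(), suffix.end(), '.') < 2) return false;   // reject "*.com"
    if (host.size() <= suffix.size()) return false;
    if (host.compare(host.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string leftLabel = host.substr(0, host.size() - suffix.size());
    return leftLabel.find('.') == std::string::npos;  // wildcard spans one label only
}

enum class HostnameVerdict { MatchedSan, MatchedCn, NoMatch };

// Ticket order: SAN entries first, then CN. (Stricter RFC 6125 behaviour
// would ignore the CN entirely once any dNSName SAN is present.)
HostnameVerdict verifyHostname(const PeerCertNames& cert, const std::string& hostname) {
    for (const auto& san : cert.sanDnsNames) {
        if (certNameMatches(san, hostname)) return HostnameVerdict::MatchedSan;
    }
    if (certNameMatches(cert.commonName, hostname)) return HostnameVerdict::MatchedCn;
    return HostnameVerdict::NoMatch;
}

// Connection decision: the process-global override (modelled on
// --sslAllowInvalidCertificates) bypasses the hostname result entirely.
bool allowConnection(const PeerCertNames& cert, const std::string& hostname,
                     bool allowInvalidCertificates) {
    if (allowInvalidCertificates) return true;
    return verifyHostname(cert, hostname) != HostnameVerdict::NoMatch;
}

int main() {
    // Constructed sample certificate: two SAN names plus a legacy CN.
    PeerCertNames cert{{"db1.example.com", "*.rs0.example.com"}, "legacy.example.com"};
    const char* hosts[] = {"db1.example.com", "node3.rs0.example.com",
                           "legacy.example.com", "evil.example.com"};
    for (const char* h : hosts) {
        std::cout << h << " -> strict=" << allowConnection(cert, h, false)
                  << " override=" << allowConnection(cert, h, true) << '\n';
    }
    return 0;
}
```

The verdict enum is kept separate from the boolean decision so that logging can record whether a connection was accepted on a SAN, on a CN fallback, or only because the override flag was set; the last case is the one operators of an SSL-enabled cluster would want to see in their logs.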
Comment by auto [12/Nov/13]

Author: Andreas Nilsson (username: agralius, email: andreas.nilsson@10gen.com)
Message:
Comment by Andy Schwerin [15/Oct/13]

No, I would add a separate configuration variable, the "server certificate validation mode", maybe?
Comment by Andreas Nilsson [15/Oct/13]

@schwerin Are you suggesting we expand the context of sslMode to include validation or not? If so, how do we support "multidimensional" configurations? That is, how to concurrently represent: communication mode: noSSL/acceptSSL/sendAcceptSSL/sslOnly