[SERVER-7202] SSL/TLS certificate validation support Created: 28/Sep/12  Updated: 19/Mar/13  Resolved: 17/Dec/12

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.3.2

Type: Improvement Priority: Major - P3
Reporter: Eric Milkie Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Gantt Dependency
has to be done before SERVER-7961 Use x.509 certificates for authentica... Closed
Related
is related to SERVER-524 Encryption of wire protocol with SSL Closed
Participants:

Description

Master issue for implementing TLS certificate validation support



Comments
Comment by auto [ 13/Jan/13 ]

Author: Eric Milkie <milkie@10gen.com>, 2013-01-13T17:04:37Z

Message: SERVER-7202 test expired CRL for SSL
Branch: master
https://github.com/mongodb/mongo/commit/36253b27bf227cf3919d4813dd0199caef3b17fb

Comment by auto [ 14/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-14T16:24:36Z

Message: SERVER-7202 adding tests for ssl private key password checking
Branch: master
https://github.com/mongodb/mongo/commit/13f77588a6a9997db841a5583a69ac961f3eb01c

Comment by auto [ 14/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-13T21:42:11Z

Message: SERVER-7202 add parameter to force client certificate checks
Branch: master
https://github.com/mongodb/mongo/commit/d85c100dd270544f3f43d871cacc313c99f5cbea

Comment by auto [ 14/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-13T21:03:10Z

Message: SERVER-7202 add CRL support for SSL
Branch: master
https://github.com/mongodb/mongo/commit/6f7a0dde58625d291c09d76e94fde77ef92a0420

Comment by auto [ 14/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-13T15:59:16Z

Message: SERVER-7202 tests for CRL
Branch: master
https://github.com/mongodb/mongo/commit/11f68e6353df398d2c87b13d1cb3eccf4e80a7a1

Comment by auto [ 12/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-12T15:58:23Z

Message: SERVER-7202 replace a local error string function with an openssl-provided one
Branch: master
https://github.com/mongodb/mongo/commit/9a8c4039a5204a55429fb2707f44b88741d1f605

Comment by auto [ 11/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-11T20:51:23Z

Message: SERVER-7202 cleanup SSLManager management

Rather than a single global Manager,
we now have one per Listener on the server, plus a global for client use
that is mutex-protected.
Branch: master
https://github.com/mongodb/mongo/commit/21e5ca09c42ec7ae7e1efe10f37e21082a5e9c15

Comment by auto [ 11/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-11T16:16:58Z

Message: SERVER-7202 test with certificates

Adjust unit tests to present certificates for validation at SSL handshake time.
Branch: master
https://github.com/mongodb/mongo/commit/1dfaa36f44989f41eadc1b7d8e108ca105be3a55

Comment by auto [ 11/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-11T14:59:53Z

Message: SERVER-7202 SSL certificate validation in both directions

New command line flag --sslCAFile specifies a file containing certificates
for the certificate authority. This flag is supported on mongod, mongos, and mongo
shell.

mongo shell now supports --sslPEMKeyFile and --sslPEMKeyPassword to specify the
client certificate presented as part of the SSL handshake when connecting to a server.

Note that certificate validation is not forced; validation currently only occurs
if the client presents a certificate. Note that CRL or OCSP remains unimplemented,
and there is not yet a way to restrict the cipher used.

Note that all of these features require the --ssl parameter to be passed to scons at build time.
Branch: master
https://github.com/mongodb/mongo/commit/4c3f61e55a81c98da1692d79ee6e27876cc209d2

Comment by auto [ 05/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-04T18:33:24Z

Message: SERVER-7202 add support for ssl smoke testing
Branch: master
https://github.com/mongodb/mongo/commit/7c50653c5548c816ad890dc00859e83c65f8aabc

Comment by auto [ 04/Dec/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-12-03T19:40:49Z

Message: SERVER-7202 proper error handling framework for SSL

1. change "postFork()" to "doSSLHandshake()"
2. properly catch socket exceptions thrown by doSSLHandshake
3. properly handle error statuses from SSL_new, SSL_set_fd, SSL_connect, SSL_accept
4. thread-safe implementation to fetch error text from SSL errors (_getSSLErrorMessage)
5. check that private key and certificate match each other at startup time
Branch: master
https://github.com/mongodb/mongo/commit/e4de169d6ac4e34a5e30d6d70db7d32a55555467

Comment by auto [ 27/Nov/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-11-26T21:13:24Z

Message: SERVER-7202 cleanup socket error handling for SSL

Comment by auto [ 26/Nov/12 ]

Author: Eric Milkie <milkie@10gen.com>, 2012-11-26T21:07:02Z

Message: SERVER-7202 properly handle renegotiation in SSL_send() and SSL_recv()
Branch: master
https://github.com/mongodb/mongo/commit/736bcf0b8b51e9baea921952f7cfc0a387d6c404

Generated at Thu Feb 08 03:13:53 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.