<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:11:40 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-1133] Add support for SSL verification options matching the server</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-1133</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;The server supports the &lt;a href=&quot;https://docs.mongodb.org/manual/reference/configuration-options/#net.ssl.allowConnectionsWithoutCertificates&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;following configuration options&lt;/a&gt;:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;&lt;tt&gt;&amp;#45;-sslCipherConfig&lt;/tt&gt; (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L596-L611&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;br/&gt;
  Undocumented cipher list override (e.g. remove &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-16073&quot; title=&quot;Allow disabling SSL Ciphers via hidden flag: sslCipherConfig&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-16073&quot;&gt;&lt;del&gt;AES-GCM&lt;/del&gt;&lt;/a&gt;)&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;&amp;#45;-sslDisabledProtocols&lt;/tt&gt; (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L581-L594&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;br/&gt;
  Explicitly disable TLSv1, TLSv1.1 or TLSv1.2&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;&amp;#45;-sslAllowConnectionsWithoutCertificates&lt;/tt&gt; AKA &lt;tt&gt;&amp;#45;-sslWeakCertificateValidation&lt;/tt&gt; (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L942&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;br/&gt;
Allow clients to not provide a certificate. If one is provided, though, validate it.&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;&amp;#45;-sslAllowInvalidCertificates&lt;/tt&gt; (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L956&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt; and &lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L1014&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;br/&gt;
If the certificate fails OpenSSL&apos;s certificate validation checks, still allow it. Also allow invalid hostnames.&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;&amp;#45;-sslAllowInvalidHostname&lt;/tt&gt; (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L978-L1023&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;br/&gt;
Allow certificate hostname mismatch to fail (use Subject Alternate Name if exists, otherwise most specific Common Name field in subject).&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;The OpenSSL built-in checks seem light, and the docs say only:&lt;br/&gt;
&quot;The certificate chain is checked starting with the deepest nesting level (the root CA certificate) and worked upward to the peer&apos;s certificate. At each level signatures and issuer attributes are checked. &quot;&lt;/p&gt;

&lt;p&gt;The server does the following checks:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;Certificate expiration (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L725&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;/li&gt;
	&lt;li&gt;CRL check if &lt;tt&gt;&amp;#45;-sslCRLFile&lt;/tt&gt; is provided (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L809&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt; and &lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L641-L645&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;br/&gt;
  Verifies the chain leaf (&lt;a href=&quot;https://www.openssl.org/docs/manmaster/crypto/X509_VERIFY_PARAM_set_flags.html#VERIFICATION-FLAGS&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;NOT entire chain&lt;/a&gt;)&lt;/li&gt;
	&lt;li&gt;Certificate issued by specific, or any of the provided CAs (&lt;a href=&quot;https://github.com/mongodb/mongo/blob/v3.2/src/mongo/util/net/ssl_manager.cpp#L793&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;source&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;It furthermore explicitly disables:&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;SSLv2&lt;/li&gt;
	&lt;li&gt;SSLv3&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;It activates all &quot;bug workaround options&quot; in OpenSSL...&lt;/p&gt;

&lt;p&gt;&lt;br class=&quot;atl-forced-newline&quot; /&gt;&lt;/p&gt;


&lt;p&gt;Currently we only support weak_cert_validation, which is equivalent to &lt;tt&gt;&amp;#45;-sslAllowInvalidHostname&lt;/tt&gt;.&lt;br/&gt;
If provided with ca_file, it is used.&lt;br/&gt;
If provided with crl_file, it is used.&lt;/p&gt;</description>
                <environment></environment>
        <key id="267352">CDRIVER-1133</key>
            <summary>Add support for SSL verification options matching the server</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="bjori">Hannes Magnusson</assignee>
                                    <reporter username="bjori">Hannes Magnusson</reporter>
                        <labels>
                            <label>intern2016</label>
                    </labels>
                <created>Tue, 23 Feb 2016 01:26:50 +0000</created>
                <updated>Wed, 10 Aug 2016 22:10:55 +0000</updated>
                            <resolved>Mon, 18 Jul 2016 19:05:05 +0000</resolved>
                                    <version>1.4.0</version>
                                    <fixVersion>1.4.0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="1324300" author="bjori" created="Thu, 14 Jul 2016 17:49:19 +0000"  >&lt;p&gt;We now support all the above mentioned things except for &lt;tt&gt;sslDisabledProtocols&lt;/tt&gt; and &lt;tt&gt;sslCipherConfig&lt;/tt&gt; &amp;#8211; which are a bit problematic to implement across TLS libraries.&lt;br/&gt;
We could do some string parsing on the protocols value and match against known values like &quot;tls1.0&quot;, &quot;ssl3&quot; and then resolve that into however these things are disabled per lib..&lt;br/&gt;
But the cipher config would be crazy messy as their string representation isn&apos;t always available and not something we can match for.&lt;/p&gt;

&lt;p&gt;I&apos;m thinking maybe we should expose the individual &quot;contexts&quot; as callbacks and allow the app to configure it accordingly?&lt;/p&gt;

&lt;p&gt;This would be&lt;/p&gt;
&lt;ul class=&quot;alternate&quot; type=&quot;square&quot;&gt;
	&lt;li&gt;&lt;tt&gt;SSLContextRef&lt;/tt&gt; on &lt;tt&gt;Secure Transport&lt;/tt&gt;&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;SCHANNEL_CRED&lt;/tt&gt; on &lt;tt&gt;Secure Channel&lt;/tt&gt;&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;SSL_CTX *&lt;/tt&gt; on &lt;tt&gt;OpenSSL&lt;/tt&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;That would allow applications to tune these things as they see fit, regardless of our recommendation. It also allows them to set some configuration values if we are behind on setting them, or only set them in later versions etc etc.&lt;/p&gt;
</comment>
                            <comment id="1296408" author="jesse" created="Thu, 16 Jun 2016 12:36:52 +0000"  >&lt;p&gt;Thanks &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=bjori&quot; class=&quot;user-hover&quot; rel=&quot;bjori&quot;&gt;bjori&lt;/a&gt;. Can you update the description with a specific series of tasks that must be accomplished in order to complete this, please?&lt;/p&gt;</comment>
                            <comment id="1296108" author="bjori" created="Thu, 16 Jun 2016 03:11:15 +0000"  >&lt;p&gt;The description is still fully correct.&lt;br/&gt;
These options need to be implemented in all the tls implementations we support.&lt;/p&gt;

&lt;p&gt;We already support &quot;weak&quot; (e.g. &apos;none&apos;) validation, and hostname. None of the others.&lt;/p&gt;</comment>
                            <comment id="1296048" author="jesse" created="Thu, 16 Jun 2016 00:50:17 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=bjori&quot; class=&quot;user-hover&quot; rel=&quot;bjori&quot;&gt;bjori&lt;/a&gt; I&apos;m left confused by this. Is there a specific task we need to do to close this ticket?&lt;/p&gt;</comment>
                            <comment id="1204485" author="behackett" created="Tue, 15 Mar 2016 21:08:25 +0000"  >&lt;p&gt;Yeah, good point. Well, using CERT_OPTIONAL in python doesn&apos;t hurt anything, it&apos;s just pointless. &lt;img class=&quot;emoticon&quot; src=&quot;https://jira.mongodb.org/images/icons/emoticons/smile.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt;&lt;/p&gt;</comment>
                            <comment id="1204308" author="jesse" created="Tue, 15 Mar 2016 19:09:29 +0000"  >&lt;p&gt;Supporting what Hannes said above, if you try to start mongod without a cert it quits:&lt;/p&gt;
&lt;pre&gt;$ mongod --sslOnNormalPorts
BadValue need sslPEMKeyFile when SSL is enabled&lt;/pre&gt;
&lt;p&gt;(Tested with 3.2.)&lt;/p&gt;</comment>
                            <comment id="1203239" author="behackett" created="Tue, 15 Mar 2016 00:07:41 +0000"  >&lt;p&gt;That&apos;s interesting. The Python ssl module docs make no distinction.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://docs.python.org/2/library/ssl.html#ssl.CERT_OPTIONAL&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.python.org/2/library/ssl.html#ssl.CERT_OPTIONAL&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;That means our support for this option in PyMongo is completely pointless...&lt;/p&gt;</comment>
                            <comment id="1203223" author="bjori" created="Mon, 14 Mar 2016 23:52:23 +0000"  >&lt;p&gt;Turns out. We don&apos;t need to.&lt;/p&gt;

&lt;p&gt;Since it is a protocol error for the server to not send its certificate, this flag is a no-op in client mode.&lt;br/&gt;
Setting this flag would only affect our internal mock server in server mode.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;SSL_VERIFY_FAIL_IF_NO_PEER_CERT&lt;br/&gt;
Server mode: if the client did not return a certificate, the TLS/SSL handshake is immediately terminated with a &quot;handshake failure&quot; alert. This flag must be used together with SSL_VERIFY_PEER.&lt;/p&gt;

&lt;p&gt;Client mode: ignored&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&lt;a href=&quot;https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1203210" author="behackett" created="Mon, 14 Mar 2016 23:35:29 +0000"  >&lt;p&gt;For weak_cert_validation I think you just want SSL_VERIFY_PEER. The default should be SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT.&lt;/p&gt;</comment>
                            <comment id="1203207" author="bjori" created="Mon, 14 Mar 2016 23:32:13 +0000"  >&lt;p&gt;Note: We should probably set SSL_VERIFY_FAIL_IF_NO_PEER_CERT even for the generic weak_cert_validation option?&lt;br/&gt;
It&apos;s technically a bc break, but not sending the server cert is a tls error soo........&lt;/p&gt;</comment>
                            <comment id="1181355" author="bjori" created="Tue, 23 Feb 2016 01:45:27 +0000"  >&lt;p&gt;We also need to document these. Our current &lt;tt&gt;weak_cert_validation&lt;/tt&gt; doesn&apos;t say anything about what validation it weakens.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="229803">CDRIVER-842</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="286766">CDRIVER-1231</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>CDRIVER-1156</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsio33:</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>