<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:21:01 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-214] Default to verifying certificates against default CA certificates</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-214</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;p&gt;If the server is using a certificate signed by a CA with well-distributed certs, it ought to be possible to verify the certificate without providing an explicit list of trusted certificates.&lt;/p&gt;

&lt;p&gt;Most languages either distribute their own canonical set of trusted certificates (as in Node.js) or know how to pull them off the OS (as in Python). Drivers should use them if available and no CA certificates have been explicitly passed in as configuration.&lt;/p&gt;</description>
                <environment></environment>
        <key id="192610">DRIVERS-214</key>
            <summary>Default to verifying certificates against default CA certificates</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="4" iconUrl="https://jira.mongodb.org/images/icons/priorities/minor.svg">Minor - P4</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="barrie">Barrie Segal</assignee>
                                    <reporter username="jared">Jared D. Cottrell</reporter>
                        <labels>
                            <label>newdriver</label>
                    </labels>
                <created>Sat, 28 Mar 2015 04:57:31 +0000</created>
                <updated>Mon, 8 Jan 2024 15:30:45 +0000</updated>
                            <resolved>Tue, 15 Nov 2016 21:53:14 +0000</resolved>
                                                                            <votes>0</votes>
                                    <watches>9</watches>
                                                                                                                <comments>
                            <comment id="1435010" author="rathi.gnanasekaran" created="Tue, 15 Nov 2016 21:53:14 +0000"  >&lt;p&gt;All drivers validated. Closing ticket. &lt;/p&gt;</comment>
                            <comment id="872676" author="bjori" created="Fri, 3 Apr 2015 21:47:28 +0000"  >&lt;p&gt;This is a bit complicated in PHP land, depending on PHP versions for example. The current PHP drivers just follow whatever PHP defaults there are.&lt;/p&gt;


&lt;p&gt;As for our new PHP driver, we now do as much as we can out-of-the-box in all PHP versions.&lt;br/&gt;
See commits related to &lt;a href=&quot;https://jira.mongodb.org/browse/PHPC-223&quot; title=&quot;Use explicit SSL options rather then stream context&quot; class=&quot;issue-link&quot; data-issue-key=&quot;PHPC-223&quot;&gt;&lt;del&gt;PHPC-223&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Note that PHP still needs to be configured properly to be able to use the &quot;default CA certificates&quot; (using the openssl.capath INI option). This should be the case when using distro packages.&lt;/p&gt;</comment>
                            <comment id="868511" author="jared" created="Tue, 31 Mar 2015 00:42:26 +0000"  >&lt;p&gt;Thanks David. Yeah, the revocation story is SSL&apos;s Achilles&apos; heel--there is no perfect answer. Whatever we decide the behavior should be, we should make sure to clearly document it so that users aren&apos;t surprised by it. We should also make it standard across all drivers, at least as much as the underlying languages will reasonably allow.&lt;/p&gt;

&lt;p&gt;I don&apos;t think users expect CRLs to be maintained by the drivers, like Chrome maintains their CRLSet. However, if the default is no CRL and no OCSP check, that means there is no revocation checking going on at all by default, which doesn&apos;t seem right. As flawed as it may be, I lean toward enabling OCSP checks by default.&lt;/p&gt;

&lt;p&gt;I keep going back to the user expecting that when &quot;ssl=true&quot; they get &quot;browser&quot; behavior. Now, as the Chrome blog shows, there is no true standard for SSL across browsers, but they do all do some kind of revocation checking.&lt;/p&gt;

&lt;p&gt;I agree that the user ought to be able to configure different behaviors. I think more sophisticated customers will want to:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;enable checking against a CRL they manage (ideally the file is watched for changes, running driver state updates gracefully)&lt;/li&gt;
	&lt;li&gt;enable/disable OCSP checking&lt;/li&gt;
	&lt;li&gt;change the OCSP failure modes (hard fail, soft fail, maybe a custom callback)&lt;/li&gt;
	&lt;li&gt;allow/require OCSP stapling (not supported by server, I believe, but if it were)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Most of this really belongs in &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-124&quot; title=&quot;Perform SSL server certificate validation in the drivers&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-124&quot;&gt;&lt;del&gt;DRIVERS-124&lt;/del&gt;&lt;/a&gt;; let me know if I should take it there.&lt;/p&gt;</comment>
                            <comment id="867939" author="david.golden" created="Mon, 30 Mar 2015 18:56:47 +0000"  >&lt;p&gt;We need to think carefully about checking revocation because the options for doing so have various problems:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;CRLs are huge and have to be kept up to date somehow &amp;#8211; is that really a driver responsibility?&lt;/li&gt;
	&lt;li&gt;OCSP leads to spurious failures if the CA isn&apos;t reachable and has its own vulnerability problems (see &lt;a href=&quot;https://www.imperialviolet.org/2014/04/19/revchecking.html&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;No, don&apos;t enable revocation checking&lt;/a&gt;)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;We should have a way to let users enable one or both forms of revocation checks, but I don&apos;t think we can pick a default that makes the right tradeoffs for any given user.&lt;/p&gt;</comment>
                            <comment id="867802" author="jared" created="Mon, 30 Mar 2015 17:43:07 +0000"  >&lt;p&gt;That&apos;s right, Bernie. I believe the tests to be performed are covered by &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-124&quot; title=&quot;Perform SSL server certificate validation in the drivers&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-124&quot;&gt;&lt;del&gt;DRIVERS-124&lt;/del&gt;&lt;/a&gt;; specifically:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Certificate chains back to a trusted cert&lt;/li&gt;
	&lt;li&gt;Certificate has not been revoked&lt;/li&gt;
	&lt;li&gt;Server&apos;s hostname matches CN of certificate presented by server&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="867786" author="behackett" created="Mon, 30 Mar 2015 17:34:22 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jared&quot; class=&quot;user-hover&quot; rel=&quot;jared&quot;&gt;jared&lt;/a&gt;, to clarify, the feature request is to automatically verify the server&apos;s certificate when &lt;b&gt;only&lt;/b&gt; &quot;ssl=true&quot; is passed in the URI, correct? This would necessarily require verifying against system CA certificates. &lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                        <issuelink>
            <issuekey id="769085">RUST-154</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="192597">PYTHON-872</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="193565">PYTHON-874</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="192773">RUBY-886</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="283919">DRIVERS-302</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="193723">PHPC-223</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="276020">CDRIVER-1182</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_23952" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Driver Compliance</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[<style type='text/css'>
         #scriptField, #scriptField *{
                border: 1px solid black;
            }

            #scriptField{
                border-collapse: collapse;
            }

            #scriptField td {
                text-align: center; /* Center-align text in table cells */
            }

            #scriptField td.key {
                text-align: left; /* Left-align text in the Key column */
            }

            #scriptField a {
                text-decoration: none; /* Remove underlines from links */
                border: none; /* Remove border from links */
            }
            
            /* Add green background color to cells with FixVersion */
            #scriptField td.hasFixVersion {
                background-color: #00FF00; /* Green color code */
            }

            /* Center-align the first row headers */
            #scriptField th {
                text-align: center;
            }
        </style>
<table id='scriptField'>
  <tr>
    <th>Key</th>
    <th>Status/Resolution</th>
    <th>FixVersion</th>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/PYTHON-872'>PYTHON-872</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>3.0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/RUBY-886'>RUBY-886</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>2.1.0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/PYTHON-874'>PYTHON-874</a>
    </td>
    <td>Done</td>
    <td class='hasFixVersion'>3.0</td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/RUST-154'>RUST-154</a>
    </td>
    <td>Done</td>
    <td class=''></td>
  </tr>
  <tr>
    <td class='key'>
      <a href='https://jira.mongodb.org/browse/SWIFT-464'>SWIFT-464</a>
    </td>
    <td>Works as Designed</td>
    <td class=''></td>
  </tr>
</table>]]></customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hs7klr:</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>