author | Sara Golemon <sara.golemon@mongodb.com> | 2018-08-30 16:02:21 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2018-08-30 19:57:56 +0000 |
commit | 52ddf6e1c9218d6e4eb418106383b35bf7bbe992 (patch) | |
tree | 4c0c80e43238ed0288477f6bec1d4ab6ea193a7a | |
parent | a651f84ad5c9d91b2b8b6c5704d07efe9c97c94a (diff) | |
SERVER-36942 Differentiate invalid hostname from invalid certificate
-rw-r--r-- | src/mongo/util/net/ssl/apple.hpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl/detail/impl/engine_apple.ipp | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 7 |
3 files changed, 8 insertions, 3 deletions
diff --git a/src/mongo/util/net/ssl/apple.hpp b/src/mongo/util/net/ssl/apple.hpp
index 7a8a577d5fe..3b7526eabe1 100644
--- a/src/mongo/util/net/ssl/apple.hpp
+++ b/src/mongo/util/net/ssl/apple.hpp
@@ -89,6 +89,7 @@ struct Context {
     ::SSLProtocol protoMin = kTLSProtocol1;
     ::SSLProtocol protoMax = kTLSProtocol12;
     CFUniquePtr<::CFArrayRef> certs;
+    bool allowInvalidHostnames = false;
 };
 
 } // namespace apple
diff --git a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
index 319061d0aae..7292439779e 100644
--- a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
+++ b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
@@ -124,6 +124,9 @@ engine::engine(context::native_handle_type context, const std::string& remoteHos
         }
         _protoMin = context->protoMin;
         _protoMax = context->protoMax;
+        if (context->allowInvalidHostnames) {
+            _remoteHostName.clear();
+        }
     } else {
         apple::Context def;
         _protoMin = def.protoMin;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 6191b201cf6..885052d8537 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1197,6 +1197,9 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
 Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
                                        const SSLParams& params,
                                        ConnectionDirection direction) {
+    // Options.
+    context->allowInvalidHostnames = _allowInvalidHostnames;
+
     // Protocol Version.
     const auto swProto = parseProtocolRange(params);
     if (!swProto.isOK()) {
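Review bot: `allowInvalidHostnames` is a security-relevant switch added to `Context` without a comment, so a reader of the header cannot tell what it disables or who sets it. The other hunks in this commit show it being copied from `SSLManagerApple::_allowInvalidHostnames` in `initSSLContext` and, in the engine constructor, causing `_remoteHostName` to be cleared, which presumably is what suppresses the peer-name check. A one-line comment would capture that: `// When true the engine drops the expected peer name, so hostname mismatches are not reported (set from SSLManagerApple::_allowInvalidHostnames).`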
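Review bot: Clearing `_remoteHostName` makes "no hostname was supplied" and "a hostname was supplied but verification is disabled" indistinguishable for the rest of the engine, and the intended peer name is lost for any later diagnostics. Nothing at this point records that the check was deliberately skipped, so a permitted mismatch leaves no trace unless a caller logs it. Consider a comment such as `// Dropping the peer name disables Secure Transport's hostname check; the manager's allowInvalidHostnames option requests exactly that.` and, if a log sink is reachable from the engine, a single warning when the name is dropped. The constructor `engine::engine` begins before this hunk and continues after it.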
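Review bot: The comment `// Options.` says nothing about why the flag is forwarded, and this line is the only place that links the manager's setting to the engine's behaviour. Suggest `// Hostname verification happens inside the engine; tell it whether mismatches are tolerated.` in its place. Whether the forwarding should depend on `direction` cannot be judged from the hunk; if the engine applies the peer name only to outgoing connections, forwarding it for incoming ones is harmless. `initSSLContext` continues past the end of the hunk.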
@@ -1367,9 +1370,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
     auto result = ::kSecTrustResultInvalid;
     uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result), ErrorCodes::SSLHandshakeFailed);
     if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {
-        const bool proceed = _allowInvalidCertificates ||
-            (_allowInvalidHostnames && (result == ::kSecTrustResultRecoverableTrustFailure));
-        return badCert(explainTrustFailure(cftrust.get(), result), proceed);
+        return badCert(explainTrustFailure(cftrust.get(), result), _allowInvalidCertificates);
     }
 
     auto cert = ::SecTrustGetCertificateAtIndex(cftrust.get(), 0); |
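Review bot: The removed branch let `_allowInvalidHostnames` accept any `kSecTrustResultRecoverableTrustFailure`, a category broader than a hostname mismatch, and the new line correctly gates on `_allowInvalidCertificates` alone; but nothing here tells the reader that hostname mismatches now never reach this point because `initSSLContext` hands the flag to the engine, which drops the peer name. Suggest a comment before the `return`: `// Hostname mismatches are handled in the engine (allowInvalidHostnames); only certificate trust failures arrive here.` One consequence worth weighing is that a tolerated mismatch previously still passed through `badCert` and so was presumably visible in whatever that reports, whereas now it is silent; if the OpenSSL manager warns in that case, parity would need a log line where the name is dropped. `parseAndValidatePeerCertificate` starts before this hunk and continues after it.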