diff options
author | Spencer Jackson <spencer.jackson@mongodb.com> | 2020-09-08 20:37:41 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-09-30 18:50:27 +0000 |
commit | ae595c7a7845271b88f6969dd2100435cdc760b7 (patch) | |
tree | fd8a82170f7d47b826b739f27f413835c44e24d3 | |
parent | 341d8030731194ba9ed400fe68ab40700922fdc8 (diff) | |
download | mongo-ae595c7a7845271b88f6969dd2100435cdc760b7.tar.gz |
SERVER-50736 Make OpenSSL explicitly accept SNIs
(cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)
(cherry picked from commit 8351c3e077e7578e7a9a2b20399829df0238cc3f)
(cherry picked from commit 9e252edecf6d934bbce6ae39638fc066f37120e6)
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index 67913363c6b..971a45b8654 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp @@ -522,6 +522,7 @@ private: * Callbacks for SSL functions. */ static int password_cb(char* buf, int num, int rwflag, void* userdata); + static int servername_cb(SSL* s, int* al, void* arg); static int verify_cb(int ok, X509_STORE_CTX* ctx); }; @@ -718,6 +719,12 @@ int SSLManagerOpenSSL::password_cb(char* buf, int num, int rwflag, void* userdat return copied; } +int SSLManagerOpenSSL::servername_cb(SSL* s, int* al, void* arg) { + // Unconditionally accept the SNI presented by the client. This will ensure that if the client + // later performs session resumption, subsequent connections will still have access to the SNI. + return SSL_TLSEXT_ERR_OK; +} + int SSLManagerOpenSSL::verify_cb(int ok, X509_STORE_CTX* ctx) { return 1; // always succeed; we will catch the error in our get_verify_result() call } @@ -806,6 +813,13 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context, << getSSLErrorMessage(ERR_get_error())); } + // We should accept all SNI extensions advertised by clients + if (1 != SSL_CTX_set_tlsext_servername_callback(context, &SSLManagerOpenSSL::servername_cb)) { + return Status(ErrorCodes::InvalidSSLConfiguration, + str::stream() << "Can not set servername callback: " + << getSSLErrorMessage(ERR_get_error())); + } + if (direction == ConnectionDirection::kOutgoing && params.tlsWithholdClientCertificate) { // Do not send a client certificate if they have been suppressed. |