authorAndreas Nilsson <andreas.nilsson@10gen.com>2014-04-17 17:58:05 -0400
committerDan Pasette <dan@mongodb.com>2014-05-24 20:04:08 -0400
commit28f06d9343c06e7f2ac46e98bf264f5f9aab8b7f (patch)
tree6d379fae29eee0aaeb899b3a7aa0644e35e1e6a9
parent213700b3af4d53ce7e808dce2c638d98fc4f91db (diff)
downloadmongo-28f06d9343c06e7f2ac46e98bf264f5f9aab8b7f.tar.gz
SERVER-13612 Send list of allowed SSL CAs to clients
(cherry picked from commit 1be16d8968c6bf39f01c4b3e98f854571a337823)
-rw-r--r--src/mongo/util/net/ssl_manager.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index cf904dcceb1..2fc34c164cc 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -634,6 +634,15 @@ namespace mongo {
}
bool SSLManager::_setupCA(SSL_CTX* context, const std::string& caFile) {
+ // Set the list of CAs sent to clients
+ STACK_OF (X509_NAME) * certNames = SSL_load_client_CA_file(caFile.c_str());
+ if (certNames == NULL) {
+ error() << "cannot read certificate authority file: " << caFile << " " <<
+ getSSLErrorMessage(ERR_get_error()) << endl;
+ return false;
+ }
+ SSL_CTX_set_client_CA_list(context, certNames);
+
// Load trusted CA
if (SSL_CTX_load_verify_locations(context, caFile.c_str(), NULL) != 1) {
error() << "cannot read certificate authority file: " << caFile << " " <<
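Review bot: The added block hands `certNames` to `SSL_CTX_set_client_CA_list`, which takes ownership of the stack, but nothing in the code says so; a comment such as `// context now owns certNames; do not free it here` would keep a later cleanup from introducing a double free. The new failure branch also logs the same "cannot read certificate authority file" text as the existing `SSL_CTX_load_verify_locations` branch just below it, so the log does not show which of the two loads failed; wording the new message as `"cannot load client CA name list from: "` would separate them. The subject names of every CA in `caFile` are now advertised to any peer that reaches the certificate request in the handshake, which is expected TLS behaviour but worth stating in the `// Set the list of CAs sent to clients` comment so operators know the file's contents are not private. `_setupCA` continues past the end of the hunk, so the rest of its error handling is not visible here.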