author | Sara Golemon <sara.golemon@mongodb.com> | 2020-04-10 14:02:35 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2021-01-12 17:51:11 +0000 |
commit | 425a5ff8f6a4566aa17a2b25875a1cb12037c797 (patch) | |
tree | 550f7841ccbb77b63eef5a5565913c8e2eafa440 | |
parent | d2b91684f767aa151585e7cc79bc35312acc12d7 (diff) | |
SERVER-43739 Always send SNI regardless of allowInvalidHost and setup proper policy for validation
(cherry picked from commit ca6f181a96dcb51c159d53062866c31bb62a1b53)
-rw-r--r-- | src/mongo/util/net/ssl/apple.hpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl/detail/impl/engine_apple.ipp | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 23 |
3 files changed, 20 insertions, 7 deletions
diff --git a/src/mongo/util/net/ssl/apple.hpp b/src/mongo/util/net/ssl/apple.hpp
index 5e213380c1b..62784e85ed2 100644
--- a/src/mongo/util/net/ssl/apple.hpp
+++ b/src/mongo/util/net/ssl/apple.hpp
@@ -91,7 +91,6 @@ struct Context {
 ::SSLProtocol protoMin = kTLSProtocol1;
 ::SSLProtocol protoMax = kTLSProtocol12;
 CFUniquePtr<::CFArrayRef> certs;
- bool allowInvalidHostnames = false;
 };
 
 } // namespace apple
diff --git a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
index 154f08707aa..ad285e3d600 100644
--- a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
+++ b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
@@ -129,9 +129,6 @@ engine::engine(context::native_handle_type context, const std::string& remoteHos
 }
 _protoMin = context->protoMin;
 _protoMax = context->protoMax;
- if (context->allowInvalidHostnames) {
- _remoteHostName.clear();
- }
 } else {
 apple::Context def;
 _protoMin = def.protoMin;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 5e7a3933211..ba4309155aa 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1194,6 +1194,23 @@ private:
 CFUniquePtr<::SSLContextRef> _ssl;
 };
 
+CFUniquePtr<::CFArrayRef> CreateSecTrustPolicies(const std::string& remoteHost,
+ bool allowInvalidCertificates) {
+ CFUniquePtr<::CFMutableArrayRef> policiesMutable(
+ ::CFArrayCreateMutable(nullptr, 2, &::kCFTypeArrayCallBacks));
+
+ // Basic X509 policy.
+ CFUniquePtr<::SecPolicyRef> cfX509Policy(::SecPolicyCreateBasicX509());
+ ::CFArrayAppendValue(policiesMutable.get(), cfX509Policy.get());
+
+ // Set Revocation policy.
+ auto policy = ::kSecRevocationNetworkAccessDisabled;
+ CFUniquePtr<::SecPolicyRef> cfRevPolicy(::SecPolicyCreateRevocation(policy));
+ ::CFArrayAppendValue(policiesMutable.get(), cfRevPolicy.get());
+
+ return CFUniquePtr<::CFArrayRef>(policiesMutable.release());
+}
+
 } // namespace
 
 /////////////////////////////////////////////////////////////////////////////
@@ -1340,9 +1357,6 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
 Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
 const SSLParams& params,
 ConnectionDirection direction) {
- // Options.
- context->allowInvalidHostnames = _allowInvalidHostnames;
-
 // Protocol Version.
 const auto swProto = parseProtocolRange(params);
 if (!swProto.isOK()) {
@@ -1517,6 +1531,9 @@ StatusWith<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
 ipv6 = true;
 }
 
+ ::SecTrustSetPolicies(cftrust.get(),
+ CreateSecTrustPolicies(remoteHost, _allowInvalidCertificates).get());
+
 auto result = ::kSecTrustResultInvalid;
 uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result),
 ErrorCodes::SSLHandshakeFailed);
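Review bot: `CreateSecTrustPolicies` declares `remoteHost` and `allowInvalidCertificates` but its body never reads either; the returned array is always the basic X509 policy plus a revocation policy, so the signature suggests host-aware or leniency-aware policy selection that does not take place. Either drop the two parameters or, if they are reserved for a follow-up, mark them `[[maybe_unused]]` and say so in a comment above the function. The revocation line also needs a why-comment, e.g. `// Revocation is evaluated only from locally available data; network fetches are disabled.` — I am inferring that effect from the name kSecRevocationNetworkAccessDisabled, so confirm it against the Security framework documentation before committing the wording. Since the commit title speaks of host validation, it is worth stating next to the policy list that neither policy examines the host name; presumably that check is left to SecureTransport via the peer domain name the engine still carries after the engine_apple.ipp change, but that is not visible in this hunk.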
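Review bot: The OSStatus returned by `::SecTrustSetPolicies` in the parseAndValidatePeerCertificate hunk is discarded, whereas `::SecTrustEvaluate` two lines below is wrapped in `uassertOSStatusOK`; if installing the policies fails, evaluation proceeds against whatever policies the trust object already held and the result is reported as if the intended policies had applied. Wrap it the same way for consistency and fail-closed behaviour: `uassertOSStatusOK(::SecTrustSetPolicies(cftrust.get(), CreateSecTrustPolicies(remoteHost, _allowInvalidCertificates).get()), ErrorCodes::SSLHandshakeFailed);`. The enclosing `parseAndValidatePeerCertificate` starts and ends outside the hunk.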