author | Sara Golemon <sara.golemon@mongodb.com> | 2020-04-10 14:02:35 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-04-13 21:44:42 +0000 |
commit | ca6f181a96dcb51c159d53062866c31bb62a1b53 (patch) | |
tree | feb45d7a457b17db21be7d38cacef89cb6ae0361 | |
parent | c0c63ceadc49b95470b1dc0f725f0dca91e86200 (diff) | |
SERVER-43739 Always send SNI regardless of allowInvalidHost and setup proper policy for validation
-rw-r--r-- | src/mongo/util/net/ssl/apple.hpp | 1 | ||||
-rw-r--r-- | src/mongo/util/net/ssl/detail/impl/engine_apple.ipp | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 37 |
3 files changed, 22 insertions, 19 deletions
diff --git a/src/mongo/util/net/ssl/apple.hpp b/src/mongo/util/net/ssl/apple.hpp
index 62ac86466bb..c7d28025f1e 100644
--- a/src/mongo/util/net/ssl/apple.hpp
+++ b/src/mongo/util/net/ssl/apple.hpp
@@ -88,7 +88,6 @@ struct Context {
 ::SSLProtocol protoMin = kTLSProtocol1;
 ::SSLProtocol protoMax = kTLSProtocol12;
 CFUniquePtr<::CFArrayRef> certs;
- bool allowInvalidHostnames = false;
 };
 
 } // namespace apple
diff --git a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
index b0d22696a35..c88c0c756f3 100644
--- a/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
+++ b/src/mongo/util/net/ssl/detail/impl/engine_apple.ipp
@@ -131,9 +131,6 @@ engine::engine(context::native_handle_type context, const std::string& remoteHos
 }
 _protoMin = context->protoMin;
 _protoMax = context->protoMax;
- if (context->allowInvalidHostnames) {
- _remoteHostName.clear();
- }
 } else {
 apple::Context def;
 _protoMin = def.protoMin;
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index d2c75beb3f8..31740d4e4a4 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1192,6 +1192,26 @@ private:
 CFUniquePtr<::SSLContextRef> _ssl;
 };
 
+CFUniquePtr<::CFArrayRef> CreateSecTrustPolicies(const std::string& remoteHost,
+ bool allowInvalidCertificates) {
+ CFUniquePtr<::CFMutableArrayRef> policiesMutable(
+ ::CFArrayCreateMutable(nullptr, 2, &::kCFTypeArrayCallBacks));
+
+ // Basic X509 policy.
+ CFUniquePtr<::SecPolicyRef> cfX509Policy(::SecPolicyCreateBasicX509());
+ ::CFArrayAppendValue(policiesMutable.get(), cfX509Policy.get());
+
+ // Set Revocation policy.
+ auto policy = ::kSecRevocationNetworkAccessDisabled;
+ if (tlsOCSPEnabled && !remoteHost.empty() && !allowInvalidCertificates) {
+ policy = ::kSecRevocationOCSPMethod;
+ }
+ CFUniquePtr<::SecPolicyRef> cfRevPolicy(::SecPolicyCreateRevocation(policy));
+ ::CFArrayAppendValue(policiesMutable.get(), cfRevPolicy.get());
+
+ return CFUniquePtr<::CFArrayRef>(policiesMutable.release());
+}
+
 } // namespace
 
 /////////////////////////////////////////////////////////////////////////////
@@ -1341,9 +1361,6 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
 Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
 const SSLParams& params,
 ConnectionDirection direction) {
- // Options.
- context->allowInvalidHostnames = _allowInvalidHostnames;
-
 // Protocol Version.
 const auto swProto = parseProtocolRange(params);
 if (!swProto.isOK()) {
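Review bot: `CreateSecTrustPolicies` has no header comment stating that the array it returns becomes the trust's complete policy set: the caller in parseAndValidatePeerCertificate hands it to `::SecTrustSetPolicies`, which replaces rather than extends the policies already attached to the trust, whereas the code this commit removes appended the revocation policy to the copy obtained from `::SecTrustCopyPolicies`. A reader should not have to infer from the call site that basic X.509 validation plus one revocation policy is now everything the evaluation checks, or that hostname matching is presumably handled elsewhere in parseAndValidatePeerCertificate (the `ipv6` flag above the call suggests so, but that code is outside the hunk). I would put a comment above the function along the lines of `// Builds the complete policy set for SecTrustEvaluate: basic X.509 validation plus a revocation policy that uses OCSP over the network only when OCSP is enabled, a remote host is known and invalid certificates are not allowed. SecTrustSetPolicies replaces any existing policies, so nothing else is evaluated by the trust.` The PascalCase name also departs from the lowerCamel functions in this file (`parseProtocolRange`, `uassertOSStatusOK`); `createSecTrustPolicies` would match.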
@@ -1530,18 +1547,8 @@ Future<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
 ipv6 = true;
 }
 
- if (tlsOCSPEnabled && !remoteHost.empty() && !_allowInvalidCertificates) {
- CFArrayRef policies = nullptr;
- ::SecTrustCopyPolicies(cftrust.get(), &policies);
- CFUniquePtr<::CFArrayRef> cfpolicies(policies);
-
- CFUniquePtr<::CFMutableArrayRef> policiesMutable(
- ::CFArrayCreateMutableCopy(NULL, 0, policies));
- CFUniquePtr<::SecPolicyRef> cfRevPolicy(
- ::SecPolicyCreateRevocation(kSecRevocationOCSPMethod));
- ::CFArrayAppendValue(policiesMutable.get(), cfRevPolicy.get());
- ::SecTrustSetPolicies(cftrust.get(), policiesMutable.get());
- }
+ ::SecTrustSetPolicies(cftrust.get(),
+ CreateSecTrustPolicies(remoteHost, _allowInvalidCertificates).get());
 auto result = ::kSecTrustResultInvalid;
 uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result),
 ErrorCodes::SSLHandshakeFailed);
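Review bot: The `OSStatus` returned by `::SecTrustSetPolicies` on the added lines is discarded, so if installing the policies fails the `::SecTrustEvaluate` two lines later runs against whatever policies the trust already carried and the failure is never surfaced. The evaluate call right below is wrapped in `uassertOSStatusOK`, and the new call should be too: `uassertOSStatusOK(::SecTrustSetPolicies(cftrust.get(), CreateSecTrustPolicies(remoteHost, _allowInvalidCertificates).get()), ErrorCodes::SSLHandshakeFailed);`. The removed block ignored the status as well, but it only ran under the OCSP condition, whereas the new call is unconditional on every handshake and now carries the whole policy set. parseAndValidatePeerCertificate starts and ends outside the hunk.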