author | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2018-07-23 16:40:12 -0400 |
---|---|---|
committer | Mark Benvenuto <mark.benvenuto@mongodb.com> | 2018-07-23 16:40:12 -0400 |
commit | 0c532a429d4e6f1d8473b6b4f04bf21f6b6f76cb (patch) | |
tree | 214cfca89749cd5e236a16a8cc9e028623a08394 /src/mongo/util/net/ssl_manager_windows.cpp | |
parent | d9e4d82eb846637063c32fc8e32b337aff208f33 (diff) | |
download | mongo-0c532a429d4e6f1d8473b6b4f04bf21f6b6f76cb.tar.gz |
SERVER-34558 Add server status for transport security protocol versions
Diffstat (limited to 'src/mongo/util/net/ssl_manager_windows.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 44 |
1 files changed, 41 insertions, 3 deletions
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index fd159c7c7e3..c5dcc4c865e 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -436,7 +436,7 @@ StatusWith<UniqueCertChainEngine> initChainEngine(CERT_CHAIN_ENGINE_CONFIG* chai
 << errnoWithDescription(gle));
 }
- return chainEngine;
+ return {chainEngine};
 }
 Status SSLManagerWindows::_initChainEngines(bool hasCAFile) {
@@ -873,8 +873,7 @@ StatusWith<UniqueCertificateWithPrivateKey> readCertPEMFile(StringData fileName,
 << errnoWithDescription(gle));
 }
- return std::move(
- UniqueCertificateWithPrivateKey(std::move(certHolder), std::move(cryptProvider)));
+ return UniqueCertificateWithPrivateKey(std::move(certHolder), std::move(cryptProvider));
 }
 Status readCAPEMFile(HCERTSTORE certStore, StringData fileName) {
@@ -1633,9 +1632,48 @@ Status validatePeerCertificate(const std::string& remoteHost,
 return Status::OK();
 }
+Status recordTLSVersion(PCtxtHandle ssl) {
+ SecPkgContext_ConnectionInfo connInfo;
+
+ SECURITY_STATUS ss = QueryContextAttributes(ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo);
+
+ if (ss != SEC_E_OK) {
+ return Status(ErrorCodes::SSLHandshakeFailed,
+ str::stream() << "QueryContextAttributes for connection info failed with"
+ << ss);
+ }
+
+ auto& counts = mongo::TLSVersionCounts::get(getGlobalServiceContext());
+ switch (connInfo.dwProtocol) {
+ case SP_PROT_TLS1_CLIENT:
+ case SP_PROT_TLS1_SERVER:
+ counts.tls10.addAndFetch(1);
+ break;
+ case SP_PROT_TLS1_1_CLIENT:
+ case SP_PROT_TLS1_1_SERVER:
+ counts.tls11.addAndFetch(1);
+ break;
+ case SP_PROT_TLS1_2_CLIENT:
+ case SP_PROT_TLS1_2_SERVER:
+ counts.tls12.addAndFetch(1);
+ break;
+ default:
+ // Do nothing
+ break;
+ }
+
+ return Status::OK();
+}
+
 StatusWith<boost::optional<SSLPeerInfo>> SSLManagerWindows::parseAndValidatePeerCertificate(
 PCtxtHandle ssl, const std::string& remoteHost) {
 PCCERT_CONTEXT cert;
+
+ auto countStatus = recordTLSVersion(ssl);
+ if (!countStatus.isOK()) {
+ return countStatus;
+ }
+
 if (!_sslConfiguration.hasCA && isSSLServer)
 return {boost::none};
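Review bot: The `default: // Do nothing` branch of the switch in `recordTLSVersion` silently drops every protocol the three cases do not name, so a connection negotiated as SSL 3.0 (`SP_PROT_SSL3_CLIENT`/`SP_PROT_SSL3_SERVER`) or as a TLS version newer than 1.2 would leave the new counters untouched with no log line, and an operator reading serverStatus could not tell that anything was missed; the comment should at least say so, e.g. `// Protocols without a counter (SSL 3.0, any newer TLS version the SDK defines): intentionally not counted`. The error path is also worth a second look: a failed `QueryContextAttributes` for what is only a statistics query now rejects the connection with `ErrorCodes::SSLHandshakeFailed`, and the message lacks a separator before the status value and streams the `SECURITY_STATUS` in decimal, so `str::stream() << "QueryContextAttributes for connection info failed with " << ss` (ideally in hex) would make the diagnostic readable. `recordTLSVersion` has no header comment; a one-liner stating that it increments the per-protocol-version counters surfaced by serverStatus (per the commit title) and is called once per peer-certificate validation, before the no-CA early return, would help the next maintainer. The body of `parseAndValidatePeerCertificate` continues past the end of the hunk.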