author | Shreyas Kalyan <shreyas.kalyan@10gen.com> | 2020-03-04 10:49:39 -0500 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-03-25 21:03:48 +0000 |
commit | 7eab469f87e860ce9e74918fdd5a23e943eb2673 (patch) | |
tree | 4eca95950e5c8f54283a14548ffc0e98b2bc5bdd /src/mongo/util | |
parent | 93fe9010473c7d8173f8ea323fdff35a21495a8c (diff) | |
download | mongo-7eab469f87e860ce9e74918fdd5a23e943eb2673.tar.gz |
SERVER-46413 Add tests for OCSP on Windows and OSX
Diffstat (limited to 'src/mongo/util')
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 2 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 18 |
2 files changed, 9 insertions, 11 deletions
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index f052a465c62..d2c75beb3f8 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1530,7 +1530,7 @@ Future<SSLPeerInfo> SSLManagerApple::parseAndValidatePeerCertificate(
 ipv6 = true;
 }
- if (tlsOCSPEnabled && !remoteHost.empty()) {
+ if (tlsOCSPEnabled && !remoteHost.empty() && !_allowInvalidCertificates) {
 CFArrayRef policies = nullptr;
 ::SecTrustCopyPolicies(cftrust.get(), &policies);
 CFUniquePtr<::CFArrayRef> cfpolicies(policies);
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index bbeb4c33595..6ab4fc2d485 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -520,9 +520,8 @@ int SSLManagerWindows::SSL_read(SSLConnectionInterface* connInterface, void* buf
 }
 default:
 LOGV2_FATAL(23282,
- "Unexpected ASIO state: {state}",
- "Unexpected ASIO state",
- "state"_attr = static_cast<int>(want));
+ "Unexpected ASIO state: {static_cast_int_want}",
+ "static_cast_int_want"_attr = static_cast<int>(want));
 MONGO_UNREACHABLE;
 }
 }
@@ -1359,9 +1358,9 @@ Status SSLManagerWindows::initSSLContext(SCHANNEL_CRED* cred,
 cred->dwFlags = cred->dwFlags // flags
 | SCH_CRED_REVOCATION_CHECK_CHAIN // Check certificate revocation
 | SCH_CRED_SNI_CREDENTIAL // Pass along SNI creds
- | SCH_CRED_SNI_ENABLE_OCSP // Enable OCSP
 | SCH_CRED_NO_SYSTEM_MAPPER // Do not map certificate to user account
 | SCH_CRED_DISABLE_RECONNECTS; // Do not support reconnects
+
 } else {
 supportedProtocols = SP_PROT_TLS1_CLIENT | SP_PROT_TLS1_0_CLIENT | SP_PROT_TLS1_1_CLIENT |
 SP_PROT_TLS1_2_CLIENT;
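Review bot: With `!_allowInvalidCertificates` added to the condition, the OCSP policy is never attached when invalid certificates are allowed, so revocation status is not consulted at all in that mode, and nothing in the hunk records that this is deliberate rather than an oversight. Since the option already disables certificate validation this is consistent, but a comment above the `if` would keep the next reader from "fixing" it: `// allowInvalidCertificates disables certificate validation, so do not attach an OCSP policy either.` The enclosing parseAndValidatePeerCertificate starts and ends outside the hunk.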
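Review bot: The new attribute key `static_cast_int_want` in the LOGV2_FATAL call names the C++ expression rather than the meaning of the value, which is a point of style for a structured-log field; `state` was the clearer key and still matches the format string. Keeping the single-message form this hunk switches to, the two lines would read `"Unexpected ASIO state: {state}",` followed by `"state"_attr = static_cast<int>(want));`. The key looks like the output of an automated conversion, though that is only a guess from its shape; the switch in SSL_read that contains this `default:` begins outside the hunk.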
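Review bot: `SCH_CRED_SNI_ENABLE_OCSP` is dropped from the flag list of the first (apparently server-side) branch with no explanation in the hunk, and because every remaining flag carries a trailing comment the omission will look accidental to a later reader; a comment next to `SCH_CRED_DISABLE_RECONNECTS;` such as `// SCH_CRED_SNI_ENABLE_OCSP intentionally not set: <reason>` would record the rationale. The added empty line before `} else {` is a whitespace-only change that could be left out. The rest of initSSLContext, including what precedes `cred->dwFlags` and the remainder of the client branch, lies outside the hunk.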
@@ -1371,8 +1370,8 @@ Status SSLManagerWindows::initSSLContext(SCHANNEL_CRED* cred,
 | SCH_CRED_REVOCATION_CHECK_CHAIN // Check certificate revocation
 | SCH_CRED_NO_SERVERNAME_CHECK // Do not validate server name against cert
 | SCH_CRED_NO_DEFAULT_CREDS // No Default Certificate
- | SCH_CRED_MEMORY_STORE_CERT // Read intermediate certificates from memory store
- // associated with client certificate.
+ | SCH_CRED_MEMORY_STORE_CERT // Read intermediate certificates from memory
+ // store associated with client certificate.
 | SCH_CRED_MANUAL_CRED_VALIDATION; // Validate Certificate Manually
 }
@@ -1929,9 +1928,9 @@ Future<SSLPeerInfo> SSLManagerWindows::parseAndValidatePeerCertificate(
 }
 return SSLPeerInfo(sni);
 } else {
- LOGV2_ERROR(23280, "no SSL certificate provided by peer; connection rejected");
- return Status(ErrorCodes::SSLHandshakeFailed,
- "no SSL certificate provided by peer; connection rejected");
+ auto msg = "no SSL certificate provided by peer; connection rejected";
+ LOGV2_ERROR(23280, "{msg}", "msg"_attr = msg);
+ return Status(ErrorCodes::SSLHandshakeFailed, msg);
 }
 }
@@ -1975,7 +1974,6 @@ Future<SSLPeerInfo> SSLManagerWindows::parseAndValidatePeerCertificate(
 LOGV2_DEBUG(23270,
 2,
 "Accepted TLS connection from peer: {peerSubjectName}",
- "Accepted TLS connection from peer",
 "peerSubjectName"_attr = peerSubjectName);
 // If this is a server and client and server certificate are the same, log a warning. |
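Review bot: In the `else` branch the LOGV2_ERROR format string becomes just `"{msg}"`, so the static message text for log id 23280 now lives only in an attribute; anything that groups or filters log lines by their message template would presumably see `{msg}` instead of the wording. If the aim is to avoid repeating the literal, keep it in the log call and reuse `msg` only for the Status: `LOGV2_ERROR(23280, "no SSL certificate provided by peer; connection rejected");` followed by `return Status(ErrorCodes::SSLHandshakeFailed, msg);`. `auto msg` also deduces `const char*`; `constexpr auto msg = ...` would make the intent plain. The enclosing parseAndValidatePeerCertificate begins and ends outside the hunk.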