summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorSpencer Jackson <spencer.jackson@mongodb.com>2020-09-08 20:37:41 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-10-14 21:36:07 +0000
commitd881b2b32dda7389e99efd40e4a96e34de082281 (patch)
treeda5f84524af61dd43fcfd0cbc44cb98b9eb3ca2d /src
parent8ec2a851c8fb250ad69f020313633b0cf68346e4 (diff)
downloadmongo-d881b2b32dda7389e99efd40e4a96e34de082281.tar.gz
SERVER-50736 Make OpenSSL explicitly accept SNIs
(cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014) (cherry picked from commit 8351c3e077e7578e7a9a2b20399829df0238cc3f) (cherry picked from commit 9e252edecf6d934bbce6ae39638fc066f37120e6) (cherry picked from commit ae595c7a7845271b88f6969dd2100435cdc760b7)
Diffstat (limited to 'src')
-rw-r--r--src/mongo/util/net/ssl_manager.cpp14
1 files changed, 14 insertions, 0 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index e28a1355ebb..2810284e75e 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -582,6 +582,7 @@ private:
* Callbacks for SSL functions.
*/
static int password_cb(char* buf, int num, int rwflag, void* userdata);
+ static int servername_cb(SSL* s, int* al, void* arg);
static int verify_cb(int ok, X509_STORE_CTX* ctx);
};
@@ -946,6 +947,12 @@ int SSLManager::password_cb(char* buf, int num, int rwflag, void* userdata) {
return copied;
}
+int SSLManager::servername_cb(SSL* s, int* al, void* arg) {
+ // Unconditionally accept the SNI presented by the client. This will ensure that if the client
+ // later performs session resumption, subsequent connections will still have access to the SNI.
+ return SSL_TLSEXT_ERR_OK;
+}
+
int SSLManager::verify_cb(int ok, X509_STORE_CTX* ctx) {
return 1; // always succeed; we will catch the error in our get_verify_result() call
}
@@ -1047,6 +1054,13 @@ Status SSLManager::initSSLContext(SSL_CTX* context,
<< getSSLErrorMessage(ERR_get_error()));
}
+ // We should accept all SNI extensions advertised by clients
+ if (1 != SSL_CTX_set_tlsext_servername_callback(context, &SSLManager::servername_cb)) {
+ return Status(ErrorCodes::InvalidSSLConfiguration,
+ str::stream() << "Can not set servername callback: "
+ << getSSLErrorMessage(ERR_get_error()));
+ }
+
if (direction == ConnectionDirection::kOutgoing && params.tlsWithholdClientCertificate) {
// Do not send a client certificate if they have been suppressed.