diff options
Diffstat (limited to 'src/mongo/util/net/ssl_manager_windows.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 39 |
1 files changed, 19 insertions, 20 deletions
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp index 6ae5d567140..bba5b521833 100644 --- a/src/mongo/util/net/ssl_manager_windows.cpp +++ b/src/mongo/util/net/ssl_manager_windows.cpp @@ -272,10 +272,11 @@ public: SSLConnectionInterface* accept(Socket* socket, const char* initialBytes, int len) final; SSLPeerInfo parseAndValidatePeerCertificateDeprecated(const SSLConnectionInterface* conn, - const std::string& remoteHost) final; + const std::string& remoteHost, + const HostAndPort& hostForLogging) final; StatusWith<boost::optional<SSLPeerInfo>> parseAndValidatePeerCertificate( - PCtxtHandle ssl, const std::string& remoteHost) final; + PCtxtHandle ssl, const std::string& remoteHost, const HostAndPort& hostForLogging) final; const SSLConfiguration& getSSLConfiguration() const final { @@ -1482,11 +1483,14 @@ Status SSLManagerWindows::_validateCertificate(PCCERT_CONTEXT cert, } SSLPeerInfo SSLManagerWindows::parseAndValidatePeerCertificateDeprecated( - const SSLConnectionInterface* conn, const std::string& remoteHost) { + const SSLConnectionInterface* conn, + const std::string& remoteHost, + const HostAndPort& hostForLogging) { auto swPeerSubjectName = parseAndValidatePeerCertificate( const_cast<SSLConnectionWindows*>(static_cast<const SSLConnectionWindows*>(conn)) ->_engine.native_handle(), - remoteHost); + remoteHost, + hostForLogging); // We can't use uassertStatusOK here because we need to throw a SocketException. if (!swPeerSubjectName.isOK()) { throwSocketError(SocketErrorKind::CONNECT_ERROR, swPeerSubjectName.getStatus().reason()); @@ -1657,7 +1661,7 @@ Status validatePeerCertificate(const std::string& remoteHost, return Status::OK(); } -Status recordTLSVersion(PCtxtHandle ssl) { +StatusWith<TLSVersion> mapTLSVersion(PCtxtHandle ssl) { SecPkgContext_ConnectionInfo connInfo; SECURITY_STATUS ss = QueryContextAttributes(ssl, SECPKG_ATTR_CONNECTION_INFO, &connInfo); @@ -1668,37 +1672,32 @@ Status recordTLSVersion(PCtxtHandle ssl) { << ss); } - auto& counts = mongo::TLSVersionCounts::get(getGlobalServiceContext()); switch (connInfo.dwProtocol) { case SP_PROT_TLS1_CLIENT: case SP_PROT_TLS1_SERVER: - counts.tls10.addAndFetch(1); - break; + return TLSVersion::kTLS10; case SP_PROT_TLS1_1_CLIENT: case SP_PROT_TLS1_1_SERVER: - counts.tls11.addAndFetch(1); - break; + return TLSVersion::kTLS11; case SP_PROT_TLS1_2_CLIENT: case SP_PROT_TLS1_2_SERVER: - counts.tls12.addAndFetch(1); - break; + return TLSVersion::kTLS12; default: - // Do nothing - break; + return TLSVersion::kUnknown; } - - return Status::OK(); } StatusWith<boost::optional<SSLPeerInfo>> SSLManagerWindows::parseAndValidatePeerCertificate( - PCtxtHandle ssl, const std::string& remoteHost) { + PCtxtHandle ssl, const std::string& remoteHost, const HostAndPort& hostForLogging) { PCCERT_CONTEXT cert; - auto countStatus = recordTLSVersion(ssl); - if (!countStatus.isOK()) { - return countStatus; + auto tlsVersionStatus = mapTLSVersion(ssl); + if (!tlsVersionStatus.isOK()) { + return tlsVersionStatus.getStatus(); } + recordTLSVersion(tlsVersionStatus.getValue(), hostForLogging); + if (!_sslConfiguration.hasCA && isSSLServer) return {boost::none}; |