- Type: Improvement
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- None
Our current TLS abstraction does certificate verification as a completely separate step after the TLS handshake.
This is very risky business and resulted in CDRIVER-1154.
The protocol says you should do the certificate (and therefore hostname!) check during the handshake.
This has the added benefit that a failed check will result in a TLS alert, which mongod will log, rather than just a random closed connection.
- is depended on by
  - CDRIVER-1155 Use OpenSSLs hostname verification (Closed)
- is related to
  - CDRIVER-1154 Missing Certificate Verification on reconnect (Closed)