Core Server / SERVER-95445

SSLManagerOpenSSL should validate entire cert chain against CRL, not just the leaf

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 5.0 Required, 8.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Server Security
    • Fully Compatible
    • v8.0, v7.0, v6.0, v5.0
    • Security 2024-10-14, Security 2024-10-28, Security 2024-11-11

      When setting up CRLs, SSLManagerOpenSSL only sets the X509_V_FLAG_CRL_CHECK flag, which only "enables CRL checking for the certificate chain leaf certificate" (quoting the OpenSSL X509_VERIFY_PARAM_set_flags documentation).

      Consequently, a peer certificate chain containing an intermediate issuer that has been revoked may still succeed in establishing an SSL connection. We should also set the X509_V_FLAG_CRL_CHECK_ALL flag to enable CRL checking for the entire certificate chain.
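      As an added illustration (not code from this ticket or from the MongoDB server), the leaf-only versus full-chain choice expressed with Python's ssl module, whose VERIFY_CRL_CHECK_LEAF and VERIFY_CRL_CHECK_CHAIN are defined directly on top of the two OpenSSL flags named above. The helper names and the optional file parameters are assumptions of this example.

```python
"""Leaf-only vs. full-chain CRL checking, using Python's ssl module.

CPython defines these constants from the OpenSSL verify flags:
  ssl.VERIFY_CRL_CHECK_LEAF  == X509_V_FLAG_CRL_CHECK
  ssl.VERIFY_CRL_CHECK_CHAIN == X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL
X509_V_FLAG_CRL_CHECK_ALL is only meaningful together with X509_V_FLAG_CRL_CHECK,
which is why the fix is to add the flag rather than replace the existing one.
"""
import ssl
from typing import Optional


def build_context(crl_full_chain: bool, cafile: Optional[str] = None,
                  crl_file: Optional[str] = None) -> ssl.SSLContext:
    """Client context with CRL checking enabled.

    crl_full_chain=False reproduces the leaf-only behaviour the ticket
    describes; True is the corrected configuration. File paths are optional
    (assumed placeholders) so the function can be exercised without PEM files.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if crl_file:
        # CRLs are loaded through the same call as CA certificates.
        ctx.load_verify_locations(cafile=crl_file)
    if crl_full_chain:
        # Every CA in the chain now needs a CRL from its issuer loaded;
        # otherwise the handshake fails with "unable to get certificate CRL".
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    else:
        # Bug the ticket describes: a revoked intermediate is never checked.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def crl_check_scope(ctx: ssl.SSLContext) -> str:
    """Return which peer certificates are checked against loaded CRLs:
    'none', 'leaf' (X509_V_FLAG_CRL_CHECK only) or 'chain' (both flags)."""
    flags = ctx.verify_flags
    if (flags & ssl.VERIFY_CRL_CHECK_CHAIN) == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "none"


def flag_values() -> tuple:
    """The raw OpenSSL bit values behind the two Python constants."""
    return (int(ssl.VERIFY_CRL_CHECK_LEAF), int(ssl.VERIFY_CRL_CHECK_CHAIN))
```

      Auditing an existing context with crl_check_scope() is a quick way to confirm that a deployment is not still running with the leaf-only setting.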

            Assignee: Erwin Pe (erwin.pe@mongodb.com)
            Reporter: Erwin Pe (erwin.pe@mongodb.com)
            Votes: 0
            Watchers: 1
