Skip to content

Commit 52ddf6e

Browse files
sgolemon-corpsgolemon-corp
committed
SERVER-36942 Differentiate invalid hostname from invalid certificate
1 parent a651f84 commit 52ddf6e

File tree

3 files changed

+8
-3
lines changed

3 files changed

+8
-3
lines changed

src/mongo/util/net/ssl/apple.hpp

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -89,6 +89,7 @@ struct Context {
8989
::SSLProtocol protoMin = kTLSProtocol1;
9090
::SSLProtocol protoMax = kTLSProtocol12;
9191
CFUniquePtr<::CFArrayRef> certs;
92+
bool allowInvalidHostnames = false;
9293
};
9394

9495
} // namespace apple

src/mongo/util/net/ssl/detail/impl/engine_apple.ipp

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -124,6 +124,9 @@ engine::engine(context::native_handle_type context, const std::string& remoteHos
124124
}
125125
_protoMin = context->protoMin;
126126
_protoMax = context->protoMax;
127+
if (context->allowInvalidHostnames) {
128+
_remoteHostName.clear();
129+
}
127130
} else {
128131
apple::Context def;
129132
_protoMin = def.protoMin;

src/mongo/util/net/ssl_manager_apple.cpp

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1197,6 +1197,9 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
11971197
Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
11981198
const SSLParams& params,
11991199
ConnectionDirection direction) {
1200+
// Options.
1201+
context->allowInvalidHostnames = _allowInvalidHostnames;
1202+
12001203
// Protocol Version.
12011204
const auto swProto = parseProtocolRange(params);
12021205
if (!swProto.isOK()) {
@@ -1367,9 +1370,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
13671370
auto result = ::kSecTrustResultInvalid;
13681371
uassertOSStatusOK(::SecTrustEvaluate(cftrust.get(), &result), ErrorCodes::SSLHandshakeFailed);
13691372
if ((result != ::kSecTrustResultProceed) && (result != ::kSecTrustResultUnspecified)) {
1370-
const bool proceed = _allowInvalidCertificates ||
1371-
(_allowInvalidHostnames && (result == ::kSecTrustResultRecoverableTrustFailure));
1372-
return badCert(explainTrustFailure(cftrust.get(), result), proceed);
1373+
return badCert(explainTrustFailure(cftrust.get(), result), _allowInvalidCertificates);
13731374
}
13741375

13751376
auto cert = ::SecTrustGetCertificateAtIndex(cftrust.get(), 0);

0 commit comments

Comments
 (0)