Skip to content
This repository has been archived by the owner on Jan 15, 2024. It is now read-only.

connection: SSL connections doesn't do hostname verification of the server its connecting to #357

Open
skepticfx opened this issue Mar 9, 2015 · 4 comments
Open

connection: SSL connections doesn't do hostname verification of the server its connecting to #357

skepticfx opened this issue Mar 9, 2015 · 4 comments

Comments

@skepticfx
Copy link

The latest version of Mongoid, doesn't seem to do hostname validation on the SSL connections. This opens the SSL connections to man in the middle attacks, thus making the SSL feature almost futile.

The Ruby driver does this and provides options to do so, by taking the option called ssl_verify and ssl_ca_cert which seems to be completely missing in Mongoid 4.x

Is there any way to get this working and do proper hostname validation of the servers?
@buth
Copy link

buth commented Mar 9, 2015

+1.

@skepticfx
Copy link
Author

Apparently this commit: dc21475 had the options necessary to do proper hostname validation and for some reason its been removed now.

@chrisckchang
Copy link

+1

@thijsc
Copy link
Contributor

thijsc commented May 1, 2015

I have a pull request open for this: https://github.com/mongoid/moped/pull/309/files

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@thijsc @skepticfx @buth @chrisckchang