connection: SSL connections doesn't do hostname verification of the server its connecting to #357

skepticfx · 2015-03-09T18:57:31Z

The latest version of Mongoid, doesn't seem to do hostname validation on the SSL connections. This opens the SSL connections to man in the middle attacks, thus making the SSL feature almost futile.

The Ruby driver does this and provides options to do so, by taking the option called ssl_verify and ssl_ca_cert which seems to be completely missing in Mongoid 4.x

Is there any way to get this working and do proper hostname validation of the servers?

The text was updated successfully, but these errors were encountered:

buth · 2015-03-09T19:00:26Z

+1.

skepticfx · 2015-03-09T19:17:15Z

Apparently this commit: dc21475 had the options necessary to do proper hostname validation and for some reason its been removed now.

chrisckchang · 2015-03-16T18:29:20Z

+1

thijsc · 2015-05-01T12:54:01Z

I have a pull request open for this: https:/mongoid/moped/pull/309/files

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

connection: SSL connections doesn't do hostname verification of the server its connecting to #357

connection: SSL connections doesn't do hostname verification of the server its connecting to #357

skepticfx commented Mar 9, 2015

buth commented Mar 9, 2015

skepticfx commented Mar 9, 2015

chrisckchang commented Mar 16, 2015

thijsc commented May 1, 2015

connection: SSL connections doesn't do hostname verification of the server its connecting to #357

connection: SSL connections doesn't do hostname verification of the server its connecting to #357

Comments

skepticfx commented Mar 9, 2015

buth commented Mar 9, 2015

skepticfx commented Mar 9, 2015

chrisckchang commented Mar 16, 2015

thijsc commented May 1, 2015