mongoid / moped

A MongoDB driver for Ruby
https://mongoid.github.io/old/en/moped/
MIT License
201 stars 153 forks

connection: SSL connections don't do hostname verification of the server it's connecting to #357

Open skepticfx opened 9 years ago

skepticfx commented 9 years ago

The latest version of Mongoid doesn't seem to do hostname validation on the SSL connections. This opens the SSL connections to man-in-the-middle attacks, thus making the SSL feature almost futile.

The Ruby driver does this and provides options to do so, by taking the options called ssl_verify and ssl_ca_cert, which seem to be completely missing in Mongoid 4.x.

Is there any way to get this working and do proper hostname validation of the servers?

buth commented 9 years ago

+1.

skepticfx commented 9 years ago

Apparently this commit: https://github.com/mongoid/moped/commit/dc21475820ff148fb42963752db0bfa6a23f5e1e had the options necessary to do proper hostname validation and for some reason it's been removed now.

chrisckchang commented 9 years ago

+1

thijsc commented 9 years ago

I have a pull request open for this: https://github.com/mongoid/moped/pull/309/files
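
Added example, not part of the thread and not code from moped or the Ruby driver: using only Ruby's standard `openssl` library, it shows why validating the certificate chain alone does not bind a connection to the intended server, and what the additional hostname check contributes. The host names, certificates and helper names (`build_cert`, `store_with`, `chain_trusted?`, `peer_acceptable?`, `strict_context`) are constructed for illustration.

```ruby
require "openssl"

# Constructed sample: self-signed certificate for a made-up host name.
def build_cert(hostname)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{hostname}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Trust store holding the given certificates as anchors.
def store_with(*certs)
  OpenSSL::X509::Store.new.tap { |s| certs.each { |c| s.add_cert(c) } }
end

# Chain validation only: answers "is this certificate trusted?", not "for whom?".
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Chain validation plus a name match against the host the client dialled.
def peer_acceptable?(cert, store, dialled_host)
  chain_trusted?(cert, store) &&
    OpenSSL::SSL.verify_certificate_identity(cert, dialled_host)
end

# Context settings that make OpenSSL enforce both checks during the handshake.
# The caller must also set `ssl_socket.hostname = host` before `connect`.
def strict_context(store)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = store
  ctx
end
```

A certificate that is trusted by the store but issued for a different host passes `chain_trusted?` and is rejected by `peer_acceptable?`, which is the gap the issue describes.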