Open skepticfx opened 9 years ago
+1.
Apparently this commit: https://github.com/mongoid/moped/commit/dc21475820ff148fb42963752db0bfa6a23f5e1e had the options necessary to do proper hostname validation and for some reason its been removed now.
+1
I have a pull request open for this: https://github.com/mongoid/moped/pull/309/files
The latest version of Mongoid, doesn't seem to do hostname validation on the SSL connections. This opens the SSL connections to man in the middle attacks, thus making the SSL feature almost futile.
The Ruby driver does this and provides options to do so, by taking the option called
ssl_verify
andssl_ca_cert
which seems to be completely missing in Mongoid 4.xIs there any way to get this working and do proper hostname validation of the servers?