
connection: SSL connections don't do hostname verification of the server they're connecting to

Open skepticfx opened this issue 10 years ago • 4 comments

The latest version of Mongoid doesn't seem to do hostname validation on the SSL connections. This opens the SSL connections to man-in-the-middle attacks, thus making the SSL feature almost futile.

The Ruby driver does this and provides options to do so, by taking the options called ssl_verify and ssl_ca_cert, which seem to be completely missing in Mongoid 4.x.

Is there any way to get this working and do proper hostname validation of the servers?

skepticfx avatar Mar 09 '15 18:03 skepticfx

+1.

buth avatar Mar 09 '15 19:03 buth

Apparently this commit: https://github.com/mongoid/moped/commit/dc21475820ff148fb42963752db0bfa6a23f5e1e had the options necessary to do proper hostname validation, and for some reason it's been removed now.

skepticfx avatar Mar 09 '15 19:03 skepticfx

+1

chrisckchang avatar Mar 16 '15 18:03 chrisckchang

I have a pull request open for this: https://github.com/mongoid/moped/pull/309/files

thijsc avatar May 01 '15 12:05 thijsc
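
The gap this issue describes, shown with Ruby's OpenSSL bindings as an added example (not code from the thread, from Moped, or from the linked pull request): chain validation accepts any certificate the trust store vouches for, and only a separate identity check ties that certificate to the hostname the client meant to reach. The host names, certificates and helper names are constructed for the demonstration.

```ruby
require "openssl"

# Constructed test certificate: self-signed and valid for exactly one DNS name.
def make_cert(dns_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{dns_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{dns_name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Chain validation only: the decision a client makes when it verifies the
# peer certificate against its trust store but never checks the hostname.
def chain_trusted?(cert, store)
  store.verify(cert)
end

# Chain validation plus identity check against subjectAltName/CN. On a live
# socket this is what SSLSocket#post_connection_check(host) performs, or
# SSLContext#verify_hostname = true together with SSLSocket#hostname = host.
def peer_acceptable?(cert, store, expected_host)
  chain_trusted?(cert, store) &&
    OpenSSL::SSL.verify_certificate_identity(cert, expected_host)
end

# Constructed scenario: the client wants EXPECTED_HOST, and its trust store
# also vouches for a certificate issued to a different host.
EXPECTED_HOST = "mongo.example.test"
INTENDED = make_cert(EXPECTED_HOST)
OTHER = make_cert("other.example.test")
STORE = OpenSSL::X509::Store.new
STORE.add_cert(INTENDED)
STORE.add_cert(OTHER)

if __FILE__ == $PROGRAM_NAME
  puts "other cert, chain only:      #{chain_trusted?(OTHER, STORE)}"
  puts "other cert, with hostname:   #{peer_acceptable?(OTHER, STORE, EXPECTED_HOST)}"
  puts "intended cert, with hostname: #{peer_acceptable?(INTENDED, STORE, EXPECTED_HOST)}"
end
```

A client that stops at the first check accepts the certificate for `other.example.test` while connecting to `mongo.example.test`; the second check rejects it.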