Feature Request: Validation of Public and Internally-Issued CA Certificates
Connections from Coveo's indexing service to public or internal data sources should be made over fully validated TLS connections. The data source certificate should be checked for: time validity; issuance by a CA that chains up to a root the indexers trust; revocation status (via CRL/OCSP); and a name matching the hostname of the data source. When connecting to a customer data source that is not protected by a publicly trusted CA certificate, the indexing process should raise a user-visible exception stating that it was unable to securely establish the connection. The customer would then be able, on a per-application/data-source basis, to reconfigure the connection properties such that these exceptions are:
Posting the root CA certificate for a given data source should apply only to that application or customer instance, and should not be usable for validating other customers' data source certificates.
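The checks requested above, together with the per-customer scoping of an uploaded root, as an added example (this is not Coveo's code; nothing on this page shows how the indexer is implemented). It uses Go's standard crypto/x509 package, whose Certificate.Verify performs the validity-period, chain and hostname checks but leaves revocation to the caller, so the CRL check is written out explicitly and fails closed when no current issuer-signed CRL is available. The tenant names, hostnames, the TenantTrust type and the serial numbers are assumptions; the CAs, leaf certificates and CRL are generated in-process as constructed test material. OCSP is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil { panic(err) }
	return v
}

// newCA mints a self-signed root for one hypothetical tenant (constructed test material, not a real CA).
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign so the root can also sign the CRL
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueLeaf signs a server certificate for host under ca; the host goes in the SAN list, which the hostname check inspects.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// revoke produces a CRL, signed by ca, that lists one serial number as revoked.
func revoke(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, serial int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(serial), RevocationTime: now}},
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}

// TenantTrust is one customer instance's trust store (uploaded roots plus fetched CRLs); it is never shared.
type TenantTrust struct {
	Roots *x509.CertPool
	CRLs  []*x509.RevocationList
}

// VerifyDataSource checks validity period, chain to a tenant root, hostname, and CRL revocation (failing closed).
func (t *TenantTrust) VerifyDataSource(leaf *x509.Certificate, host string, now time.Time) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: t.Roots, DNSName: host, CurrentTime: now})
	if err != nil {
		return err // expired or not yet valid, untrusted issuer, or hostname mismatch
	}
	issuer, checked := chains[0][1], false
	for _, crl := range t.CRLs {
		if crl.CheckSignatureFrom(issuer) != nil || now.After(crl.NextUpdate) { // only this issuer's current CRL counts
			continue
		}
		checked = true
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return errors.New("x509: certificate revoked by issuer CRL")
			}
		}
	}
	if !checked {
		return errors.New("x509: no current CRL for issuer, revocation status unknown")
	}
	return nil
}

// Demo builds stores for two hypothetical tenants and tries each case against tenant A's; nil means accepted.
func Demo() map[string]error {
	now := time.Now()
	caA, keyA := newCA("Tenant A internal root", now)
	caB, keyB := newCA("Tenant B internal root", now)
	good := issueLeaf(caA, keyA, "sharepoint.a.example", 10, now.Add(-time.Hour), now.Add(24*time.Hour))
	expired := issueLeaf(caA, keyA, "jira.a.example", 11, now.Add(-48*time.Hour), now.Add(-time.Hour))
	revoked := issueLeaf(caA, keyA, "wiki.a.example", 12, now.Add(-time.Hour), now.Add(24*time.Hour))
	fromB := issueLeaf(caB, keyB, "crm.b.example", 20, now.Add(-time.Hour), now.Add(24*time.Hour))
	tenantA := &TenantTrust{Roots: x509.NewCertPool(), CRLs: []*x509.RevocationList{revoke(caA, keyA, now, 12)}}
	tenantA.Roots.AddCert(caA) // tenant B's root is deliberately never added to tenant A's pool
	return map[string]error{
		"valid":           tenantA.VerifyDataSource(good, "sharepoint.a.example", now),
		"wrong-host":      tenantA.VerifyDataSource(good, "login.a.example", now),
		"expired":         tenantA.VerifyDataSource(expired, "jira.a.example", now),
		"revoked":         tenantA.VerifyDataSource(revoked, "wiki.a.example", now),
		"other-tenant-ca": tenantA.VerifyDataSource(fromB, "crm.b.example", now),
		"no-crl":          (&TenantTrust{Roots: tenantA.Roots}).VerifyDataSource(good, "sharepoint.a.example", now),
	}
}
```

In a real connector the CRL (or an OCSP response) would be fetched from the issuer's distribution point and cached per tenant; the point of keeping the pool and CRL list inside TenantTrust is that a root uploaded by one customer never enters another customer's pool, so the "other-tenant-ca" case fails with an unknown-authority error rather than being accepted.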
I need it...: Yesterday (let's go already)