Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.1.4
Affects Version/s: None
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.0
Sprint:
Security 2018-09-10, Security 2018-09-24, Security 2018-10-08, Security 2018-10-22
Case:

We currently only consider "DNS Name" SANs (Subject Alternate Name) on clients when comparing the intended hostname with the one actually presented.

OpenSSL: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_openssl.cpp#L1364
SecureTransport: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_apple.cpp#L489

These name comparators should attempt to match IP address as well.

Case : If there is an IP address in the SAN field that is flagged with DNS Name instead of IP Address, then allow it and compare as an IP address, but flag the user with a warning upon startup of the console.

has to be done before

SERVER-36669 IP address hostnames are matched against DNS subjectAltNames

Backlog

is duplicated by

SERVER-24591 Support hostname validation with IP addresses in SAN

Closed

is related to

SERVER-24591 Support hostname validation with IP addresses in SAN

Closed

Assignee:: Shreyas Kalyan

Reporter:: Sara Golemon

Participants:: Githook User, Sara Golemon, Shreyas Kalyan

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: Aug 27 2018 09:08:42 PM UTC

Updated:: Oct 29 2023 10:28:36 PM UTC

Resolved:: Oct 08 2018 10:58:22 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates