Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-43739

SNI name is not set on OSX if allowInvalidHostnames is enabled

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.4.0-rc2, 4.7.0, 4.2.12
    • Affects Version/s: None
    • Component/s: None
    • None
    • Minor Change
    • ALL
    • v4.4, v4.2
    • Hide
      ./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem --tlsAllowInvalidHostnames local.10gen.cc
      

      ./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem local.10gen.cc
      

      Show
      ./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem --tlsAllowInvalidHostnames local.10gen.cc ./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem local.10gen.cc
    • Security 2020-04-06, Security 2020-04-20

      Because of the way Apple's TLS library works, we have no direct way of manually setting or disabling the TLS SNI extension separately from the PeerDomainName in our usage of SSLSetPeerDomainName.

      Because of this, Apple's TLS library will naively advertise an IP address as an SNI name if it is provided as the PeerDomainName. This is against the TLS spec per RFC 6066, Section 3. We removed the advertisement of IP addresses in the SNI extension in SERVER-42287 and SERVER-43234.

      However, when allowInvalidHostnames is enabled, the PeerDomainName is cleared, and SNI is not advertised, which causes test failure and potentially confusion for anything that needs to use the SNI for whatever reason.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            adam.cooper@mongodb.com Adam Cooper (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: