-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Minor - P4
-
None
-
Affects Version/s: None
-
Component/s: None
-
Labels:None
Summary
Hostname checking for the commonName of an x509 peer certificate does not does not work on newer versions of macOS.
Environment
C driver 1.20.0.
macOS 11.6.1.
Apple clang version 13.0.0 (clang-1300.0.29.30). Target: x86_64-apple-darwin20.6.0
How to Reproduce
Enable and run the mock server test /TLS/commonName:
$ ./cmake-build/src/libmongoc/test-libmongoc -d --no-fork --match "/TLS/commonName"
Begin /TLS/commonName, seed 2344072251
2021/12/29 15:35:08.0787: [17623431]: ERROR: mongoc: ERRORED (line: 242): TLS handshake failed (Certificate trust failure: Host name mismatch)
2021/12/29 15:35:08.0788: [17623430]: ERROR: mongoc: ERRORED (line: 111): TLS handshake failed: connection closed gracefully (-9805)
FAIL
Assert Failure: 3 == 1
/Users/kevin.albertson/code/mongo-c-driver-4240/src/libmongoc/tests/test-mongoc-stream-tls.c:297 test_mongoc_tls_common_name()
Additional Background
The test asserts that a client is able to match the hostname "commonName.mongodb.org" to the certificate src/libmongoc/tests/x509gen/commonName.pem.
The certificate contains "commonName.mongodb.org" as a Subject CommonName (CN).
$ openssl x509 -text -noout -in ./src/libmongoc/tests/x509gen/commonName.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 496961 (0x79541)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Drivers Testing CA, OU=Drivers, O=MongoDB, L=New York City, ST=New York, C=US
Validity
Not Before: May 22 21:05:15 2019 GMT
Not After : May 22 21:05:15 2039 GMT
Subject: CN=commonName.mongodb.org, OU=Drivers, O=MongoDB, L=New York City, ST=New York, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ad:2f:78:56:7a:71:f8:2f:8b:c2:20:88:c9:f6:
47:e3:9b:b0:0d:b8:84:a8:22:ab:d2:17:d6:3d:59:
49:76:83:90:81:a0:ce:6a:ff:67:6f:14:6f:c7:e0:
a7:b2:26:75:c8:4e:8a:8f:53:58:21:7d:c5:a8:ec:
ce:f5:88:b3:c0:ab:4f:6b:10:aa:14:c8:c3:ce:5d:
47:64:22:7c:2d:36:59:cc:c8:9c:d3:52:b7:f3:01:
9f:69:cb:01:c2:7a:3f:b0:d6:67:f6:38:27:4f:ef:
49:39:ab:03:eb:ce:78:20:0b:39:4f:b7:51:08:51:
ff:9f:15:7e:46:e6:78:b9:e4:d6:21:c7:c7:8d:7c:
c0:66:ff:7e:c2:db:b4:b1:59:90:28:75:74:27:74:
ba:65:d3:ea:a8:36:98:45:d8:4e:0b:24:a1:05:33:
b8:45:b5:16:d6:6c:88:8e:8a:08:aa:ac:bf:c5:c7:
95:4e:65:c6:5b:27:2a:66:3c:83:0e:ba:27:4f:59:
23:ff:2c:7a:ce:7a:ae:74:e7:83:ce:3d:4f:68:47:
67:b2:a7:57:c5:09:48:ec:c5:5d:45:fd:e7:5d:d0:
d7:4e:9c:39:80:f8:6a:c6:a6:1c:e3:bb:cb:e9:1b:
cc:c6:a8:9e:7f:40:49:9e:57:3a:3e:86:56:a3:24:
d1:3f
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
37:e0:35:0c:7f:1d:18:6b:1b:17:9c:d9:42:99:b9:27:73:08:
1b:eb:d5:5f:c1:64:ea:b4:e3:76:31:a6:ce:97:0f:5f:43:46:
79:62:5c:1d:b8:14:83:0f:19:11:a2:c5:54:45:da:95:f8:47:
06:c5:e8:ba:a2:99:cf:91:da:09:fb:59:a4:08:3a:37:eb:4a:
be:47:f6:c9:50:5a:a3:8f:b7:63:07:b1:82:c3:02:bf:12:e7:
78:26:39:ff:fd:e2:c1:0a:15:3e:0e:54:e3:3b:5c:8b:f2:16:
84:41:1e:f4:2f:25:73:df:bb:21:db:ca:08:46:aa:13:4b:73:
64:d9:26:60:ec:69:e8:af:5a:87:c1:de:a3:3a:58:da:33:55:
a2:4c:97:ea:e9:70:92:67:df:f7:0b:92:31:d1:5a:fb:c5:96:
8f:f4:39:f9:96:04:3c:e9:db:ba:37:ab:66:68:aa:95:a1:b0:
b0:de:f8:c8:4e:69:eb:79:94:c2:ed:d2:94:e3:f3:b9:d9:de:
a5:1d:9d:6f:bf:c1:b2:be:aa:d1:09:e8:a8:95:35:73:85:6e:
3b:1a:f3:bf:9f:eb:27:0b:43:4c:91:7b:e8:a3:b4:73:bf:54:
bf:17:11:ef:96:18:87:e7:00:9b:68:69:c1:c7:8b:85:e7:f6:
e8:79:d5:7e