Details
Improvement
Resolution: Fixed
Major - P3
None
None
Description
Quoting from a user:
I see, so the issue here was my understanding and documentation. Since my only interaction with MongoDB deployment is doing KMIP setup, I never ventured into the MongoDB client TLS documentation. After looking through the docs, this section from TLS:
The mongo shell verifies that the hostname (specified in --host option or the connection string) matches the SAN (or, if SAN is not present, the CN) in the certificate presented by the mongod or mongos. If SAN is present, mongo does not match against the CN. If the hostname does not match the SAN (or CN), the mongo shell will fail to connect.
Would be amazing to have in the KMIP section. Definitely spent a fair amount of time doing horrible workarounds to have matching CNs because I didn't realize there was SAN support (all errors had indicated CN in my case).
Carry on.
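The SAN-before-CN rule quoted above, sketched as an added example (not part of the ticket and not MongoDB's code). The certificate dicts use the shape Python's `ssl` `getpeercert()` returns; the hostnames are constructed, and the single-label wildcard handling is an assumption the quoted text does not state.

```python
def _name_match(pattern, hostname):
    """Case-insensitive compare; '*' is honoured only as the whole leftmost label (assumption)."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p.startswith("*."):
        head, _, rest = h.partition(".")
        return bool(head) and rest == p[2:]
    return p == h


def names_checked(cert):
    """Return which field is authoritative and the names it offers."""
    san = cert.get("subjectAltName", ())
    if san:
        # Rule from the quoted docs: once a SAN is present, the CN is never consulted.
        return "SAN", [v for kind, v in san if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return "CN", cns


def hostname_matches(cert, hostname):
    """Return (matched, field_used) for the hostname the client dialled."""
    field, names = names_checked(cert)
    return any(_name_match(n, hostname) for n in names), field


# Constructed sample certificates (hypothetical hostnames).
CN_ONLY = {"subject": ((("commonName", "kmip.example.net"),),)}
SAN_SHADOWS_CN = {
    "subject": ((("commonName", "kmip.example.net"),),),
    "subjectAltName": (("DNS", "kmip-lb.example.net"),),
}
SAN_MATCH = {
    "subject": ((("commonName", "unrelated"),),),
    "subjectAltName": (("DNS", "kmip.example.net"), ("DNS", "*.kmip.example.net")),
}

if __name__ == "__main__":
    for label, cert in [("CN only", CN_ONLY), ("SAN shadows CN", SAN_SHADOWS_CN),
                        ("SAN match", SAN_MATCH)]:
        print(label, hostname_matches(cert, "kmip.example.net"))
```

The `SAN_SHADOWS_CN` case is the confusing one: the CN is correct, but the connection is still refused because a SAN exists and does not list the hostname.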
Scope of changes
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
Attachments
Issue Links
- related to: SERVER-37296 Did KMIP CN requirement change to SAN? (Closed)