Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-12126

Docs for SERVER-36895: Test for SAN type "IP Address" in OpenSSL/SecureTransport TLS providers

XMLWordPrintableJSON

      Description

      Description:

      Update certificate parsing to allow IP Address tags in the Subject Alternate Names extension.

      Engineering Ticket Description:

      We currently only consider "DNS Name" SANs (Subject Alternate Name) on clients when comparing the intended hostname with the one actually presented.

      OpenSSL: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_openssl.cpp#L1364
      SecureTransport: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_apple.cpp#L489

      These name comparators should attempt to match IP address as well.

      Case : If there is an IP address in the SAN field that is flagged with DNS Name instead of IP Address, then allow it and compare as an IP address, but flag the user with a warning upon startup of the console. 

      Scope of changes

      Impact to Other Docs

      MVP (Work and Date)

      Resources (Scope or Design Docs, Invision, etc.)

            Assignee:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved:
              4 years, 39 weeks, 3 days ago