- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Server
- Labels: None
MongoDB Documentation on TLS/SSL Configuration
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
reads:
If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. If the hostname does not match the CN/SAN, mongo will fail to connect.
However, this is somewhat misleading. If one or more SAN entries are present, mongo will ignore the CN completely. I suggest rewording to:
If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. However, if one or more SAN entries exist, then mongo will not check the CN, even if it matches. If the hostname does not match the CN/SAN, mongo will fail to connect.
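The matching rule the report describes, as an added example (not MongoDB documentation or server code): a small hostname verifier that compares a hostname against a certificate's CN and DNS SAN entries, skipping the CN entirely whenever any DNS SAN is present. This is the RFC 6125 behaviour that OpenSSL's X509_check_host() also applies by default. The certificate layout (a dict with "cn" and "sans" keys) and the hostnames are constructed for the example; nothing here parses real X.509.

```python
"""Hostname verification against a certificate's CN and SAN entries.

Added example, not code from the MongoDB docs or server. It models the rule
the report describes: if the certificate carries any DNS SAN entries, the CN
is never consulted, even when it would match. Certificates below are
constructed dicts ({"cn": ..., "sans": ["dns:...", ...]}), an assumption of
this example rather than a real X.509 structure.
"""


def _name_matches(pattern, hostname):
    """Case-insensitive DNS name comparison with one leading wildcard label.

    '*.example.com' matches 'db1.example.com' but not 'example.com' and not
    'a.b.example.com': the wildcard covers exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, cert):
    """Return (matched, reason) for hostname against a constructed cert dict.

    Only dNSName SANs ("dns:" prefix) are compared with a hostname. An
    iPAddress SAN would be compared with a literal IP by a real verifier and
    is ignored here.
    """
    dns_sans = [s[4:] for s in cert.get("sans", []) if s.lower().startswith("dns:")]
    if dns_sans:
        # SAN present: the CN is ignored completely, matching or not.
        for name in dns_sans:
            if _name_matches(name, hostname):
                return True, "matched SAN dNSName %s" % name
        return False, "no SAN dNSName matched; CN not consulted because SANs exist"
    cn = cert.get("cn")
    if cn and _name_matches(cn, hostname):
        return True, "matched CN %s (no SAN present)" % cn
    return False, "no SAN present and CN did not match"


# Constructed certificates for the scenarios the report describes.
CN_ONLY = {"cn": "db1.example.com", "sans": []}
CN_PLUS_SAN = {"cn": "db1.example.com", "sans": ["dns:mongo.example.com", "ip:10.0.0.5"]}
WILDCARD_SAN = {"cn": "ignored.example.net", "sans": ["dns:*.example.com"]}


def run_scenarios():
    """Evaluate each (hostname, cert) pair; returns {label: matched}."""
    cases = {
        "cn_only_cn_matches": ("db1.example.com", CN_ONLY),
        # The case the report is about: CN matches, but a SAN exists, so it is ignored.
        "san_present_cn_matches": ("db1.example.com", CN_PLUS_SAN),
        "san_present_san_matches": ("mongo.example.com", CN_PLUS_SAN),
        "wildcard_san_one_label": ("db2.example.com", WILDCARD_SAN),
        "wildcard_san_two_labels": ("a.b.example.com", WILDCARD_SAN),
        "wildcard_san_bare_domain": ("example.com", WILDCARD_SAN),
    }
    return {label: hostname_matches(host, cert)[0] for label, (host, cert) in cases.items()}


if __name__ == "__main__":
    for label, (host, cert) in {
        "cn_only": ("db1.example.com", CN_ONLY),
        "san_present": ("db1.example.com", CN_PLUS_SAN),
    }.items():
        ok, why = hostname_matches(host, cert)
        print("%-12s %-18s %s: %s" % (label, host, "OK  " if ok else "FAIL", why))
```

To see which names a running mongod actually presents before deciding whether a CN will be honoured, dump the leaf certificate with `openssl s_client -connect host:27017 </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName`; if the subjectAltName extension lists any DNS names, the CN in the subject line plays no part in the match.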