
SAN / CN usage in `mongo` ssl validation

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • Server_Docs_20231030
    • Affects Version/s: None
    • Component/s: Server
    • Labels:
      None

      MongoDB Documentation on TLS/SSL Configuration

      https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/

      reads:

      If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. If the hostname does not match the CN/SAN, mongo will fail to connect.

      However, this is somewhat misleading. If one or more SAN entries is present, mongo will ignore the CN completely. I suggest rewording to:

      If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. However, if one or more SAN entries exist, then mongo will not check the CN, even if it matches. If the hostname does not match the CN/SAN, mongo will fail to connect.
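The behaviour the ticket describes (SAN entries, when present, take precedence and the CN is not consulted at all) is the standard hostname-verification rule from RFC 6125. The following Python model of that rule is an added illustration, not code from MongoDB or the `mongo` shell; it assumes certificates represented as dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, with constructed sample certificates and hostnames. It shows why a certificate whose CN matches the `--host` value still fails verification once any DNS SAN is present, and why the CN only matters for a certificate that carries no SAN.

```python
# Added example (not MongoDB code): hostname verification against a server
# certificate's SAN and CN fields, following the rule the ticket describes
# (and RFC 6125): if the certificate carries any DNS SAN entries, only those
# are consulted; the Common Name is a fallback used solely when no SAN
# entries exist. Certificates below are constructed dicts shaped like the
# output of ssl.SSLSocket.getpeercert(); they are not real certificates.


def _dns_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A single '*' is accepted only as the entire leftmost label, so
    '*.example.com' matches 'db1.example.com' but neither
    'a.b.example.com' nor 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def san_dns_names(cert: dict) -> list:
    """Return the DNS-type entries of the subjectAltName extension (may be empty)."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert: dict) -> list:
    """Return every commonName attribute found in the subject DN."""
    names = []
    for rdn in cert.get("subject", ()):
        for (attr, value) in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def verify_hostname(cert: dict, hostname: str) -> tuple:
    """Return (matched, explanation) for a hostname against a certificate."""
    sans = san_dns_names(cert)
    if sans:
        # SAN present: the CN is ignored entirely, even when it would match.
        ok = any(_dns_match(p, hostname) for p in sans)
        return ok, "checked SAN entries %r; CN ignored" % (sans,)
    cns = common_names(cert)
    ok = any(_dns_match(p, hostname) for p in cns)
    return ok, "no SAN entries; fell back to CN %r" % (cns,)


# Constructed sample certificates. The first has a CN that matches one of
# the hostnames we test but is shadowed by its SAN list.
CERT_SAN_AND_CN = {
    "subject": ((("commonName", "mongo1.example.com"),),),
    "subjectAltName": (
        ("DNS", "mongo-rs.example.com"),
        ("DNS", "*.cluster.example.com"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "mongo1.example.com"),),),
}


if __name__ == "__main__":
    for cert_name, cert in (("SAN+CN cert", CERT_SAN_AND_CN), ("CN-only cert", CERT_CN_ONLY)):
        for host in ("mongo1.example.com", "mongo-rs.example.com",
                     "node3.cluster.example.com", "a.b.cluster.example.com"):
            ok, why = verify_hostname(cert, host)
            print("%-12s %-27s %-5s %s" % (cert_name, host, ok, why))
```

Running the block prints one line per certificate/hostname pair; the telling row is `mongo1.example.com` against the SAN+CN certificate, which is rejected even though the CN is an exact match, while the same hostname is accepted against the CN-only certificate. In practice this means a certificate issued for a replica set should list every hostname clients will use in its SAN extension rather than relying on the CN.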

            Assignee:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter:
            rahul.dhodapkar Rahul Dhodapkar
            Votes:
            0
            Watchers:
            4

              Created:
              Updated:
              Resolved:
              5 years, 37 weeks, 2 days ago