Details
Type: Bug
Resolution: Done
Priority: Major - P3
Description
MongoDB Documentation on TLS/SSL Configuration
https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/
reads:
If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. If the hostname does not match the CN/SAN, mongo will fail to connect.
However, this is somewhat misleading. If one or more SAN entries are present, mongo will ignore the CN completely. I suggest rewording to:
If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. However, if one or more SAN entries exist, then mongo will not check the CN, even if it matches. If the hostname does not match the CN/SAN, mongo will fail to connect.
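The matching rule the report describes (subjectAltName entries take precedence; the CN is consulted only when the certificate carries no SAN) is the RFC 6125 section 6.4.4 behaviour that most TLS clients implement. The following is an added illustration, not the reporter's code and not MongoDB's own verification code: a small matcher over certificates in the layout returned by Python's ssl.getpeercert(), with constructed sample certificates, showing that a matching CN does not rescue a connection once a SAN is present.

```python
"""Hostname matching with SAN-first semantics.

Added example, not MongoDB's own code. It models the rule described in
the ticket: when the server certificate carries subjectAltName DNS entries,
only those are compared against the hostname; the CN is consulted only
when no SAN is present (the RFC 6125 section 6.4.4 rule).
"""

from __future__ import annotations


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Compare one DNS name or wildcard pattern from a cert with a hostname.

    Matching is case-insensitive and permits a single wildcard only as the
    entire left-most label (e.g. '*.example.com'); the wildcard matches
    exactly one label and never matches the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, with at least two labels after
    # it (no '*.com'), and no further wildcards anywhere in the pattern.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> tuple[bool, str]:
    """Return (matched, reason) for a cert in ssl.getpeercert() layout.

    cert["subjectAltName"] is a tuple of (type, value) pairs and
    cert["subject"] is a tuple of RDNs, each a tuple of (attr, value) pairs.
    """
    san_dns = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if san_dns:
        # SAN present: the CN is ignored entirely, even if it would match.
        for name in san_dns:
            if _dns_name_match(name, hostname):
                return True, f"matched SAN DNS:{name}"
        return False, f"SAN present ({', '.join(san_dns)}); CN not consulted"
    # No SAN at all: fall back to the last (most specific) commonName.
    cns = [v for rdn in cert.get("subject", ()) for a, v in rdn if a == "commonName"]
    if cns and _dns_name_match(cns[-1], hostname):
        return True, f"matched CN {cns[-1]} (no SAN present)"
    return False, "no SAN and CN does not match"


# Constructed sample certificates (hypothetical names, not from any deployment).
CERT_SAN_OTHER_HOST = {
    "subject": ((("commonName", "mongo1.example.com"),),),
    "subjectAltName": (("DNS", "mongo2.example.com"),),
}
CERT_NO_SAN = {
    "subject": ((("commonName", "mongo1.example.com"),),),
}
CERT_WILDCARD_SAN = {
    "subject": ((("commonName", "ignored.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "10.0.0.5")),
}

if __name__ == "__main__":
    for label, cert in (("san-other-host", CERT_SAN_OTHER_HOST),
                        ("no-san", CERT_NO_SAN),
                        ("wildcard-san", CERT_WILDCARD_SAN)):
        print(label, hostname_matches_cert(cert, "mongo1.example.com"))
```

The first sample is the case the ticket is about: the CN is exactly the hostname being connected to, yet the check fails because a SAN exists and names a different host. To see which names a real --sslPEMKeyFile certificate actually carries, run `openssl x509 -in server.pem -noout -text` and look for the "X509v3 Subject Alternative Name" extension; if it is present, the CN is irrelevant to hostname verification.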