[SERVER-13945] Match x.509 cluster certificates per attribute instead of substring comparison - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 2.6.1
Fix Version/s: 2.6.2, 2.7.1
Component/s: Security
Labels:
None

Backport Completed:

2.6.2

Description

We currently assume certificate subject distinguished names are on the form:

CN=andreas.my, OU=Developers, O=MongoDB C=US

and use a simple substring comparison to determine if the organizational part of the DN is matching. To make the comparison more resilient we should instead parse the DN and match the relevant attributes O, OU, DC that together makes up the cluster id.

Originally we wanted to match C but that might possibly break geo-clusters.

Attachments

Issue Links

related to

DOCS-3463 2.6.2 - update x509 cluster certificate requirements

Closed

Activity

People

Assignee:: Andreas Nilsson

Reporter:: Andreas Nilsson

Participants:: Andreas Nilsson, Githook User

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: May 14 2014 02:20:48 PM UTC

Updated:: Mar 11 2015 04:52:41 PM UTC

Resolved:: May 22 2014 05:26:40 PM UTC