Core Server / SERVER-14861

SSL hostname matching does not strictly follow RFC 2818

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.7.7
    • Component/s: Security
    • Labels: None
    • Operating System: ALL

      Description

      This came up in connection with SERVER-14516. If both a subject and subject alternative names exist, the server will match against both. RFC 2818 requires that the subject be ignored if subjectAltNames exist.

      From section 3.1 in http://tools.ietf.org/html/rfc2818.html:

      If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

      The test certs created for SERVER-14516 will have to be regenerated to include 'server' as a subjectAltName.
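      As an added illustration (not MongoDB's code), the two matching rules the ticket contrasts: the lenient rule that accepts the subject CN even when dNSName SANs are present, beside the RFC 2818 rule that consults the CN only when no dNSName SAN exists. The certificate is a constructed sample in the shape Python's `ssl.getpeercert()` returns; wildcard handling follows the RFC's label-wise rule.

```python
def _label_matches(pattern, label):
    """Match one DNS label; '*' covers any run of characters within the label only."""
    pattern, label = pattern.lower(), label.lower()
    if "*" not in pattern:
        return pattern == label
    prefix, _, suffix = pattern.partition("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))

def dns_name_matches(pattern, hostname):
    """RFC 2818 section 3.1: '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com'."""
    p, h = pattern.split("."), hostname.rstrip(".").split(".")
    return len(p) == len(h) and all(_label_matches(a, b) for a, b in zip(p, h))

def san_dns_names(cert):
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def subject_common_names(cert):
    # subject is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def matches_hostname_lenient(cert, hostname):
    """Behaviour the ticket reports: CN is consulted alongside the SANs."""
    names = san_dns_names(cert) + subject_common_names(cert)
    return any(dns_name_matches(n, hostname) for n in names)

def matches_hostname_rfc2818(cert, hostname):
    """RFC 2818 rule: a dNSName SAN, when present, is the only identity considered."""
    sans = san_dns_names(cert)
    names = sans if sans else subject_common_names(cert)
    return any(dns_name_matches(n, hostname) for n in names)

# Constructed sample: CN=server plus dNSName SANs, like the test certs the ticket describes
SAMPLE_CERT = {
    "subject": ((("commonName", "server"),),),
    "subjectAltName": (("DNS", "mongo.example.org"), ("DNS", "*.internal.example.org")),
}

if __name__ == "__main__":
    # 'server' is accepted leniently but rejected under RFC 2818 unless added as a SAN
    print(matches_hostname_lenient(SAMPLE_CERT, "server"),
          matches_hostname_rfc2818(SAMPLE_CERT, "server"))
```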


      People

      Assignee: Amalia Hawkins (amalia.hawkins@10gen.com)
      Reporter: Bernie Hackett (behackett)
