Details
Bug
Resolution: Done
Major - P3
None
3.0.5
None
Fully Compatible
ALL
Security 8 08/28/15
Description
With a server configured as below for SSL:
SSL options:

    ssl:
      mode: requireSSL
      PEMKeyFile: /mongodb/certs/mongodb.pem
      CAFile: /mongodb/certs/ca.cer
      allowConnectionsWithoutCertificates: false
      allowInvalidCertificates: false
      allowInvalidHostnames: false

We are starting the mongo client with the following command:

    mongo --host mongodb.domain.com --ssl --sslCAFile /home/certs/ca.cer --sslPEMKeyFile ./ssl.pem

However, the SSL certificate is for ABC.domain.com, which is a valid certificate from the CA, but we are using that certificate from hostname DEF.domain.com, and the connection is allowed/successful.
I would assume that the option allowInvalidHostnames being false would force a DNS lookup on the hostname in the certificate, and it should match the IP of the inbound connection, and if not, fail the connection.
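
The check the reporter expects, written out as an added example; it is not MongoDB code and does not describe what `allowInvalidHostnames` actually does. The certificate dict, the DNS table, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: a dict shaped like ssl.SSLSocket.getpeercert() output,
# for the client certificate issued to ABC.domain.com in the report.
CLIENT_CERT = {
    "subject": ((("commonName", "ABC.domain.com"),),),
    "subjectAltName": (("DNS", "ABC.domain.com"),),
}

# Constructed forward-DNS table (documentation addresses, RFC 5737).
FAKE_DNS = {
    "abc.domain.com": ["192.0.2.10"],
    "def.domain.com": ["192.0.2.20"],
}

def fake_resolve(name):
    """Hypothetical resolver stand-in; raises KeyError (a LookupError) if unknown."""
    return FAKE_DNS[name.lower()]

def cert_names(cert):
    """Return (dns_names, ip_literals) from the SAN, falling back to the CN."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
    return dns, ips

def peer_matches_cert(cert, peer_ip, resolve):
    """True only if a name or IP in the certificate maps to peer_ip."""
    peer = ipaddress.ip_address(peer_ip)
    dns, ips = cert_names(cert)
    candidates = list(ips)
    for name in dns:
        if "*" in name:          # a wildcard name cannot be looked up
            continue
        try:
            candidates.extend(resolve(name))
        except (LookupError, OSError):
            continue             # unresolvable name: contributes nothing
    return any(ipaddress.ip_address(a) == peer for a in candidates)

if __name__ == "__main__":
    # Certificate for ABC presented from DEF's address: rejected.
    print(peer_matches_cert(CLIENT_CERT, "192.0.2.20", fake_resolve))
    # Same certificate presented from ABC's address: accepted.
    print(peer_matches_cert(CLIENT_CERT, "192.0.2.10", fake_resolve))
```

In a live server, `resolve` would wrap `socket.getaddrinfo`, and the result is only as trustworthy as the DNS answers it relies on.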