Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 3.0.5
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:

Hide

Start server with allowInvalidHostnames false.
Create valid certificate from CA.
Try to connect from a different host with the certificate issued.

Show
Start server with allowInvalidHostnames false. Create valid certificate from CA. Try to connect from a different host with the certificate issued.
Sprint:
Security 8 08/28/15
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

With a server configured as below for SSL :

SSL options : 
    ssl:
        mode: requireSSL
        PEMKeyFile: /mongodb/certs/mongodb.pem
        CAFile: /mongodb/certs/ca.cer
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false
        allowInvalidHostnames: false

We are starting mongo client with following command :

mongo --host mongodb.domain.com --ssl --sslCAFile /home/certs/ca.cer --sslPEMKeyFile ./ssl.pem

However, the SSL certificate is for ABC.domain.com which is a valid certificate from the CA, however, we are using that certificate from hostname DEF.domain.com, and the connection is allowed/successful.

I would assume that the option allowInvalidHostnames being false would force a dns lookup on the hostname in the certificate and it should match the IP of the inbound connection, and if not fail the connection.

Assignee:: Andreas Nilsson (Inactive)
Reporter:: Robert Grimball
Participants:: Andreas Nilsson, Robert Grimball
Votes:: 0 Vote for this issue
Watchers:: 5 Start watching this issue

Created:: Aug 24 2015 04:21:26 PM UTC
Updated:: Aug 25 2015 03:43:12 PM UTC
Resolved:: Aug 25 2015 03:43:02 PM UTC

Details

Description

Attachments

Activity

People

Dates