  1. Core Server
  2. SERVER-20093

allowInvalidHostnames doesn't fail when valid cert but hostname doesn't match

Details

    • Bug
    • Resolution: Done
    • Major - P3
    • None
    • 3.0.5
    • Security
    • None
    • Fully Compatible
    • ALL
    • Steps to reproduce:

      Start server with allowInvalidHostnames false.
      Create valid certificate from CA.
      Try to connect from a different host with the certificate issued.

    • Security 8 08/28/15

    Description

      With a server configured as below for SSL:

      SSL options:
          ssl:
              mode: requireSSL
              PEMKeyFile: /mongodb/certs/mongodb.pem
              CAFile: /mongodb/certs/ca.cer
              allowConnectionsWithoutCertificates: false
              allowInvalidCertificates: false
              allowInvalidHostnames: false
      

      We are starting the mongo client with the following command:

      mongo --host mongodb.domain.com --ssl --sslCAFile /home/certs/ca.cer --sslPEMKeyFile ./ssl.pem
      

      The SSL certificate is for ABC.domain.com, which is a valid certificate from the CA; however, we are using that certificate from hostname DEF.domain.com, and the connection is allowed/successful.

      I would assume that the option allowInvalidHostnames being false would force a DNS lookup on the hostname in the certificate, and that it should match the IP of the inbound connection and, if not, fail the connection.

          People

            andreas.nilsson Andreas Nilsson
            rgrimball Robert Grimball