Core Server / SERVER-36669

IP address hostnames are matched against DNS subjectAltNames

    • Type: Improvement
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 4.0.1
    • Fix Version/s: Backlog
    • Component/s: Shell
    • Case:


      In PYTHON-1627, David Cossey reports that his server was misconfigured with a DNS subjectAltName of '':

      $ openssl x509 -text -noout -in ./mongodb.pem
        X509v3 extensions:
                  X509v3 Subject Alternative Name:
                      DNS:<server1>, DNS:<*.server_domain.com>, DNS:

      However, the mongo shell can still connect:

      $ ./mongo --host --port 27017 --ssl --sslCAFile ~/ssl_cert_location/mongodb6.pem
          MongoDB shell version v4.0.1
          connecting to: mongodb://
          MongoDB server version: 3.6.5
          WARNING: shell and server versions do not match
        MongoDB Enterprise > use admin
          switched to db admin

      PyMongo fails hostname matching to such a server because the hostname,, is an IP address and therefore is only compared to iPAddress subjectAltName. As far as I can tell PyMongo (and CPython) are following the relevant RFCs with respect to IP address matching. From RFC 2818:

      In some cases, the URI is specified as an IP address rather than a
      hostname. In this case, the iPAddress subjectAltName must be present
      in the certificate and must exactly match the IP in the URI.

      From RFC 6125, "Comparison of IP Addresses":

      When the reference identity is an IP address, the identity MUST be
      converted to the "network byte order" octet string representation
      [IP] [IPv6]. For IP Version 4, as specified in RFC 791, the octet
      string will contain exactly four octets. For IP Version 6, as
      specified in RFC 2460, the octet string will contain exactly sixteen
      octets. This octet string is then compared against subjectAltName
      values of type iPAddress. A match occurs if the reference identity
      octet string and value octet strings are identical.

      So I think the mongo shell is performing non-standard subject alt name comparisons between IP addresses and DNS subjectAltNames.
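      The RFC rule quoted above, as an added Python example (not code from the mongo shell, PyMongo or CPython): an IP-literal reference identity is packed to network byte order and compared only against iPAddress entries, so the DNS entries of a certificate shaped like the one above (a constructed SAN list in the layout `ssl.getpeercert()["subjectAltName"]` returns) never match it, empty entry or not.

```python
import ipaddress

# Constructed sample SAN list in the shape Python's ssl.getpeercert()["subjectAltName"]
# returns: (type, value) pairs. It mirrors the misconfigured certificate in the report
# (two DNS names plus an empty DNS entry, no iPAddress entry); it is not the real cert.
MISCONFIGURED_SAN = (
    ("DNS", "server1"),
    ("DNS", "*.server_domain.com"),
    ("DNS", ""),
)


def _dns_matches(pattern, hostname):
    """DNS-ID comparison: case-insensitive, a single '*' allowed only as the
    whole left-most label and matching exactly one label. An empty pattern
    identifies nothing."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def match_reference_identity(san_entries, reference):
    """True when the SAN list identifies `reference` (a hostname or IP literal).

    Per RFC 2818 / RFC 6125: an IP reference identity is converted to its
    network-byte-order octets and compared only against iPAddress entries,
    so no DNS entry, empty or otherwise, can ever match it."""
    try:
        ref_ip = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        for san_type, value in san_entries:
            if san_type != "IP Address":       # CPython's label for iPAddress SANs
                continue
            try:
                if ipaddress.ip_address(value).packed == ref_ip.packed:
                    return True
            except ValueError:                 # unparsable SAN value: never a match
                continue
        return False
    return any(san_type == "DNS" and _dns_matches(value, reference)
               for san_type, value in san_entries)
```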

              backlog-server-security Backlog - Security Team
              shane.harvey Shane Harvey