Details
- Bug
- Resolution: Fixed
- Major - P3
- None
- None
- None
- Fully Compatible
- ALL
- v4.0
- Security 2018-09-10, Security 2018-09-24, Security 2018-10-08, Security 2018-10-22
- (copied to CRM)
Description
We currently only consider "DNS Name" SANs (Subject Alternative Name) on clients when comparing the intended hostname with the one actually presented.
OpenSSL: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_openssl.cpp#L1364
SecureTransport: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_apple.cpp#L489
These name comparators should attempt to match IP addresses as well.
Case: If there is an IP address in the SAN field that is flagged with DNS Name instead of IP Address, then allow it and compare as an IP address, but flag the user with a warning upon startup of the console.
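An added example, not MongoDB's code: a minimal model of the matching rule requested above, covering "IP Address" SANs and IP literals mislabelled as "DNS Name". The names `San`, `MatchResult`, `matchHost` and `kSampleSans` are hypothetical, and the sample SAN list is constructed.

```cpp
#include <arpa/inet.h>  // inet_pton (POSIX)
#include <algorithm>
#include <array>
#include <cctype>
#include <string>
#include <vector>

// Hypothetical model of one parsed SAN entry. A real iPAddress SAN carries
// 4 or 16 raw octets; text is used here to keep the example self-contained.
enum class SanType { DnsName, IpAddress };
struct San { SanType type; std::string value; };
struct MatchResult { bool matched; bool warnIpInDnsSan; };
using IpBytes = std::array<unsigned char, 17>;  // [0] = family tag, [1..16] = address

// Parse an IPv4/IPv6 literal to bytes so "::1" equals "0:0:0:0:0:0:0:1".
bool parseIp(const std::string& s, IpBytes& out) {
    out.fill(0);
    if (inet_pton(AF_INET, s.c_str(), out.data() + 1) == 1) { out[0] = 4; return true; }
    out.fill(0);
    if (inet_pton(AF_INET6, s.c_str(), out.data() + 1) == 1) { out[0] = 6; return true; }
    return false;
}

// Case-insensitive exact DNS comparison (wildcard handling is out of scope here).
bool dnsEquals(const std::string& a, const std::string& b) {
    return a.size() == b.size() &&
           std::equal(a.begin(), a.end(), b.begin(), [](unsigned char x, unsigned char y) {
               return std::tolower(x) == std::tolower(y);
           });
}

MatchResult matchHost(const std::string& host, const std::vector<San>& sans) {
    MatchResult r{false, false};
    IpBytes hostIp, sanIp;
    const bool hostIsIp = parseIp(host, hostIp);
    for (const auto& san : sans) {
        const bool sanIsIp = parseIp(san.value, sanIp);
        // An IP literal typed as "DNS Name": tolerated, but surfaced as a warning.
        if (san.type == SanType::DnsName && sanIsIp) r.warnIpInDnsSan = true;
        if (hostIsIp)
            r.matched = r.matched || (sanIsIp && sanIp == hostIp);  // byte-wise IP match
        else if (san.type == SanType::DnsName && !sanIsIp)
            r.matched = r.matched || dnsEquals(host, san.value);
    }
    return r;
}
// Constructed sample SAN list (not from a real certificate).
const std::vector<San> kSampleSans = {{SanType::DnsName, "db1.example.net"},
    {SanType::IpAddress, "10.0.0.5"}, {SanType::DnsName, "192.0.2.10"}};
```

Comparing parsed bytes rather than strings keeps differently written forms of the same address from producing a false mismatch.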
Issue Links
- has to be done before
  - SERVER-36669 IP address hostnames are matched against DNS subjectAltNames (Backlog)
- is documented by
  - DOCS-12126 Docs for SERVER-36895: Test for SAN type "IP Address" in OpenSSL/SecureTransport TLS providers (Closed)
- is duplicated by
  - SERVER-24591 Support hostname validation with IP addresses in SAN (Closed)
- is related to
  - SERVER-24591 Support hostname validation with IP addresses in SAN (Closed)