Core Server: SERVER-43739

SNI name is not set on OSX if allowInvalidHostnames is enabled


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Fix Version/s: 4.4.0-rc2, 4.7.0, 4.2.12
    • Backwards Compatibility: Minor Change
    • Operating System: ALL
    • v4.4, v4.2
    • With --tlsAllowInvalidHostnames (SNI is not sent on OSX):

      ./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem --tlsAllowInvalidHostnames local.10gen.cc

      Without it (SNI is sent):

      ./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem local.10gen.cc
    • Sprint: Security 2020-04-06, Security 2020-04-20

    Description

      Because of the way Apple's TLS library works, we have no direct way of manually setting or disabling the TLS SNI extension separately from the PeerDomainName in our usage of SSLSetPeerDomainName.

      Because of this, Apple's TLS library will naively advertise an IP address as an SNI name if it is provided as the PeerDomainName. This is against the TLS spec per RFC 6066, Section 3. We removed the advertisement of IP addresses in the SNI extension in SERVER-42287 and SERVER-43234.

      However, when allowInvalidHostnames is enabled, the PeerDomainName is cleared, and SNI is not advertised, which causes test failure and potentially confusion for anything that needs to use the SNI for whatever reason.
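The issue boils down to two decisions that must stay independent: whether to advertise an SNI name (driven only by whether the target is a DNS name or an IP literal, since RFC 6066 Section 3 forbids IP literals in host_name) and whether to verify the certificate's hostname (driven only by allowInvalidHostnames). The following is an added example written for this page, not MongoDB's code or Apple's API: a small policy layer that models that separation, encodes the resulting server_name extension exactly as it would appear in a ClientHello, and shows how an OpenSSL-backed client keeps the two knobs apart. The function names, the `allow_invalid_hostnames` parameter standing in for the `--tlsAllowInvalidHostnames` flag, and the `127.0.0.1` / `[::1]` sample targets are assumptions; `local.10gen.cc` is the host from the reproducer above.

```python
"""Keep SNI and hostname verification as two separate decisions.

Added example (not MongoDB's or Apple's code): a policy layer modelling
the behaviour the issue asks for. The SNI extension depends only on
whether the target is a DNS name or an IP literal (RFC 6066, Section 3
forbids IP literals in host_name); allow_invalid_hostnames (assumed stand-in
for --tlsAllowInvalidHostnames) only turns certificate hostname
verification off. Coupling the two is the trap in SSLSetPeerDomainName.
"""
import ipaddress
import ssl
import struct
from dataclasses import dataclass
from typing import Optional

TLS_EXT_SERVER_NAME = 0      # extension type "server_name" (RFC 6066)
SNI_NAME_TYPE_HOST_NAME = 0  # NameType host_name(0), the only defined type


@dataclass(frozen=True)
class TlsTargetPolicy:
    """What the client should do for one connection target."""
    sni_name: Optional[str]         # name to advertise in SNI; None = send no SNI
    verify_hostname: Optional[str]  # name the certificate is checked against; None = skip


def is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals, including bracketed IPv6 such as "[::1]"."""
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.ip_address(bare)
    except ValueError:
        return False
    return True


def plan_tls_target(host: str, allow_invalid_hostnames: bool = False) -> TlsTargetPolicy:
    """Decide SNI and hostname verification independently of each other.

    Disabling hostname verification never changes the SNI decision, which
    is exactly what the OSX path in this issue gets wrong.
    """
    sni = None if is_ip_literal(host) else host
    verify = None if allow_invalid_hostnames else host
    return TlsTargetPolicy(sni_name=sni, verify_hostname=verify)


def encode_sni_extension(policy: TlsTargetPolicy) -> Optional[bytes]:
    """Wire encoding of the ClientHello server_name extension (RFC 6066 s3).

    Layout: ext type (2) | ext length (2) | ServerNameList length (2) |
            NameType (1) | HostName length (2) | HostName bytes.
    Returns None when no SNI is to be sent: the extension is omitted from the
    ClientHello entirely rather than carrying an empty name or an IP literal.
    """
    if policy.sni_name is None:
        return None
    name = policy.sni_name.encode("ascii")
    server_name = struct.pack("!BH", SNI_NAME_TYPE_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", TLS_EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_context(policy: TlsTargetPolicy, ca_file: Optional[str] = None) -> ssl.SSLContext:
    """OpenSSL-backed context where verification and SNI are separate knobs.

    check_hostname only controls certificate name matching. The SNI value is
    supplied separately at wrap time (server_hostname=policy.sni_name), so
    switching the check off does not silently drop the extension.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = policy.verify_hostname is not None
    return ctx
```

For `local.10gen.cc` with `allow_invalid_hostnames=True` the policy still yields an SNI name and `encode_sni_extension` still produces the 23-byte extension; only `check_hostname` ends up False. For `127.0.0.1` the extension is omitted regardless of the flag, matching the fix referenced in SERVER-42287 and SERVER-43234. The bracketed-IPv6 handling goes slightly beyond the page's own cases, since connection strings commonly carry `[::1]`-style literals.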

    People

      sara.golemon@mongodb.com Sara Golemon
      adam.cooper@mongodb.com Adam Cooper (Inactive)
      Votes: 0
      Watchers: 3