Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-49079

Emit startup warning if split horizons contain IP addresses

XMLWordPrintableJSON

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.8.0
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • Security 2020-08-24, Security 2020-09-21, Security 2020-10-05
    • 37

      Split Horizons rely on SNI to identify which horizon clients are a member of, and should observe topology information from. SNI is defined in RFC6066, which states:

      Currently, the only server names supported are DNS hostnames;
      ...
      Literal IPv4 and IPv6 addresses are not permitted in "HostName".

      Because it is not permissible, by the standard, to advertise IP addresses in the SNI extension, some TLS client implementations have inconsistent behaviour when asked to connect to servers with IP addresses in horizon definitions. The mongo shell, as of SERVER-42287, will refuse to advertise such extensions.

      We should complain, loudly, if horizons are configured like this.

            Assignee:
            adam.cooper@mongodb.com Adam Cooper (Inactive)
            Reporter:
            spencer.jackson@mongodb.com Spencer Jackson
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: