  1. Core Server
  2. SERVER-49079

Emit startup warning if split horizons contain IP addresses

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.8.0
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Sprint:
      Security 2020-08-24, Security 2020-09-21, Security 2020-10-05
    • Linked BF Score:
      37

      Description

      Split Horizons rely on SNI to identify which horizon clients are a member of, and should observe topology information from. SNI is defined in RFC6066, which states:

      Currently, the only server names supported are DNS hostnames;
      ...
      Literal IPv4 and IPv6 addresses are not permitted in "HostName".

      Because it is not permissible, by the standard, to advertise IP addresses in the SNI extension, some TLS client implementations have inconsistent behaviour when asked to connect to servers with IP addresses in horizon definitions. The mongo shell, as of SERVER-42287, will refuse to advertise such extensions.

      We should complain, loudly, if horizons are configured like this.
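
The following sketch is an added example, not part of this ticket or of the server's code. It audits a replica set configuration for horizon entries whose host is an IP literal, since RFC 6066 does not allow such a value as an SNI HostName. It assumes each member may carry a `horizons` document mapping a horizon name to a `host:port` string; the function names, the sample configuration and the warning text are constructed for illustration.

```javascript
// Assumed shape: member.horizons = { <horizonName>: "<host>:<port>" }.
// Return the host part of "host:port", "[v6]:port", or a bare host.
function hostOf(hostAndPort) {
  const s = String(hostAndPort).trim();
  if (s.startsWith("[")) {
    const end = s.indexOf("]");
    return end === -1 ? s.slice(1) : s.slice(1, end);
  }
  const colons = s.split(":").length - 1;
  return colons === 1 ? s.slice(0, s.indexOf(":")) : s; // >1 colon: bare IPv6
}

function isIPv4Literal(host) {
  const parts = host.split(".");
  return parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// A DNS hostname cannot contain ':', so a colon in the host means IPv6.
function isIPLiteral(host) {
  return host.includes(":") || isIPv4Literal(host);
}

// List every horizon whose address cannot be sent as an SNI HostName.
function findIpHorizons(config) {
  const findings = [];
  for (const member of config.members || []) {
    for (const [horizon, address] of Object.entries(member.horizons || {})) {
      if (isIPLiteral(hostOf(address))) {
        findings.push({ memberId: member._id, horizon, address });
      }
    }
  }
  return findings;
}

// Constructed sample config using documentation-only names and addresses.
const sampleConfig = {
  members: [
    { _id: 0, host: "db0.internal.example:27017", horizons: { external: "db0.example.com:27017" } },
    { _id: 1, host: "db1.internal.example:27017", horizons: { external: "203.0.113.10:27017" } },
    { _id: 2, host: "db2.internal.example:27017", horizons: { external: "[2001:db8::2]:27017" } },
    { _id: 3, host: "db3.internal.example:27017" }, // no horizons defined
  ],
};

for (const f of findIpHorizons(sampleConfig)) {
  console.log(`WARNING: member ${f.memberId} horizon "${f.horizon}" is an IP literal: ${f.address}`);
}
```

In the shell, `findIpHorizons` can be pointed at the object returned by `rs.conf()` instead of the sample.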

              People

              Assignee:
              adam.cooper Adam Cooper (Inactive)
              Reporter:
              spencer.jackson Spencer Jackson