Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.8.0
Affects Version/s: None
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Sprint:
Security 2020-08-24, Security 2020-09-21, Security 2020-10-05
Linked BF Score:
37
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

Split Horizons rely on SNI to identify which horizon clients are a member of, and should observe topology information from. SNI is defined in RFC6066, which states:

Currently, the only server names supported are DNS hostnames;
...
Literal IPv4 and IPv6 addresses are not permitted in "HostName".

Because it is not permissible, by the standard, to advertise IP addresses in the SNI extension, some TLS client implementations have inconsistent behaviour when asked to connect to servers with IP addresses in horizon definitions. The mongo shell, as of ~~SERVER-42287~~, will refuse to advertise such extensions.

We should complain, loudly, if horizons are configured like this.

has to be done before

SERVER-50827 Nodes with IP addresses in split horizons are unable to start

Closed

Assignee:: Adam Cooper (Inactive)
Reporter:: Spencer Jackson
Participants:: Adam Cooper, Githook User, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 3 Start watching this issue

Created:: Jun 24 2020 10:15:15 PM UTC
Updated:: Oct 29 2023 10:06:33 PM UTC
Resolved:: Sep 23 2020 02:46:29 PM UTC
Confidence Status Last Update:: 20/Aug/20 8:58 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates