Core Server / SERVER-49081

Disallow IP addresses in split horizon configurations

Details

    • Task
    • Resolution: Fixed
    • Major - P3
    • 4.7.0
    • None
    • Replication, Security
    • None
    • Fully Compatible
    • Security 2020-08-10
    • 37

    Description

      Split horizons rely on SNI to identify which horizon a client is a member of, and therefore which topology information it should observe. SNI is defined in RFC 6066, which states:

      Currently, the only server names supported are DNS hostnames;
      ...
      Literal IPv4 and IPv6 addresses are not permitted in "HostName".

      Because it is not permissible, by the standard, to advertise IP addresses in the SNI extension, some TLS client implementations have inconsistent behaviour when asked to connect to servers with IP addresses in horizon definitions. The mongo shell, as of SERVER-42287, will refuse to advertise such extensions.

      We should prevent invocations of replSetInitiate or replSetReconfig from accepting split horizon definitions that contain IP addresses.
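
A pre-flight check in the spirit of this ticket, as an added example (not MongoDB server code and not part of the original issue): it scans a replica set config document for horizon entries whose host is an IPv4 or IPv6 literal before the document is passed to replSetInitiate or replSetReconfig. It assumes horizons are given per member as a `horizons` map of horizon name to `host:port`; the sample config, hostnames and addresses are constructed.

```python
import ipaddress

def split_host_port(endpoint):
    """Split 'host', 'host:port' or '[v6]:port' into (host, port or None)."""
    if endpoint.startswith("["):
        host, _, rest = endpoint[1:].partition("]")
        return host, rest.lstrip(":") or None
    if endpoint.count(":") == 1:
        host, port = endpoint.split(":")
        return host, port
    # Bare hostname, or an unbracketed IPv6 literal (two or more colons).
    return endpoint, None

def is_ip_literal(host):
    """True if host parses as an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def find_ip_horizons(config):
    """Return (member _id, horizon name, endpoint) for every IP-literal horizon."""
    findings = []
    for member in config.get("members", []):
        for name, endpoint in member.get("horizons", {}).items():
            host, _ = split_host_port(endpoint)
            if is_ip_literal(host):
                findings.append((member["_id"], name, endpoint))
    return findings

# Constructed sample: member 0 is valid, members 1 and 2 each carry an IP literal.
SAMPLE_CONFIG = {
    "_id": "rs0",
    "version": 2,
    "members": [
        {"_id": 0, "host": "db0.internal.example:27017",
         "horizons": {"external": "db0.public.example:25000"}},
        {"_id": 1, "host": "db1.internal.example:27017",
         "horizons": {"external": "203.0.113.10:25001"}},
        {"_id": 2, "host": "db2.internal.example:27017",
         "horizons": {"external": "[2001:db8::5]:25002", "vpn": "db2.vpn.example"}},
    ],
}

if __name__ == "__main__":
    for member_id, name, endpoint in find_ip_horizons(SAMPLE_CONFIG):
        print(f"member {member_id}: horizon {name!r} uses IP literal {endpoint!r}")
```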

          People

            gabriel.marks@mongodb.com Gabriel Marks
            spencer.jackson@mongodb.com Spencer Jackson