Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-49081

Disallow IP addresses in split horizon configurations

XMLWordPrintableJSON

    • Type: Icon: Task Task
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 4.7.0
    • Affects Version/s: None
    • Component/s: Replication, Security
    • Labels:
      None
    • Fully Compatible
    • Security 2020-08-10
    • 37

      Split Horizons rely on SNI to identify which horizon clients are a member of, and should observe topology information from. SNI is defined in RFC6066, which states:

      Currently, the only server names supported are DNS hostnames;
      ...
      Literal IPv4 and IPv6 addresses are not permitted in "HostName".

      Because it is not permissible, by the standard, to advertise IP addresses in the SNI extension, some TLS client implementations have inconsistent behaviour when asked to connect to servers with IP addresses in horizon definitions. The mongo shell, as of SERVER-42287, will refuse to advertise such extensions.

      We should prevent invocations of replSetInitiate or replSetReconfig from accepting split horizon definitions which contain IP addresses in horizon definitions.

            Assignee:
            gabriel.marks@mongodb.com Gabriel Marks
            Reporter:
            spencer.jackson@mongodb.com Spencer Jackson
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: