[CDRIVER-2481] "-DENABLE_SSL=OPENSSL" would not allow the user to connect to the server with an IP address Created: 31/Jan/18  Updated: 27/Oct/23  Resolved: 08/Feb/18

Status: Closed
Project: C Driver
Component/s: libmongoc
Affects Version/s: 1.7.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: winnie_quest Assignee: A. Jesse Jiryu Davis
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File dd.png    
Issue Links:
Related
related to SERVER-33069 mongo shell can't connect to the serv... Closed
related to SERVER-24591 Support hostname validation with IP a... Closed

Description

mongo c driver: 1.7.0
mongo cxx driver: r3.1.3

If I compile the c driver with "-DENABLE_SSL=OPENSSL", I get the following test results:
case 1: the host's cert's CN is an IP address; connecting with the IP address failed.
error info:

connection failed: No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster on '10.154.10.39:27017']: generic server error

case 2: the host's cert's CN is a hostname; connecting with the hostname succeeded.

But I can connect with mongo.exe successfully in both cases.
What's more, the issue disappears if I compile the driver with "-DENABLE_SSL=WINDOWS".

Comments
Comment by winnie_quest [ 08/Feb/18 ]

But if the IP address is in the CN field, the mongo c driver still can't connect to the server with the IP address.

Comment by A. Jesse Jiryu Davis [ 08/Feb/18 ]

Thanks for your answer. I'm closing this issue for now; I think the C Driver does approximately the correct thing when an SSL certificate includes an IP address.

Comment by winnie_quest [ 08/Feb/18 ]

Thanks. I tested with mongo c driver 1.7.0: the driver could connect to the mongo server with the IP address if the IP address is in the server's SAN, but the shell can't do it.
Thanks a lot.

Comment by A. Jesse Jiryu Davis [ 07/Feb/18 ]

Hi, the C Driver with OpenSSL can connect using an IP address if the IP address is a Subject Alternative Name. I successfully tested this on Windows with OpenSSL 1.0.2n. I downloaded the Certificate Authority file ca.pem from the MongoDB test files. I made a file "extensions.cnf" containing:

[v3_req]
basicConstraints = CA:TRUE
subjectAltName = IP:127.0.0.1

Then:

openssl req -new -nodes -keyout test.key -out myserver_san_ip.csr -subj "/C=US/ST=NY/O=MongoDB/CN=x509server/emailAddress=jesse@mongodb.com"
 
openssl x509 -req -days 3650 -in myserver_san_ip.csr -CA ca.pem -out myserver_san_ip.crt -extfile extensions.cnf -extensions v3_req -CAcreateserial
 
cat test.key myserver_san_ip.crt > myserver_san_ip.pem
 
mongod.exe --sslOnNormalPorts --sslPEMKeyFile myserver_san_ip.pem --sslCAFile ca.pem  --sslAllowConnectionsWithoutCertificates

Then, after building libmongoc 1.9.2 with OpenSSL, I ran the example-client program:

./Debug/example-client.exe mongodb://127.0.0.1/?sslcertificateauthorityfile=ca.pem

The driver connects to the server successfully.

If you're curious, the relevant portions of the C Driver code that handle IP addresses in hostnames and Subject Alternative Names are in mongoc_stream_tls_openssl_new and _mongoc_openssl_check_cert.

Although the C Driver supports connecting to a server over SSL with an IP address in the URI, so long as the IP address is one of the server certificate's Subject Alternative Names, I wouldn't recommend starting MongoDB with a certificate that includes an IP address, since the mongo shell can only connect to it by hostname.
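The matching rule Jesse describes (an IP literal in the URI is compared only against iPAddress Subject Alternative Names, never against the Common Name, while a hostname is compared against dNSName SANs with a CN fallback) is shown below as an added example in stdlib Python. It is not libmongoc's, OpenSSL's or the mongo shell's code; the driver's own logic is in _mongoc_openssl_check_cert. The certificate name sets are constructed to mirror the cases in this ticket, and the CN-fallback and wildcard behaviour follow the common RFC 6125 interpretation, which is an assumption about how any particular verifier behaves.

```python
"""Model of how a server certificate's names are matched against the host
in a connection URI (simplified RFC 5280 / RFC 6125 rules).

Added example for this ticket, not the driver's code. The CertNames values
below are constructed to mirror the ticket's cases."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Identity fields of a server certificate that matter for matching."""
    common_name: str
    san_dns: list = field(default_factory=list)  # dNSName SAN entries
    san_ip: list = field(default_factory=list)   # iPAddress SAN entries


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match allowing one leftmost '*' label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard only as the whole leftmost label, and only with 3+ labels
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(host: str, cert: CertNames) -> bool:
    """Return True if `host` (hostname or IP literal) is a valid identity for `cert`."""
    host = host.strip("[]")  # tolerate bracketed IPv6 literals from URIs
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal: only iPAddress SANs count; the CN is never consulted,
        # which is why a CN-only certificate fails for an IP connection.
        return any(ipaddress.ip_address(s) == ip for s in cert.san_ip)
    if cert.san_dns:
        # Once dNSName SANs exist, they are authoritative (no CN fallback)
        return any(_dns_match(p, host) for p in cert.san_dns)
    # Assumption: CN fallback is used only when no dNSName SAN is present
    return _dns_match(cert.common_name, host)


def ticket_cases() -> dict:
    """The four situations discussed in the ticket, with constructed cert data."""
    cn_is_ip = CertNames(common_name="10.154.10.39")
    cn_is_host = CertNames(common_name="x509server")
    san_has_ip = CertNames(common_name="x509server", san_ip=["10.154.10.39"])
    return {
        "case1_cn_ip_connect_by_ip": host_matches_cert("10.154.10.39", cn_is_ip),
        "case2_cn_host_connect_by_host": host_matches_cert("x509server", cn_is_host),
        "san_ip_connect_by_ip": host_matches_cert("10.154.10.39", san_has_ip),
        "san_ip_connect_by_host": host_matches_cert("x509server", san_has_ip),
    }


if __name__ == "__main__":
    for name, ok in ticket_cases().items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
```

Running it reproduces the ticket: case 1 (IP in the CN only) is a mismatch, while the same IP placed in an iPAddress SAN matches, and the certificate with both CN=x509server and an IP SAN is usable by either name. The practical consequence for operators is the one Jesse draws: put every address clients will dial into the SAN, and treat `allow_invalid_certificates` as disabling server authentication rather than as a workaround.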

Comment by winnie_quest [ 02/Feb/18 ]

As you suggested, I created https://jira.mongodb.org/browse/SERVER-33069

Comment by A. Jesse Jiryu Davis [ 02/Feb/18 ]

We'll investigate, thank you, but I don't know whether we can make OpenSSL's certificate validation accept this cert or not. We shall see. I propose you file a ticket in the SERVER project as well to request the same change for the mongo shell, if it's possible.

Comment by winnie_quest [ 02/Feb/18 ]

Thanks for your reply, Jesse.
Well, I should say it's medium urgent.
Our product is working as a connector, allowing users to connect to MongoDB. We can't require our customers to always use a hostname for the CN in their server's certificate;
the workaround that I can figure out is to use "ssl_options.allow_invalid_certificates(true);", but you know it's not safe.
So I suggest you do the fix, 'cause I think it's still very common for people to connect to a server using an IP address.

Comment by A. Jesse Jiryu Davis [ 01/Feb/18 ]

The mongo shell also uses OpenSSL. I see that the Subject Alternative Name technique didn't work for an IP Address.

Could you tell me how urgent this is please? One idea is to set up your machine's local DNS (using something like /etc/hosts) to say that the name "x509server" maps to your desired IP, and use a server certificate for "x509server".

Comment by winnie_quest [ 01/Feb/18 ]

Hi, I created the pem with SAN by the following steps:
1. sudo openssl req -new -key myserver.key -out myserver_san_ip.csr -subj "/C=AU/ST=NSW/O=test/CN=x509server/emailAddress=user@domain.com"
2. sudo openssl x509 -req -days 3650 -in myserver_san_ip.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extensions v3_req -extfile a.txt -out myserver_san_ip.crt

a.txt's content is:
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = IP:10.154.10.39

Then use "openssl x509 -text -noout -in myserver_san_ip.crt" to check the SAN field (see the attachment).

3. sudo sh -c "cat myserver.key myserver_san_ip.crt > myserver_san_ip.pem"

With this new pem file, I restarted the mongod server,
then tried to connect with the mongo shell: mongo --host 10.154.10.39 --ssl --sslCAFile ca.pem --sslPEMKeyFile myclient.pem
but still get the error:
2018-02-01T03:56:53.109+0800 E NETWORK [thread1] The server certificate does not match the host name. Hostname: 10.154.10.39 does not match SAN(s):
2018-02-01T03:56:53.110+0800 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: 10.154.10.39 does not match SAN(s): :
connect@src/mongo/shell/mongo.js:237:13
@(connect):1:6
exception: connect failed

Comment by A. Jesse Jiryu Davis [ 31/Jan/18 ]

https://cabforum.org/guidance-ip-addresses-certificates/

Comment by A. Jesse Jiryu Davis [ 31/Jan/18 ]

Hmm, I'm not certain what's happening here. From a bit of research it seems to me that having an IP address as the certificate's Common Name is deprecated - perhaps OpenSSL now prohibits a certificate with IP address as the CN, while Windows Secure Channel still allows it.

Can you try a certificate with the IP address as the "Subject Alternative Name" instead of the Common Name?
