[CDRIVER-2481] "-DENABLE_SSL=OPENSSL" would not allow user to connect to server with IP address
Created: 31/Jan/18 Updated: 27/Oct/23 Resolved: 08/Feb/18

| Status: | Closed |
| Project: | C Driver |
| Component/s: | libmongoc |
| Affects Version/s: | 1.7.0 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | winnie_quest | Assignee: | A. Jesse Jiryu Davis |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Attachments: | |
| Issue Links: | |
Description

mongo c driver: 1.7.0. If I compile the C driver with "-DENABLE_SSL=OPENSSL" and do the following tests:
connection failed: No suitable servers found (`serverSelectionTryOnce` set): [TL
but I can connect with mongo.exe successfully in both cases.
Comments

Comment by winnie_quest [ 08/Feb/18 ]

but if the IP address is in the CN field, the mongo c driver still can't connect to the server with the IP address
Comment by A. Jesse Jiryu Davis [ 08/Feb/18 ]

Thanks for your answer. I'm closing this issue for now, I think the C Driver does approximately the correct thing when an SSL certificate includes an IP address.
Comment by winnie_quest [ 08/Feb/18 ]

thanks. I tested with mongo c driver 1.7.0; the driver could connect to the mongo server with an IP address if the IP address is in the server's SAN, but the shell can't do it,
Comment by A. Jesse Jiryu Davis [ 07/Feb/18 ]

Hi, the C Driver with OpenSSL can connect using an IP address if the IP address is a Subject Alternative Name. I successfully tested this on Windows with OpenSSL 1.0.2n. I downloaded the Certificate Authority file ca.pem from the MongoDB test files. I made a file "extensions.cnf" containing:
Then:
Then, after building libmongoc 1.9.2 with OpenSSL, I ran the example-client program:
The driver connects to the server successfully. If you're curious, the relevant portions of the C Driver code that handle IP addresses in hostnames and Subject Alternative Names are in mongoc_stream_tls_openssl_new and _mongoc_openssl_check_cert. Although the C Driver supports connecting to a server over SSL with an IP address in the URI, so long as the IP address is one of the server certificate's Subject Alternative Names, I wouldn't recommend starting MongoDB with a certificate that includes an IP address, since the mongo shell can only connect to it by hostname.
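The behaviour the thread converges on (an IP literal in the URI is accepted only when it appears as an iPAddress Subject Alternative Name, and an IP in the Common Name is not enough, while a hostname such as "x509server" mapped in /etc/hosts matches a DNS SAN or CN) can be modelled as a small hostname-verification routine. The block below is an added example, not code from this ticket, from libmongoc's _mongoc_openssl_check_cert or from OpenSSL; the certificate summaries, host names and IP addresses in it are constructed, and the rules it applies are those of RFC 2818 section 3.1 (IP literals) and RFC 6125 (DNS names, wildcards, CN fallback), not a claim about the driver's internal implementation.

```python
"""Model of the URI-host vs certificate check discussed in the ticket.

Added example (not libmongoc's or OpenSSL's code). It applies the RFC 2818
section 3.1 rule for IP literals and the RFC 6125 rules for DNS names to
constructed certificate summaries, to show why an IP address that only
appears in the CN is rejected while the same IP as a SAN entry is accepted.
"""
import ipaddress

# Constructed certificate summaries (assumption: this is the shape an X.509
# parser would hand to the checker; nothing here is parsed from a real cert).
# "san" holds (type, value) pairs as they appear in a subjectAltName extension.
CERT_IP_IN_CN = {"cn": "192.0.2.10", "san": []}
CERT_IP_IN_SAN = {"cn": "x509server",
                  "san": [("DNS", "x509server"), ("IP", "192.0.2.10")]}
CERT_WILDCARD = {"cn": "db.example.com", "san": [("DNS", "*.example.com")]}


def _dns_matches(pattern, host):
    """RFC 6125 style DNS-ID comparison: case-insensitive, trailing dot
    ignored, and a single leading '*' label matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[2:]
        labels = host.split(".")
        # The host needs exactly one more label than the suffix; the wildcard
        # never swallows an empty label or more than one label.
        return (len(labels) == suffix.count(".") + 2
                and labels[0] != ""
                and ".".join(labels[1:]) == suffix)
    return pattern == host


def host_matches_cert(host, cert):
    """Return True when the URI host (DNS name or IP literal) is acceptable
    for the given certificate summary."""
    try:
        # Accept a bracketed IPv6 literal as it appears in a URI.
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        # RFC 2818 section 3.1: a URI given as an IP address needs an
        # iPAddress SAN entry that matches exactly. The CN is never consulted
        # for IP literals, so a cert with the IP only in its CN is rejected.
        # Comparing parsed addresses makes "::1" equal to "0:0:0:0:0:0:0:1".
        return any(t == "IP" and ipaddress.ip_address(v) == ip
                   for t, v in cert["san"])

    dns_ids = [v for t, v in cert["san"] if t == "DNS"]
    if dns_ids:
        # RFC 6125 section 6.4.4: once the SAN carries DNS names, the CN is
        # not used as a fallback.
        return any(_dns_matches(p, host) for p in dns_ids)
    # Legacy fallback: no DNS SAN entries, so compare against the CN.
    return _dns_matches(cert["cn"], host)


if __name__ == "__main__":
    cases = [
        ("192.0.2.10", CERT_IP_IN_CN, "IP literal, IP only in CN"),
        ("192.0.2.10", CERT_IP_IN_SAN, "IP literal, IP in SAN"),
        ("x509server", CERT_IP_IN_SAN, "hostname from the /etc/hosts workaround"),
        ("db.example.com", CERT_WILDCARD, "wildcard DNS SAN"),
    ]
    for host, cert, label in cases:
        print(f"{label:42s} -> {host_matches_cert(host, cert)}")
```

The first two cases are the ticket's situation: the same address is rejected when it lives only in the CN and accepted once it is an iPAddress SAN entry. The third case is Jesse's workaround, where the client connects by a name that resolves locally to the server's IP and the certificate carries that name.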
Comment by winnie_quest [ 02/Feb/18 ]

as you suggested, I created https://jira.mongodb.org/browse/SERVER-33069
Comment by A. Jesse Jiryu Davis [ 02/Feb/18 ]

We'll investigate, thank you, but I don't know whether we can make OpenSSL's certificate validation accept this cert or not. We shall see. I propose you file a ticket in the SERVER project as well to request the same change for the mongo shell, if it's possible.
Comment by winnie_quest [ 02/Feb/18 ]

thanks for your reply, Jesse.
Comment by A. Jesse Jiryu Davis [ 01/Feb/18 ]

The mongo shell also uses OpenSSL. I see that the Subject Alternative Name technique didn't work for an IP Address. Could you tell me how urgent this is please? One idea is to set up your machine's local DNS (using something like /etc/hosts) to say that the name "x509server" maps to your desired IP, and use a server certificate for "x509server".
Comment by winnie_quest [ 01/Feb/18 ]

hi, I created the pem with SAN by the following steps: a.txt's content is: then use "openssl x509 -text -noout -in myserver_san_ip.crt" to check the SAN field. See 3. sudo sh -c "cat myserver.key myserver_san_ip.crt > myserver_san_ip.pem". With this new pem file, I restarted the mongod server
Comment by A. Jesse Jiryu Davis [ 31/Jan/18 ]

Hmm, I'm not certain what's happening here. From a bit of research it seems to me that having an IP address as the certificate's Common Name is deprecated - perhaps OpenSSL now prohibits a certificate with IP address as the CN, while Windows Secure Channel still allows it. Can you try a certificate with the IP address as the "Subject Alternative Name" instead of the Common Name?