[DOCS-13817] [TOOLS] sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely Created: 10/Aug/20 Updated: 30/Oct/23 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual, tools |
| Affects Version/s: | None |
| Fix Version/s: | Server_Docs_20231030 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Anonymous | Assignee: | Unassigned |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Participants: | |||||||||
| Days since reply: | 1 year, 14 weeks, 2 days ago | ||||||||
| Epic Link: | DOCSP-11348 | ||||||||
| Description |
DescriptionIn all Mongo-tools doc, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior in the ticket. Engineering Description Disables the validation of the hostnames in TLS/SSL certificates. Allows mongodump to connect to MongoDB instances even if the hostname in their certificates do not match the specified hostname. However, in our implementation, it's treated the same as SSLAllowInvalidCert which bypasses the validation checks for server certificates and allows the use of invalid certificate.
This behavior would cause confusion to the user and also contradicts to the document. I believe this problem exists in all the tools and mongomirror. After some research into the issue, I found there is no setting to ignore hostname validation in tlsConfig, thus it's not possible to fix this from the tools library. Mongo Go driver needs to introduce a new flag in ClientOptions. Implementation can be referred to here https://github.com/golang/go/issues/21971 Scope of changesImpact to Other DocsMVP (Work and Date)Resources (Scope or Design Docs, Invision, etc.) |
| Comments |
| Comment by Education Bot [ 31/Oct/22 ] |
|
Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you! |