[DOCS-13817] [TOOLS] sslAllowInvalidHostnames bypasses SSL/TLS server certificate validation entirely Created: 10/Aug/20  Updated: 30/Oct/23

Status: Closed
Project: Documentation
Component/s: manual, tools
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Task Priority: Major - P3
Reporter: Anonymous Assignee: Unassigned
Resolution: Won't Do Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents TOOLS-2587 sslAllowInvalidHostnames bypass ssl/t... Closed
Participants:
Days since reply: 1 year, 14 weeks, 2 days ago
Epic Link: DOCSP-11348

Description

In all Mongo-tools docs, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior from the ticket.

Engineering Description
The doc for --sslAllowInvalidHostnames says:

Disables the validation of the hostnames in TLS/SSL certificates. Allows mongodump to connect to MongoDB instances even if the hostname in their certificates does not match the specified hostname.

However, in our implementation it's treated the same as SSLAllowInvalidCert, which bypasses the validation checks for server certificates and allows the use of invalid certificates.

https://github.com/mongodb/mongo-tools-common/blob/447a935858a70d71d22b02fa9ae67e19565d66c9/db/db.go#L459

    if opts.SSLAllowInvalidCert || opts.SSLAllowInvalidHost {
        tlsConfig.InsecureSkipVerify = true
    }

This behavior would confuse users and also contradicts the documentation.

I believe this problem exists in all the tools and mongomirror.

After some research into the issue, I found there is no setting to ignore hostname validation in tlsConfig, thus it's not possible to fix this from the tools library. Mongo Go driver needs to introduce a new flag in ClientOptions. 

For implementation, refer to https://github.com/golang/go/issues/21971
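Added example (not code from mongo-tools or the Go driver) of the workaround the Go crypto/tls documentation points to for this situation: leave InsecureSkipVerify on, but redo the chain verification yourself in a VerifyConnection callback with no DNSName, so only the hostname check is dropped and an unknown CA is still refused. The CA, the leaf certificate and the names db-01.internal and db-01.example are constructed for the demo; none of them come from the ticket.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// chainOnlyTLSConfig skips only the hostname check: InsecureSkipVerify turns off the
// built-in verification and VerifyConnection re-verifies the chain against roots with
// no DNSName, so an unknown CA or an expired certificate is still rejected.
func chainOnlyTLSConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return errors.New("server presented no certificate")
			}
			opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
			for _, c := range cs.PeerCertificates[1:] {
				opts.Intermediates.AddCert(c) // anything after the leaf is an intermediate
			}
			_, err := cs.PeerCertificates[0].Verify(opts) // chain, validity and EKU; not the name
			return err
		},
	}
}

// main issues a throwaway CA and a server certificate for the constructed name
// "db-01.internal" and runs the check offline with the real and with an empty root set.
func main() {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey) // fixed templates: cannot fail
	caCert, _ := x509.ParseCertificate(caDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{"db-01.internal"}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	leafCert, _ := x509.ParseCertificate(leafDER)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	cs := tls.ConnectionState{ServerName: "db-01.example", PeerCertificates: []*x509.Certificate{leafCert}} // name mismatch is ignored
	fmt.Println("trusted CA, name mismatch:", chainOnlyTLSConfig(pool).VerifyConnection(cs))
	fmt.Println("unknown CA:", chainOnlyTLSConfig(x509.NewCertPool()).VerifyConnection(cs))
}
```

The first check returns a nil error even though the client asked for a different name; the second returns an error because the issuing CA is not in the root set.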


Comments
Comment by Education Bot [ 31/Oct/22 ]

Hello! This ticket has been closed due to inactivity. If you believe this ticket is still important, please reopen it and leave a comment to explain why. Thank you!

Generated at Thu Feb 08 08:08:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.