[DOCS-14322] Investigate changes in SERVER-55119: Create startup warning indicating that X.509 certificates without SANs are deprecated
Created: 29/Mar/21 Updated: 13/Nov/23 Resolved: 11/Jan/22
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual, Server |
| Affects Version/s: | None |
| Fix Version/s: | 4.2.15, 4.4.7, 5.0.0-rc0, 4.0.26, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Backlog - Core Eng Program Management Team | Assignee: | Ian Fogelman |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Participants: |
| Days since reply: | 2 years, 3 weeks ago |
| Epic Link: | DOCSP-15042 |
| Story Points: | 3 |
| Description |
Downstream Change Summary

Following line needs to be added to release notes:

Description of Linked Ticket

X.509 certificates have had two mechanisms for defining the hostname they bind their public key to. The Common Name has been considered deprecated in favor of Subject Alternative Names, because Common Names don't, semantically, have anything to do with hostnames.

Various cryptographic libraries are removing support for hostname validation via common names. Apple's TLS framework stopped recognizing common names in iOS 13 and macOS 10.15. Go 1.15 no longer recognizes common names by default, and the tunable knob will be removed in a future release. Clients using these platforms will find themselves unable to connect to MongoDB servers which use X.509 certificates whose hostnames are advertised by CommonName attributes.

We should indicate to all administrators whose servers use them that this style of certificate is deprecated and should be replaced. We should parse the server's server certificate at startup and emit a startup warning if it doesn't have a SAN. We should backport this change to all supported releases.

Scope of changes
Impact to Other Docs
MVP (Work and Date)
Resources (Scope or Design Docs, Invision, etc.)
| Comments |
| Comment by Githook User [ 20/Jan/22 ] |
|
Author: {'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}
Message: |
| Comment by Githook User [ 19/Jan/22 ] |
|
Author: {'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}
Message: |
| Comment by Githook User [ 10/Jan/22 ] |
|
Author: {'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}
Message: |
| Comment by Githook User [ 10/Jan/22 ] |
|
Author: {'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}
Message: |
| Comment by Githook User [ 10/Jan/22 ] |
|
Author: {'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}
Message: Docs-14322 add 509 certificate warning (#197)
|
| Comment by Githook User [ 10/Jan/22 ] |
|
Author: {'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}
Message: Docs-14322 add 509 certificate warning (#197)
|