[DOCS-14322] Investigate changes in SERVER-55119: Create startup warning indicating that X.509 certificates without SANs are deprecated Created: 29/Mar/21  Updated: 13/Nov/23  Resolved: 11/Jan/22

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.2.15, 4.4.7, 5.0.0-rc0, 4.0.26, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team Assignee: Ian Fogelman
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
backported by DOCS-14584 [BACKPORT] [v4.4] SERVER Create start... Closed
backported by DOCS-14586 [SERVER] [Backport v4.2] Create start... Closed
backported by DOCS-14588 [SERVER] [Backport v4.0] Create start... Closed
Documented
documents SERVER-55119 Create startup warning indicating tha... Closed
Participants:
Days since reply: 2 years, 3 weeks ago
Epic Link: DOCSP-15042
Story Points: 3

Description

Downstream Change Summary

Following line needs to be added to release notes:

  • mongod and mongos now issue a startup warning when the TLS server certificate does not include a Subject Alternative Name (SAN) attribute

Description of Linked Ticket

X.509 certificates have had two mechanisms for binding a hostname to their public key.
If a Subject Alternative Name (SAN) extension is present in the certificate, the names listed there are the bound names.
If no SAN is present, but the certificate's Subject contains a Common Name (CN) component that parses as a hostname, that hostname was treated as bound.

The Common Name has been deprecated in favor of the SAN extension (RFC 2818 already called CN matching deprecated), because a Common Name is a free-form Subject attribute that, semantically, has nothing to do with hostnames.

Various cryptographic libraries are removing support for hostname validation via the Common Name. Apple's TLS framework stopped recognizing Common Names in iOS 13 and macOS 10.15. Go 1.15 no longer recognizes Common Names by default, and the tunable knob (the GODEBUG=x509ignoreCN=0 setting) was slated for removal in a future release; it was removed in Go 1.17.

Clients built on these platforms will be unable to connect to MongoDB servers whose X.509 certificates advertise their hostname only in the Common Name attribute.

We should tell every administrator whose servers use this style of certificate that it is deprecated and should be replaced. We should parse the server's certificate at startup and emit a startup warning if it has no SAN. We should backport this change to all supported releases.
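Added example (not code from SERVER-55119 or from the MongoDB server): the same SAN-presence check written in Go, next to the client-side failure the warning is meant to head off. Go is used because its crypto/x509 package is one of the TLS stacks named above that ignores the Common Name. Both certificates are generated in-process as constructed test data; the hostname db.example.com, the warning wording and the function names hasSAN, startupWarning and clientAccepts are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the subjectAltName extension (id-ce 17).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// makeCert builds a self-signed test certificate (constructed test data, not a
// real deployment certificate). With sans == nil the hostname lives only in the
// Subject Common Name, which is the deprecated style the warning targets.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans, // Go emits the SAN extension only when names are present
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasSAN reports whether the certificate carries a subjectAltName extension at
// all. It looks for the extension OID rather than the parsed DNSNames or
// IPAddresses fields, so a SAN holding only otherName or directoryName entries
// still counts as present.
func hasSAN(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			return true
		}
	}
	return false
}

// startupWarning mirrors the check the ticket asks for: inspect the server
// certificate once at startup and return a warning when it has no SAN. An empty
// string means no warning. The wording is this example's, not mongod's.
func startupWarning(c *x509.Certificate) string {
	if hasSAN(c) {
		return ""
	}
	return fmt.Sprintf("server certificate for CN=%q has no Subject Alternative Name; "+
		"certificates without SANs are deprecated and clients on modern TLS stacks will reject them",
		c.Subject.CommonName)
}

// clientAccepts does what a Go client does after the TLS handshake: hostname
// verification. Since Go 1.15 the Common Name is ignored, so a CN-only
// certificate fails here even though its CN matches the host.
func clientAccepts(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil
}

func main() {
	for _, tc := range []struct {
		label string
		sans  []string
	}{
		{"CN-only certificate", nil},
		{"certificate with SAN", []string{"db.example.com"}},
	} {
		cert, err := makeCert("db.example.com", tc.sans)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: hasSAN=%v clientAccepts=%v\n", tc.label, hasSAN(cert), clientAccepts(cert, "db.example.com"))
		if w := startupWarning(cert); w != "" {
			fmt.Println("  WARNING:", w)
		}
	}
}
```

On Go 1.17 and later the CN-only certificate fails VerifyHostname unconditionally; on Go 1.15 and 1.16 it fails unless GODEBUG=x509ignoreCN=0 is set in the client's environment. To check an existing server PEM file without this program, openssl x509 -in server.pem -noout -text | grep -A1 'Subject Alternative Name' prints the SAN entries if the extension is present and nothing (non-zero exit) if it is not.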

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)



 Comments   
Comment by Githook User [ 20/Jan/22 ]

Author:

{'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}

Message: DOCS-14322 init (#358)
Branch: v5.2
https://github.com/10gen/docs-mongodb-internal/commit/d2abffa79cc857a2232ebc38437b95c476175f5e

Comment by Githook User [ 19/Jan/22 ]

Author:

{'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}

Message: DOCS-14322 init (#358)
Branch: master
https://github.com/10gen/docs-mongodb-internal/commit/d2abffa79cc857a2232ebc38437b95c476175f5e

Comment by Githook User [ 10/Jan/22 ]

Author:

{'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}

Message: DOCS-14322 v5.0 backport (#257)
Branch: v5.0
https://github.com/mongodb/docs/commit/ec676b916b84fa264efee188d3d78a1deca3e741

Comment by Githook User [ 10/Jan/22 ]

Author:

{'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}

Message: DOCS-14322 v5.1 backport (#255)
Branch: v5.1
https://github.com/mongodb/docs/commit/b6e3ad7314c65330332c85eccaf444ec1cbf3dd6

Comment by Githook User [ 10/Jan/22 ]

Author:

{'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}

Message: Docs-14322 add 509 certificate warning (#197)

  • update include verbiage
  • names -> name
  • Addressing Jason Edits #1
  • Glossary update
  • **
  • ***
  • Change glossary link
  • Use term decorator for Subject Alternative Name
  • Remove extra line in glossary.txt
  • Address Sergey comments #1
  • Added ref to mongod and mongos
Comment by Githook User [ 10/Jan/22 ]

Author:

{'name': 'ianf-mongodb', 'email': '85948430+ianf-mongodb@users.noreply.github.com', 'username': 'ianf-mongodb'}

Message: Docs-14322 add 509 certificate warning (#197)

  • update include verbiage
  • names -> name
  • Addressing Jason Edits #1
  • Glossary update
  • **
  • ***
  • Change glossary link
  • Use term decorator for Subject Alternative Name
  • Remove extra line in glossary.txt
  • Address Sergey comments #1
  • Added ref to mongod and mongos
Generated at Thu Feb 08 08:10:06 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.