[DOCS-9180] Document required CN / subjectAltName configuration for TLS certificates Created: 20/Oct/16  Updated: 16/Aug/18  Resolved: 12/Aug/18

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Bernie Hackett Assignee: Kay Kim (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-10488 SSL/TLS x.509 certificate creation gu... Closed
Epic Link: DOCSP-1769

 Description   

We often get questions from users about TLS handshake failures that are caused by misconfigured TLS certificates. The server and client drivers use the hostname verification algorithm described in RFC 2818 Section 3.1, specifically this text:

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

Users often create TLS certificates that have a SAN dNSName of something like "foo.example.com", and a CN of something like "foobar.example.com". They try to connect to foobar.example.com and the TLS handshake fails, leading to a lot of confusion.

TLS is complicated and difficult to explain. Let's try to give the users a fighting chance in this case.



 Comments   
Comment by Githook User [ 12/Aug/18 ]

Author:

{'username': 'kay-kim', 'email': 'kay.kim@10gen.com', 'name': 'kay'}

Message: DOCS-9180, DOCS-9725: clarify tls mongo shell server certificate hostname validation
Branch: v3.4
https://github.com/mongodb/docs/commit/9f78f8736ae229df61f387f739559cf1a1a8ff72

Comment by Githook User [ 12/Aug/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-9180, DOCS-9725: clarify tls mongo shell server certificate hostname validation
Branch: v3.6
https://github.com/mongodb/docs/commit/39f4269df05b341ee42f830f2f7453c5e44e7f60

Comment by Githook User [ 12/Aug/18 ]

Author:

{'name': 'kay', 'email': 'kay.kim@10gen.com', 'username': 'kay-kim'}

Message: DOCS-9180, DOCS-9725: tls mongo shell server certificate hostname validation + update to configure ssl client page
Branch: master
https://github.com/mongodb/docs/commit/a155e99a105da8414f33281c56202cf878409613

Comment by Bernie Hackett [ 20/Oct/16 ]

This also matches the behavior of the built-in hostname verification in OpenSSL >= 1.0.2 (previous versions didn't support hostname verification).

https://www.openssl.org/docs/manmaster/crypto/X509_check_host.html

The X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT flag causes the function to consider the subject DN even if the certificate contains at least one subject alternative name of the right type (DNS name or email address as appropriate); the default is to ignore the subject DN when at least one corresponding subject alternative name is present.
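The matching rule quoted in the description (RFC 2818 Section 3.1) and the OpenSSL X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT behaviour from the comment above, as an added example in pure Python. This is not MongoDB server, driver or OpenSSL code; the `Cert` class is a constructed stand-in for a parsed X.509 certificate, `verify_hostname` and `cn_not_covered_by_san` are hypothetical names, and wildcard handling follows the RFC 2818 text rather than the stricter RFC 6125 rules. It reproduces the ticket's scenario (SAN dNSName foo.example.com, CN foobar.example.com) and adds the one check a certificate author wants: does the SAN list cover the CN?

```python
"""RFC 2818 s3.1 hostname verification, modelled in pure Python (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cert:
    """Minimal stand-in for a parsed X.509 certificate (constructed, not a real parser).
    A real Subject may carry several CN attributes; RFC 2818 says to use the most
    specific one, which we model as a single string."""
    cn: Optional[str]                                   # subject Common Name, or None
    san_dns: List[str] = field(default_factory=list)    # subjectAltName dNSName entries


def _dns_matches(pattern: str, host: str) -> bool:
    """Match one dNSName pattern against a lower-cased hostname using the RFC 2818
    wildcard rule: '*' matches a single label or label fragment, so *.a.com matches
    foo.a.com but not bar.foo.a.com, and f*.com matches foo.com but not bar.com."""
    p_labels = pattern.rstrip(".").lower().split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):          # a wildcard never spans a '.'
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        if p.count("*") > 1 or not h:           # one wildcard per label; no empty labels
            return False
        prefix, suffix = p.split("*", 1)
        if not (h.startswith(prefix) and h.endswith(suffix)
                and len(h) >= len(prefix) + len(suffix)):
            return False
    return True


def verify_hostname(cert: Cert, hostname: str, always_check_subject: bool = False) -> bool:
    """RFC 2818 s3.1: if any dNSName SAN is present it MUST be used as the identity and
    the CN is ignored; only a certificate with no dNSName SAN falls back to the CN.
    `always_check_subject=True` models OpenSSL's X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT,
    which consults the CN even when dNSName SANs exist (hypothetical parameter name).
    `hostname` is the name dialled, without port; iPAddress SANs are out of scope."""
    host = hostname.rstrip(".").lower()
    if cert.san_dns:
        if any(_dns_matches(p, host) for p in cert.san_dns):
            return True
        if not always_check_subject:
            return False                        # CN never consulted: the ticket's failure
    if cert.cn is None:
        return False
    return _dns_matches(cert.cn, host)


def cn_not_covered_by_san(cert: Cert) -> bool:
    """Lint for the misconfiguration in this ticket: the certificate has dNSName SANs,
    but none of them covers its own CN, so an RFC 2818 client can never match the CN."""
    if not cert.san_dns or cert.cn is None:
        return False
    return not any(_dns_matches(p, cert.cn.lower()) for p in cert.san_dns)


# Constructed certificates for the scenario described in the ticket.
MISCONFIGURED = Cert(cn="foobar.example.com", san_dns=["foo.example.com"])
FIXED = Cert(cn="foobar.example.com", san_dns=["foobar.example.com", "foo.example.com"])
CN_ONLY = Cert(cn="foobar.example.com")        # deprecated but still accepted


def ticket_scenario() -> Dict[str, bool]:
    """Outcomes for connecting to foobar.example.com against each constructed cert."""
    return {
        "misconfigured": verify_hostname(MISCONFIGURED, "foobar.example.com"),
        "misconfigured_always_check_subject": verify_hostname(
            MISCONFIGURED, "foobar.example.com", always_check_subject=True),
        "fixed": verify_hostname(FIXED, "foobar.example.com"),
        "cn_only": verify_hostname(CN_ONLY, "foobar.example.com"),
    }


if __name__ == "__main__":
    for label, ok in ticket_scenario().items():
        print(f"{label:36s} -> {'handshake ok' if ok else 'hostname mismatch'}")
    print("CN not covered by SAN:", cn_not_covered_by_san(MISCONFIGURED))
```

The only case that fails is the misconfigured certificate with default flags: the SAN dNSName foo.example.com is present, so the CN foobar.example.com is never consulted. Adding the CN to the SAN list (the FIXED certificate) is the actual fix; relying on ALWAYS_CHECK_SUBJECT only works for clients that happen to set that OpenSSL flag.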

Generated at Thu Feb 08 07:57:44 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.