[DOCS-9725] SAN / CN usage in `mongo` ssl validation

Created: 05/Jan/17
Updated: 30/Oct/23
Resolved: 12/Aug/18

Status: Closed
Project: Documentation
Component/s: Server
Affects Version/s: None
Fix Version/s: Server_Docs_20231030

Type: Bug
Priority: Major - P3
Reporter: Rahul Dhodapkar
Assignee: Kay Kim (Inactive)
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 5 years, 26 weeks, 3 days ago
Epic Link: DOCSP-1769

 Description   

MongoDB Documentation on TLS/SSL Configuration

https://docs.mongodb.com/manual/tutorial/configure-ssl-clients/

reads:

If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. If the hostname does not match the CN/SAN, mongo will fail to connect.

However, this is somewhat misleading. If one or more SAN entries are present, mongo will ignore the CN completely. I suggest rewording to:

If your MongoDB deployment uses SSL, you must also specify the --host option. mongo verifies that the hostname of the mongod or mongos to which you are connecting matches the CN or SAN of the mongod or mongos's --sslPEMKeyFile certificate. However, if one or more SAN entries exist, then mongo will not check the CN, even if it matches. If the hostname does not match the CN/SAN, mongo will fail to connect.
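
Added example (not part of the ticket and not MongoDB's code): a Python model of the validation order described above, usable to audit which --host values a certificate will accept before clients are pointed at it. The certificate dicts and hostnames are constructed, and matching is assumed to be exact and case-insensitive with no wildcard support.

```python
# Added illustration; not MongoDB source code. Certificates are dicts in the
# shape returned by Python's ssl.SSLSocket.getpeercert().

def common_names(cert):
    """Every commonName value in the certificate subject."""
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def san_entries(cert):
    """Values of all subjectAltName entries."""
    return [value for _kind, value in cert.get("subjectAltName", ())]


def check_host(cert, host):
    """Return (ok, reason) for a client connecting with --host <host>.

    Rule from the ticket: once any SAN entry exists, the CN is never used.
    Assumption: exact, case-insensitive comparison; wildcards not modelled.
    """
    target = host.lower()
    sans = [name.lower() for name in san_entries(cert)]
    cns = [name.lower() for name in common_names(cert)]
    if sans:
        if target in sans:
            return True, "matched SAN"
        if target in cns:
            return False, "CN matches but is ignored because SAN entries exist"
        return False, "no SAN entry matches"
    if target in cns:
        return True, "matched CN (certificate has no SAN)"
    return False, "CN does not match"


# Constructed sample certificates with hypothetical hostnames.
CERT_WITH_SAN = {
    "subject": ((("commonName", "db0.example.net"),),),
    "subjectAltName": (("DNS", "db0-internal.example.net"),),
}
CERT_CN_ONLY = {"subject": ((("commonName", "db0.example.net"),),)}

if __name__ == "__main__":
    for cert in (CERT_WITH_SAN, CERT_CN_ONLY):
        for host in ("db0.example.net", "db0-internal.example.net"):
            print(host, check_host(cert, host))
```

The first case is the one the ticket is about: the same CN that validates on a CN-only certificate is rejected once a SAN list is added that omits it.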



 Comments   
Comment by Githook User [ 12/Aug/18 ]

Author: kay (kay-kim) <kay.kim@10gen.com>

Message: DOCS-9180, DOCS-9725: clarify tls mongo shell server certificate hostname validation
Branch: v3.4
https://github.com/mongodb/docs/commit/9f78f8736ae229df61f387f739559cf1a1a8ff72

Comment by Githook User [ 12/Aug/18 ]

Author: kay (kay-kim) <kay.kim@10gen.com>

Message: DOCS-9180, DOCS-9725: clarify tls mongo shell server certificate hostname validation
Branch: v3.6
https://github.com/mongodb/docs/commit/39f4269df05b341ee42f830f2f7453c5e44e7f60

Comment by Githook User [ 12/Aug/18 ]

Author: kay (kay-kim) <kay.kim@10gen.com>

Message: DOCS-9180, DOCS-9725: tls mongo shell server certificate hostname validation + update to configure ssl client page
Branch: master
https://github.com/mongodb/docs/commit/a155e99a105da8414f33281c56202cf878409613
