[DRIVERS-320] Add SNI Support
Created: 18/Aug/16  Updated: 15/May/19  Resolved: 08/Dec/16

Status: Closed
Project: Drivers
Component/s: None
Fix Version/s: None

Type: New Feature
Priority: Major - P3
Reporter: Rathi Gnanasekaran
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: newdriver
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on NODE-799 Allow TLS SNI servername to be passed... Closed
depends on CSHARP-1753 Add TLS SNI Support Closed
depends on CXX-1004 Add TLS SNI support Closed
depends on JAVA-2289 Add TLS SNI Support Closed
depends on RUBY-1140 Add TLS SNI Support Closed
depends on RUST-28 Add SNI Support Closed
depends on PYTHON-1132 Support TLS SNI when available. Closed
is depended on by CDRIVER-1489 Add TLS SNI Support Closed
Related
related to SERVER-25684 Have client support SNI Closed
is related to DRIVERS-338 Test SNI support Closed
Driver Compliance:
Key Status/Resolution FixVersion
PYTHON-1132 Done 3.4
PERL-656 Done
NODE-799 Done 2.2.7
JAVA-2289 Done 3.4.0
CSHARP-1753 Done 2.4
RUBY-1140 Done 2.4.0
SCALA-256 Won't Fix
CXX-1004 Won't Fix
RUST-28 Fixed 0.9.0-alpha
SWIFT-475 Done

Comments
Comment by Rathi Gnanasekaran [ 08/Dec/16 ]

Closing ticket as all linked tickets are closed.

Comment by Bernie Hackett [ 24/Aug/16 ]

Note that, depending on your TLS implementation, SNI support may or may not work for IPv4 and / or IPv6 literals. The RFC explicitly states that IPv4 and IPv6 literals are not supported, but OpenSSL doesn't appear to care. By comparison, Java's SNI implementation raises an exception if you pass it an IPv6 literal as hostname.

Logs from the server when using IP literals through OpenSSL:

2016-08-23T17:18:10.618-0700 D NETWORK  [conn97] new ssl connection, SNI server name [::1]
2016-08-23T17:19:07.532-0700 D NETWORK  [conn99] new ssl connection, SNI server name [127.0.0.1]

Comment by Bernie Hackett [ 24/Aug/16 ]

The SNI patch has been committed to mongo master. To test that your client is using SNI, increase the log level of mongod (-v is all you need) and look for a message like this in the log:

2016-08-23T16:58:04.407-0700 D NETWORK  [conn1] new ssl connection, SNI server name [server]
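
The log check described in the two comments above can be scripted. This is an added example, not code from the ticket or from any driver: it scans mongod log lines for the SNI message and flags names that are IPv4 or IPv6 literals. The function names, the regular expression and the last sample line are assumptions made for illustration.

```python
import ipaddress
import re

# Matches the mongod debug message quoted in the comments above.
SNI_LINE = re.compile(
    r"^(?P<ts>\S+)\s+D\s+NETWORK\s+\[(?P<conn>conn\d+)\]\s+"
    r"new ssl connection, SNI server name \[(?P<name>.*)\]\s*$"
)


def classify_sni(name):
    """Return 'empty', 'ipv4-literal', 'ipv6-literal' or 'hostname'."""
    if not name:
        # Defensive case: the brackets were present but held no name.
        return "empty"
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        # Not parseable as an address, so treat it as a DNS hostname.
        return "hostname"
    return "ipv%d-literal" % addr.version


def audit_sni(lines):
    """Return (connection id, SNI name, classification) per SNI log line."""
    results = []
    for line in lines:
        m = SNI_LINE.match(line)
        if m:  # lines without the SNI message are skipped
            results.append((m["conn"], m["name"], classify_sni(m["name"])))
    return results


# The first three lines are the log lines quoted on this page; the last
# one is constructed to show that unrelated lines are ignored.
SAMPLE_LOG = [
    "2016-08-23T17:18:10.618-0700 D NETWORK  [conn97] new ssl connection, SNI server name [::1]",
    "2016-08-23T17:19:07.532-0700 D NETWORK  [conn99] new ssl connection, SNI server name [127.0.0.1]",
    "2016-08-23T16:58:04.407-0700 D NETWORK  [conn1] new ssl connection, SNI server name [server]",
    "2016-08-23T17:20:00.000-0700 I NETWORK  [conn100] constructed line without SNI",
]

if __name__ == "__main__":
    for conn, name, kind in audit_sni(SAMPLE_LOG):
        print(conn, name, kind)
```

A connection reported as an IP literal means the client's TLS library sent the literal as the server name, which is the OpenSSL behaviour described in the comment above.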

Comment by Hannes Magnusson [ 20/Aug/16 ]

I've verified this ticket for:

  • mongoc 1.4.0 Secure Transport
  • mongoc 1.5.0 (OpenSSL in CR)
  • mongoc 1.5.0 (LibreSSL (libtssl / libtls), in CR)
  • mongoc 1.5.0 (Secure Channel, in CR)
  • HHVM and PHP drivers built on mongoc 1.4+ and later
  • PHP Support via stream contexts in PHP 5.6+ and later (not native mongo extension support)

mongoc is lacking verification of Windows Secure Channel build though.
