[JAVA-2184] No subject alternative names matching IP address // Subject Alternative Name only DNS entry
Created: 03/May/16 Updated: 11/Sep/19 Resolved: 20/May/16

| Status: | Closed |
| Project: | Java Driver |
| Component/s: | Connection Management |
| Affects Version/s: | 3.2.1 |
| Fix Version/s: | None |
| Type: | Task |
| Priority: | Major - P3 |
| Reporter: | Stefan Siegl |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Windows, Linux |

Description
Hello, I'm trying to connect to a mongod instance on CentOS with the Java driver from my Windows PC. The mongod is configured as follows:
A connection from my Windows machine with the command line works:
Also from MongoChef, but I get an exception when I try to execute the following snippet:
The stacktrace is:
The certificate was also used for the application running on the same server without any trouble. It contains the following SAN entry:
Comments
Comment by Stefan Siegl [ 20/May/16 ]
Thank you Jeff for your support. You can close this ticket. BR
Comment by Jeffrey Yemin [ 19/May/16 ]
That's great news, though I've not been able to track down a bug report for the JDK related to this. Regardless, do you consider the issue resolved then? If so, I'll close this ticket.
Comment by Stefan Siegl [ 19/May/16 ]
Hi Jeff, I'm using the following version: java -version
EDIT: With version 1.8.0_92 your test program runs without any exceptions, and my little test program can connect to the mongodb with ssl. With version 1.8.0_51 your test program and mine exit with an exception.
Comment by Jeffrey Yemin [ 18/May/16 ]
Hi Stefan, I'm not clear on why your application is taking the code path into sun.security.util.HostnameChecker.matchIP, instead of into sun.security.util.HostnameChecker.matchDNS. If you're specifying the DNS name, or even an IP address that resolves to a DNS name, that shouldn't happen. Which JDK are you using?
Comment by Stefan Siegl [ 09/May/16 ]
I think the problem is the way the identity of the server is checked. The article from stackoverflow explains very well how a client should check the identity of a server. Link: He refers to section 3.1 of RFC 2818 (http://tools.ietf.org/html/rfc2818#section-3.1). The implementation requires an entry for the IP address in the subjectAltName field. This is not the case for all certificates on the web. For example, microsoft.com has different entries in the subjectAltName, and google.de also has one DNS entry in the subjectAltName, but no entry for the IP address. According to openssl and some certificate checkers from the web, the certificate I use is valid. Is there a way to modify the way the server's identity is verified without disabling the check?
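The RFC 2818 section 3.1 rule cited above, and the matchIP/matchDNS split that decides which branch the JDK takes, as an added illustration that is not code from this ticket, the JDK or the Java driver: a small Python re-implementation of the identity check run against a constructed SAN list that, like the reporter's certificate, carries only a dNSName entry. It goes slightly beyond the ticket in also handling wildcard dNSName entries and the subject-CN fallback.

```python
import ipaddress

# Constructed sample SAN list modelled on this ticket: one dNSName entry, no iPAddress entry.
SAMPLE_SAN = [("DNS", "mongo.example.com")]


def _is_ip_literal(host):
    """True when the client addressed the server by IP address rather than by name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _dns_matches(pattern, host):
    """Case-insensitive dNSName match; '*' is honoured only as the whole left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_identity(host, san, subject_cn=None):
    """RFC 2818 section 3.1 decision: return which rule accepted `host`, else raise ValueError.

    IP literal  -> only iPAddress SAN entries are consulted (the matchIP path).
    DNS name    -> only dNSName SAN entries are consulted (the matchDNS path); the
                   subject CN is a fallback only when the cert has no dNSName at all.
    """
    if _is_ip_literal(host):
        want = ipaddress.ip_address(host.strip("[]"))
        for kind, value in san:
            if kind == "IP" and ipaddress.ip_address(value) == want:
                return "iPAddress"
        # This is the failure the ticket title describes: a cert with only DNS
        # entries can never satisfy a connection made to a bare IP address.
        raise ValueError("No subject alternative names matching IP address %s found" % host)
    dns_entries = [value for kind, value in san if kind == "DNS"]
    for entry in dns_entries:
        if _dns_matches(entry, host):
            return "dNSName"
    if not dns_entries and subject_cn and _dns_matches(subject_cn, host):
        return "CN"
    raise ValueError("No name matching %s found" % host)
```

The same certificate therefore passes when the connection string names the host as mongo.example.com and fails when it uses the server's IP address; the fix is to connect by the DNS name the certificate carries, or to issue a certificate with an iPAddress entry, rather than to disable the check.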
Comment by Jeffrey Yemin [ 05/May/16 ]
Please try connecting with a simple Java program like this:
This is basically what the Java driver itself is doing, as it defers all SSL handling to the SSLSocketFactory.