[SERVER-13945] Match x.509 cluster certificates per attribute instead of substring comparison

Created: 14/May/14 | Updated: 11/Mar/15 | Resolved: 22/May/14

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.6.1 |
| Fix Version/s: | 2.6.2, 2.7.1 |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Andreas Nilsson |
| Assignee: | Andreas Nilsson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backport Completed: | |
| Participants: | |
| Description |

We currently assume certificate subject distinguished names are of the form:
and use a simple substring comparison to determine whether the organizational part of the DN matches. To make the comparison more resilient we should instead parse the DN and match the relevant attributes O, OU and DC, which together make up the cluster id. Originally we wanted to match C as well, but that might break geo-clusters.
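As an added illustration (not MongoDB's code), the attribute-wise comparison the ticket proposes, side by side with an approximation of the substring check it replaces; the DNs and the parser are constructed for this example, and the parser handles only backslash-escaped commas, not multi-valued RDNs:

```python
import re

# Attributes that together identify the cluster (O, OU, DC as in the ticket);
# CN is deliberately excluded because it differs per member.
CLUSTER_ATTRS = {"O", "OU", "DC"}


def parse_dn(dn):
    """Split an RFC 4514 style DN string into (attribute, value) pairs.
    Handles backslash-escaped commas in values; multi-valued RDNs ('+')
    are outside the scope of this illustration."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        rdn = rdn.strip()
        if not rdn:
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return pairs


def cluster_id(dn):
    """The cluster-identifying attributes as a sorted multiset, so the
    comparison does not depend on the relative order of the RDNs."""
    return sorted((a, v) for a, v in parse_dn(dn) if a in CLUSTER_ATTRS)


def same_cluster_by_attributes(member_dn, peer_dn):
    """Attribute-wise match: O, OU and DC must agree, in any order."""
    return cluster_id(member_dn) == cluster_id(peer_dn)


def same_cluster_by_substring(member_dn, peer_dn):
    """Approximation of the substring check the ticket replaces: everything
    after the first RDN (the CN) is compared as one opaque string."""
    return member_dn.partition(",")[2] == peer_dn.partition(",")[2]


# Constructed sample DNs (not taken from the ticket).
MEMBER_DN = "CN=host1,OU=Cluster,O=MongoDB,DC=example,DC=com"
PEER_REORDERED_DN = "CN=host2,O=MongoDB,OU=Cluster,DC=com,DC=example"
PEER_OTHER_OU_DN = "CN=host3,OU=Other,O=MongoDB,DC=example,DC=com"

if __name__ == "__main__":
    for peer in (PEER_REORDERED_DN, PEER_OTHER_OU_DN):
        print(peer,
              "substring:", same_cluster_by_substring(MEMBER_DN, peer),
              "attributes:", same_cluster_by_attributes(MEMBER_DN, peer))
```

The reordered peer is accepted only by the attribute-wise check, while the peer with a different OU is rejected by both.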
| Comments |

Comment by Githook User [ 23/May/14 ]

Author: {u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}
Message:
Comment by Andreas Nilsson [ 23/May/14 ]

Draft documentation: The member certificate’s subject, which contains the Distinguished Name (DN),
Note that the matching is done independent of the relative order of the RDNs. Examples:
matches
but does not match
And
matches
but does not match
Comment by Githook User [ 22/May/14 ]

Author: {u'username': u'agralius', u'name': u'Andreas Nilsson', u'email': u'andreas.nilsson@10gen.com'}
Message: