[SERVER-13945] Match x.509 cluster certificates per attribute instead of substring comparison Created: 14/May/14  Updated: 11/Mar/15  Resolved: 22/May/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.1
Fix Version/s: 2.6.2, 2.7.1

Type: Improvement Priority: Major - P3
Reporter: Andreas Nilsson Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DOCS-3463 2.6.2 - update x509 cluster certifica... Closed

 Description   

We currently assume certificate subject distinguished names are of the form:

CN=andreas.my, OU=Developers, O=MongoDB, C=US

and use a simple substring comparison to determine whether the organizational part of the DN matches. To make the comparison more resilient we should instead parse the DN and match the relevant attributes O, OU, DC that together make up the cluster id.

Originally we wanted to match C but that might possibly break geo-clusters.



 Comments   
Comment by Githook User [ 23/May/14 ]

Author:

Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-13945 Match x.509 cluster certs per attribute
(cherry picked from commit 81967a2dce1898d1f03938f0b5c27b8a37873877)
Branch: v2.6
https://github.com/mongodb/mongo/commit/81b9d6df4f2476f46a5896bafc1639c5899e3130

Comment by Andreas Nilsson [ 23/May/14 ]

draft documentation:

The member certificate’s subject, which contains the Distinguished Name (DN),
must match the subject of the certificate on the other servers in the cluster.
Two certificates are deemed to be part of the same cluster iff:

  • The set of O, OU and DC attributes present in the first certificate exactly
    matches the set present in the second certificate.
    O (organization), OU (organizationalUnit), DC (DNS component)
  • and the set of O, OU and DC attributes is not empty.

Note that the matching is done independent of the relative order of the RDN
attributes in the distinguished name.

Examples:

CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US 

matches

CN=host2,OU=Dept1,O=MongoDB,ST=ST,C=SE
CN=host2,OU=Dept1,O=MongoDB
C=US, ST=NY, O=MongoDB, OU=Dept1, CN=host1

but does not match

CN=host1,OU=Dept1,OU=Sales,O=MongoDB
CN=host1,OU=Dept2,O=MongoDB

And

CN=host1,DC=example,DC=com

matches

DC=example,DC=com,CN=host2

but does not match

CN=host2,DC=subdomain,DC=example,DC=com
CN=host2,DC=otherexample,DC=com

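The matching rule in the draft documentation above, and the per-attribute comparison the ticket description asks for, as an added worked example. This is not MongoDB's code (the server is C++); it is a stand-alone Python illustration. It assumes a small parser for RFC 4514 string DNs (backslash escapes and '+'-joined multi-valued RDNs only, no hex escapes) and the names parse_dn, cluster_id and same_cluster. The same_cluster_substring function is an assumed stand-in for the kind of raw substring comparison being replaced; the old code is not shown on this page, so its exact shape is a guess used only to show why it is brittle.

```python
"""Attribute-wise cluster membership check for X.509 subject DNs.

Added example, not MongoDB's implementation. Two subjects are in the same
cluster iff the multiset of their O, OU and DC attribute values is identical
and non-empty, independent of RDN order and of any other attribute (C, ST, CN).
"""
from collections import Counter

# Attributes that together form the cluster id (per the draft documentation).
CLUSTER_ATTRS = ("O", "OU", "DC")


def parse_dn(dn):
    """Parse an RFC 4514 string DN into an ordered list of (TYPE, value) pairs.

    Handles backslash escapes (so 'O=Acme\\, Inc.' stays one value) and
    '+'-separated multi-valued RDNs. Attribute types are upper-cased; values
    are kept as written (the draft docs compare them literally). Hex escapes
    and quoted values are not supported in this example.
    """
    pairs = []
    buf = []
    i, n = 0, len(dn)
    while i <= n:
        if i == n or dn[i] in ",+":          # end of one attribute=value
            component = "".join(buf).strip()
            if component:
                if "=" not in component:
                    raise ValueError("RDN component without '=': %r" % component)
                attr, value = component.split("=", 1)
                pairs.append((attr.strip().upper(), value.strip()))
            buf = []
            i += 1
            continue
        if dn[i] == "\\" and i + 1 < n:      # escaped separator or special char
            buf.append(dn[i + 1])
            i += 2
            continue
        buf.append(dn[i])
        i += 1
    return pairs


def cluster_id(dn):
    """Multiset of the O/OU/DC (type, value) pairs, order-independent.

    A Counter (not a set) is used so that 'OU=Dept1,OU=Sales' differs from
    'OU=Dept1' and 'DC=subdomain,DC=example,DC=com' from 'DC=example,DC=com'.
    """
    return Counter((a, v) for a, v in parse_dn(dn) if a in CLUSTER_ATTRS)


def same_cluster(dn_a, dn_b):
    """The per-attribute rule: equal, non-empty cluster ids."""
    id_a, id_b = cluster_id(dn_a), cluster_id(dn_b)
    return bool(id_a) and id_a == id_b


def same_cluster_substring(dn_a, dn_b):
    """Assumed stand-in for the old substring-style check (not the real code):
    compare everything after the CN as raw text. It breaks on reordered RDNs
    or different whitespace and, unlike the new rule, also compares C.
    """
    return dn_a.partition(",")[2] == dn_b.partition(",")[2]


def run_examples():
    """Evaluate the draft documentation's examples; returns a name -> bool map."""
    ref = "CN=host1,OU=Dept1,O=MongoDB,ST=NY,C=US"
    return {
        "match_other_country": same_cluster(ref, "CN=host2,OU=Dept1,O=MongoDB,ST=ST,C=SE"),
        "match_fewer_attrs": same_cluster(ref, "CN=host2,OU=Dept1,O=MongoDB"),
        "match_reordered": same_cluster(ref, "C=US, ST=NY, O=MongoDB, OU=Dept1, CN=host1"),
        "reject_extra_ou": same_cluster(ref, "CN=host1,OU=Dept1,OU=Sales,O=MongoDB"),
        "reject_other_ou": same_cluster(ref, "CN=host1,OU=Dept2,O=MongoDB"),
        "dc_match_reordered": same_cluster("CN=host1,DC=example,DC=com", "DC=example,DC=com,CN=host2"),
        "dc_reject_subdomain": same_cluster("CN=host1,DC=example,DC=com", "CN=host2,DC=subdomain,DC=example,DC=com"),
        "dc_reject_other": same_cluster("CN=host1,DC=example,DC=com", "CN=host2,DC=otherexample,DC=com"),
        # Edge case: no O/OU/DC at all must never match, not even itself.
        "reject_empty_cluster_id": same_cluster("CN=host1", "CN=host1"),
        # Where the substring stand-in goes wrong on the reordered DN.
        "substring_reordered": same_cluster_substring(ref, "C=US, ST=NY, O=MongoDB, OU=Dept1, CN=host1"),
    }


if __name__ == "__main__":
    for name, ok in run_examples().items():
        print("%-26s %s" % (name, ok))
```

The Counter comparison is what makes the OU=Dept1,OU=Sales and DC=subdomain cases reject: a plain set would collapse repeated attribute types and let a certificate from a sub-domain or an extra department pass as a cluster member. Value comparison is literal here; whether to fold case for DC (DNS labels are case-insensitive) is a policy decision the draft documentation does not address.
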
Comment by Githook User [ 22/May/14 ]

Author:

Andreas Nilsson (agralius) <andreas.nilsson@10gen.com>

Message: SERVER-13945 Match x.509 cluster certs per attribute
Branch: master
https://github.com/mongodb/mongo/commit/81967a2dce1898d1f03938f0b5c27b8a37873877

Generated at Thu Feb 08 03:33:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.