[SERVER-14861] SSL hostname matching does not strictly follow RFC 2818 Created: 12/Aug/14  Updated: 11/Jul/16  Resolved: 24/Sep/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.7.7

Type: Bug Priority: Major - P3
Reporter: Bernie Hackett Assignee: Amalia Hawkins
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-14516 Replace old jstests/ ssl certificates Closed
Operating System: ALL
Participants:

Description

This came up in connection to SERVER-14516. If both a subject and subject alternative names exist, the server will match against both. RFC 2818 requires the subject be ignored if subjectAltNames exist.

From section 3.1 in http://tools.ietf.org/html/rfc2818.html:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

The test certs created for SERVER-14516 will have to be regenerated to include 'server' as a subjectAltName.
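Added example (not MongoDB's code): the lenient pre-fix check described above beside the strict RFC 2818 section 3.1 check, run over constructed certificate dicts rather than real parsed certificates. It also carries the single-label wildcard rule from the same RFC section, which the ticket itself does not quote; the dict keys `cn` and `san_dns` are assumptions of this example.

```python
# Added example: RFC 2818 section 3.1 identity check, not MongoDB's code.
# A certificate is modelled as a constructed dict with the subject Common
# Name ("cn") and the list of subjectAltName dNSName entries ("san_dns").

def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.

    RFC 2818 allows '*' as a wildcard for a single DNS label, so
    '*.example.com' matches 'db1.example.com' but not 'a.db1.example.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def lenient_match(cert: dict, hostname: str) -> bool:
    """Pre-fix behaviour from the ticket: accept the hostname if it matches
    EITHER the subject CN OR any SAN dNSName, even when SANs are present."""
    candidates = [cert.get("cn")] + list(cert.get("san_dns", []))
    return any(c and _label_match(c, hostname) for c in candidates)


def rfc2818_match(cert: dict, hostname: str) -> bool:
    """Strict RFC 2818 rule: when any dNSName SAN is present it MUST be the
    identity and the CN is ignored; only a cert without SANs falls back to CN."""
    san_dns = list(cert.get("san_dns", []))
    if san_dns:
        return any(_label_match(name, hostname) for name in san_dns)
    cn = cert.get("cn")
    return bool(cn) and _label_match(cn, hostname)


# Constructed sample: CN says 'server' but the SANs do not list it, which is
# the situation the ticket describes for the SERVER-14516 test certificates.
OLD_TEST_CERT = {"cn": "server", "san_dns": ["localhost"]}
# The regenerated cert must carry 'server' as a dNSName SAN to pass strictly.
REGENERATED_CERT = {"cn": "server", "san_dns": ["localhost", "server"]}
# A cert with no SAN extension at all still matches on CN (deprecated path).
CN_ONLY_CERT = {"cn": "*.example.com", "san_dns": []}

if __name__ == "__main__":
    print("lenient old cert / 'server':", lenient_match(OLD_TEST_CERT, "server"))    # True
    print("strict  old cert / 'server':", rfc2818_match(OLD_TEST_CERT, "server"))    # False
    print("strict  new cert / 'server':", rfc2818_match(REGENERATED_CERT, "server"))  # True
```

The old test cert passes the lenient check only through its CN, which is exactly the match the fix removes; once 'server' is a dNSName SAN the strict check accepts it.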



Comments
Comment by Githook User [ 24/Sep/14 ]

Author:

{u'username': u'hawka', u'name': u'Amalia Hawkins', u'email': u'amalia.hawkins@10gen.com'}

Message: SERVER-14861: Ensure that SSL hostname matching strictly follows RFC 2818
Branch: master
https://github.com/mongodb/mongo/commit/5d580ba3135bc42fa9b3ab9a26243560bf59776e

Generated at Thu Feb 08 03:36:12 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.