[SERVER-17120] Improperly signed certificates may pass hostname validation
Created: 29/Jan/15  Updated: 13/Aug/16  Resolved: 21/Jul/16

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: 3.0.0-rc7
Fix Version/s: 3.3.11

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Kinh Hoang
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Backwards Compatibility: Minor Change
Operating System: ALL
Sprint: Security 7 08/10/15, Security 8 08/28/15, Security 9 (09/18/15), Security (08/08/16)
Participants:

Description

If a CA improperly signs a certificate which does not obey the properties required for member authentication, hostname validation may not function correctly.

Comments
Comment by Githook User [ 21/Jul/16 ]

Author: Hai-Kinh Hoang <haikinh.hoang@mongodb.com>

Message: SERVER-14769 SERVER-17120 Improve the "The server certificate does not match the host name " error
Branch: master
https://github.com/mongodb/mongo/commit/28d04fda95321c84c402338c0849155140dc6cff

Comment by Spencer Jackson [ 24/Sep/15 ]

It looks like I introduced a bug with this commit. I've reverted in v3.0 and master. CNs which were not at the end of the string were not handled correctly. The names we extracted would contain 3 characters after the end of the CN.

Comment by Githook User [ 24/Sep/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: Revert "SERVER-17120 Check existance of CN in X509 subject"

This reverts commit ed7d08187adc2f84574e16b0c9149d886b6e14a6.
Branch: v3.0
https://github.com/mongodb/mongo/commit/c3f3c4aa553b30d4a67a85ec14c150a12d8fa424

Comment by Githook User [ 24/Sep/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: Revert "SERVER-17120 Check existance of CN in X509 subject"

This reverts commit fadaf9680288070439ed9a9ed4ed847a33209493.
Branch: master
https://github.com/mongodb/mongo/commit/fcfd882234fc3ff39e18e7bd346a053c5a48b0de

Comment by Githook User [ 23/Sep/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-17120 Check existance of CN in X509 subject

(cherry picked from commit fadaf9680288070439ed9a9ed4ed847a33209493)
Branch: v3.0
https://github.com/mongodb/mongo/commit/ed7d08187adc2f84574e16b0c9149d886b6e14a6

Comment by Githook User [ 01/Sep/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-17120 Check existance of CN in X509 subject
Branch: master
https://github.com/mongodb/mongo/commit/fadaf9680288070439ed9a9ed4ed847a33209493
