[SERVER-20093] allowInvalidHostnames doesn't fail when valid cert but hostname doesn't match Created: 24/Aug/15  Updated: 25/Aug/15  Resolved: 25/Aug/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.5
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Robert Grimball Assignee: Andreas Nilsson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Start server with allowInvalidHostnames false.
Create valid certificate from CA.
Try to connect from a different host with the certificate issued.

Sprint: Security 8 08/28/15
Participants:

Description

With a server configured as below for SSL:

SSL options:
    ssl:
        mode: requireSSL
        PEMKeyFile: /mongodb/certs/mongodb.pem
        CAFile: /mongodb/certs/ca.cer
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false
        allowInvalidHostnames: false

We are starting the mongo client with the following command:

mongo --host mongodb.domain.com --ssl --sslCAFile /home/certs/ca.cer --sslPEMKeyFile ./ssl.pem

However, the SSL certificate is for ABC.domain.com, which is a valid certificate from the CA; we are using that certificate from hostname DEF.domain.com, and the connection is allowed/successful.

I would assume that the option allowInvalidHostnames being false would force a DNS lookup on the hostname in the certificate, that it should match the IP of the inbound connection, and that if it does not, the connection should fail.



Comments
Comment by Andreas Nilsson [ 25/Aug/15 ]

Hi rgrimball,

Certificate hostname validation can only be performed when making an outgoing connection. When you receive an incoming connection the receiving server has no concept of the DNS name of the connecting party.

I'm gonna close this ticket as "Works as Designed". If you have more questions feel free to file a Commercial Support ticket or ask a question in the MongoDB user group: https://groups.google.com/forum/#!forum/mongodb-user

Thanks,
Andreas
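
Added illustration of the point made in the comment above; this is example code written for this page, not MongoDB's own implementation. Hostname verification is a client-side operation (the client knows which name it dialled and compares it with the server certificate), so a server-side TLS context has nothing to compare an incoming client's certificate against. What a server can do after the chain has been verified is look at the identities inside the client certificate and apply its own policy. The names (ABC.domain.com, the CA name) and the IP address are hypothetical, and the certificate dict is constructed by hand in the shape that Python's ssl.SSLSocket.getpeercert() returns.

```python
import ssl

# Constructed sample (hypothetical names): the dict shape that
# ssl.SSLSocket.getpeercert() returns for a client certificate the CA
# issued to ABC.domain.com. Real deployments get this from the socket.
CLIENT_CERT = {
    "subject": ((("commonName", "ABC.domain.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "subjectAltName": (("DNS", "ABC.domain.com"), ("IP Address", "192.0.2.10")),
    "notAfter": "Aug 24 00:00:00 2016 GMT",
}


def make_server_context(cafile=None):
    """Server-side context mirroring the ticket's mongod settings: a client
    certificate chaining to the CA is required, but hostname checking is
    not enabled because check_hostname is a client-side setting that only
    applies when server_hostname is supplied for an outgoing connection."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED   # allowConnectionsWithoutCertificates: false
    ctx.check_hostname = False            # no inbound equivalent of allowInvalidHostnames
    if cafile:
        ctx.load_verify_locations(cafile)  # CAFile
    return ctx


def peer_dns_names(cert):
    """DNS identities the peer certificate asserts: SAN dNSName entries,
    falling back to the subject CN only when no DNS SAN is present."""
    names = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    if not names:
        for rdn in cert.get("subject", ()):
            for k, v in rdn:
                if k == "commonName":
                    names.add(v.lower())
    return names


def peer_ip_sans(cert):
    """iPAddress SAN entries, if the CA put any in the certificate."""
    return {v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"}


def authorize_client(cert, allowed_names, peer_ip=None):
    """Application-level check a server CAN perform after the handshake:
    compare the identities in the (already chain-verified) client cert with
    an allow-list, and, when the cert carries IP SANs and the caller passes
    the connecting socket's address, require that address to be one of them.
    A cert without IP SANs is not rejected on address (policy choice here).
    Returns (accepted, reason)."""
    if not cert:
        return False, "no client certificate presented"
    names = peer_dns_names(cert)
    allowed = {n.lower() for n in allowed_names}
    if not names & allowed:
        return False, f"certificate identities {sorted(names)} not in allow-list"
    ips = peer_ip_sans(cert)
    if peer_ip is not None and ips and peer_ip not in ips:
        return False, f"peer address {peer_ip} not among certificate IP SANs {sorted(ips)}"
    return True, "accepted"


if __name__ == "__main__":
    # The scenario from the ticket: a valid ABC.domain.com cert used from DEF.domain.com.
    # TLS alone accepts it; only an explicit allow-list or IP-SAN policy can refuse it.
    print(authorize_client(CLIENT_CERT, ["ABC.domain.com"]))
    print(authorize_client(CLIENT_CERT, ["DEF.domain.com"]))
    print(authorize_client(CLIENT_CERT, ["ABC.domain.com"], peer_ip="198.51.100.7"))
```

Note that the IP-SAN comparison is only meaningful if the CA actually issues certificates with iPAddress entries; most client certificates carry a DNS name or CN only, in which case the server's only handle on "who is connecting" is the subject the CA bound into the certificate, which is what certificate-based user authentication keys on.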
