[SERVER-20093] allowInvalidHostnames doesn't fail when valid cert but hostname doesn't match Created: 24/Aug/15 Updated: 25/Aug/15 Resolved: 25/Aug/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 3.0.5 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Robert Grimball | Assignee: | Andreas Nilsson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Start server with allowInvalidHostnames false. |
| Sprint: | Security 8 08/28/15 |
| Participants: |
| Description |
|
With a server configured as below for SSL:
We are starting the mongo client with the following command:
However, the SSL certificate is for ABC.domain.com, which is a valid certificate from the CA; we are using that certificate from hostname DEF.domain.com, and the connection is allowed/successful. I would assume that the option allowInvalidHostnames being false would force a DNS lookup on the hostname in the certificate, and it should match the IP of the inbound connection, and if not, fail the connection. |
| Comments |
| Comment by Andreas Nilsson [ 25/Aug/15 ] |
|
Hi rgrimball,

Certificate hostname validation can only be performed when making an outgoing connection. When you receive an incoming connection the receiving server has no concept of the DNS name of the connecting party.

I'm gonna close this ticket as "Works as Designed". If you have more questions feel free to file a Commercial Support ticket or ask a question in the MongoDB user group: https://groups.google.com/forum/#!forum/mongodb-user

Thanks, |
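The asymmetry described in the comment above, as an added example (not MongoDB's code and not part of the ticket): the side that dials has a reference name to compare against the certificate, while the accepting side only has a socket address. The function names and the peer address are constructed for illustration, CA chain validation is assumed to have already succeeded, and the wildcard handling goes beyond the ticket's exact-name case.

```python
from typing import List, Optional

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label match; '*' is accepted only as the entire
    left-most label of a pattern with at least three labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def hostname_check(reference_name: Optional[str], cert_dns_names: List[str]) -> str:
    """reference_name is the name the local side dialed. An accepting side
    has none (it only sees a socket address), so the check cannot run."""
    if reference_name is None:
        return "not-applicable"
    ok = any(dns_name_matches(n, reference_name) for n in cert_dns_names)
    return "match" if ok else "mismatch"

# Constructed sample data modelled on the ticket's host names.
CERT_DNS_NAMES = ["ABC.domain.com"]     # names in the CA-issued certificate
INBOUND_PEER = ("192.0.2.10", 51544)    # all an accepting server learns about the caller

def demo() -> dict:
    return {
        # Initiator dialed ABC.domain.com; the peer presents the ABC certificate.
        "outgoing to ABC": hostname_check("ABC.domain.com", CERT_DNS_NAMES),
        # Initiator dialed DEF.domain.com; the peer presents the ABC certificate.
        "outgoing to DEF": hostname_check("DEF.domain.com", CERT_DNS_NAMES),
        # Acceptor: the certificate arrives from INBOUND_PEER, no dialed name exists.
        "incoming": hostname_check(None, CERT_DNS_NAMES),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```
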