[SERVER-23645] The shell does certificate hostname checking when connected to unix domain socket
Created: 11/Apr/16  Updated: 06/Dec/17  Resolved: 30/Aug/17

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.2.4
Fix Version/s: 3.5.13

Type: Bug
Priority: Major - P3
Reporter: Hannes Magnusson
Assignee: ADAM Martin (Inactive)
Resolution: Done
Votes: 0
Labels: neweng, platforms-interns-2017
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2017-07-10, Platforms 2017-07-31, Platforms 2017-08-21, Platforms 2017-09-11
Participants:

 Description   

mongo --ssl --sslCAFile tests/certificates/ca.pem --host /tmp/mongodb-27017.sock
MongoDB shell version: 3.2.4
connecting to: /tmp/mongodb-27017.sock:27017/test
2016-04-11T13:08:44.614-0700 E NETWORK  [thread1] The server certificate does not match the host name /tmp/mongodb-27017.sock
2016-04-11T13:08:44.614-0700 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name /tmp/mongodb-27017.sock :
connect@src/mongo/shell/mongo.js:226:14

mongo --ssl --sslCAFile tests/certificates/ca.pem --host /tmp/mongodb-27017.sock --sslAllowInvalidHostnames
MongoDB shell version: 3.2.4
connecting to: /tmp/mongodb-27017.sock:27017/test
2016-04-11T13:12:22.648-0700 W NETWORK  [thread1] The server certificate does not match the host name /tmp/mongodb-27017.sock
Server has startup warnings: 

Unix Domain Sockets are a different beast, and it doesn't make any sense to do hostname verification.



 Comments   
Comment by Githook User [ 30/Aug/17 ]

Author: ADAM David Alan Martin (adamlsd) <adam.martin@10gen.com>

Message: SERVER-23645 Unix socket certificate name mismatch is now a warning

Because Unix Domain Sockets are indicated by path, we can easily distinguish
when we are likely to create them. Certificate mismatches on name for such
sockets become warnings, instead of connection failures.
Branch: master
https://github.com/mongodb/mongo/commit/9316f09c434c62a2280cf50d08cb41a88e923deb

Comment by Githook User [ 18/Aug/17 ]

Author: ADAM David Alan Martin (adamlsd) <adam.martin@10gen.com>

Message: Revert "SERVER-23645 Unix socket certificate name mismatch is now a warning"

This reverts commit c5b7415b7d1a314dd7f4f1143bc5b354894183c0.
Branch: master
https://github.com/mongodb/mongo/commit/f87acd46f9445939e3c8e0531380a7870eff2b1f

Comment by Githook User [ 18/Aug/17 ]

Author: ADAM David Alan Martin (adamlsd) <adam.martin@10gen.com>

Message: SERVER-23645 Unix socket certificate name mismatch is now a warning

Because Unix Domain Sockets are indicated by path, we can easily distinguish
when we are likely to create them. Certificate mismatches on name for such
sockets become warnings, instead of connection failures.
Branch: master
https://github.com/mongodb/mongo/commit/c5b7415b7d1a314dd7f4f1143bc5b354894183c0
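
The policy the commit messages describe, sketched as an added example that is not MongoDB's code and is not taken from the linked commits: a name mismatch is fatal for a TCP host but only a warning when the target is a socket path. All function and type names are hypothetical, the certificate names are constructed, and detecting a path by the presence of '/' is an assumption.

```cpp
// Added example; not MongoDB source. All names here are hypothetical.
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

enum class Verdict { Accept, Warn, Reject };

// Assumption: a target containing '/' is a filesystem path (Unix domain
// socket); DNS names and IP literals never contain '/'.
bool isUnixSocketPath(const std::string& target) {
    return target.find('/') != std::string::npos;
}

// Case-insensitive match of host against one certificate name.
// "*.example.net" matches exactly one left-most label.
bool nameMatches(std::string pattern, std::string host) {
    for (auto& c : pattern) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    for (auto& c : host) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    if (pattern.rfind("*.", 0) == 0) {
        const auto dot = host.find('.');
        return dot != std::string::npos && dot > 0 && host.substr(dot) == pattern.substr(1);
    }
    return pattern == host;
}

// Outcome of the name check only. CA chain validation is assumed to have
// passed already and is never relaxed here. pathAware=false reproduces the
// 3.2.4 behaviour in the report; pathAware=true is the behaviour after the fix.
Verdict onNameCheck(const std::string& target, const std::vector<std::string>& certNames,
                    bool allowInvalidHostnames, bool pathAware = true) {
    for (const auto& name : certNames)
        if (nameMatches(name, target)) return Verdict::Accept;
    if (allowInvalidHostnames) return Verdict::Warn;
    if (pathAware && isUnixSocketPath(target)) return Verdict::Warn;
    return Verdict::Reject;  // TCP target with a mismatched name still fails
}

int main() {
    const std::vector<std::string> names{"db1.example.net", "*.example.net"};  // constructed
    const char* label[] = {"accept", "warn", "reject"};
    for (const std::string t : {"/tmp/mongodb-27017.sock", "db2.example.net", "db.other.test"})
        std::cout << t << " -> " << label[static_cast<int>(onNameCheck(t, names, false))] << "\n";
}
```

The relaxation applies only to the name comparison, so a socket path presenting a certificate that does not chain to the configured CA is outside what this function decides.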
