[SERVER-24533] SSL mode does not seem to work with IPs instead of hostnames
Created: 13/Jun/16  Updated: 14/Jul/16  Resolved: 13/Jun/16

Status: Closed
Project: Core Server
Component/s: Admin, Security
Affects Version/s: 3.2.7
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Michal Kralik
Assignee: Unassigned
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Participants:

 Description   

We're running v3.2.7 in a three-member replica configuration.
The config uses IPs instead of hostnames, e.g.:

rs.conf()
{
        "_id" : "eusbg1",
        "version" : 4,
        "protocolVersion" : NumberLong(1),
        "members" : [
                {
                        "_id" : 0,
                        "host" : "167.114.255.189:27017",
                        "arbiterOnly" : false,
                        "buildIndexes" : true,
                        "hidden" : false,
                        "priority" : 1,
                        "tags" : {
 
                        },
                        "slaveDelay" : NumberLong(0),
                        "votes" : 1
                },
...

The config on one of the nodes is as follows:

...
net:
   port: 27017
   ssl:
      mode: allowSSL
      PEMKeyFile: /etc/mongod/member.pem
      CAFile: /etc/mongod/ca.pem
...

When trying to connect to this member via

mongo --ssl --sslCAFile ca.pem --host 4.4.4.4 admin -u user -p

We get the following error:

The server certificate does not match the host name 4.4.4.4

The certificate is configured as follows:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:11:10:7d:d8:0c:82:ba:a2:01:f5:d8:a9:26:3a:29:9e:88:10:04
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SK, ST=SK, L=Bratislava, CN=*
        Validity
            Not Before: Jun 13 15:22:00 2016 GMT
            Not After : May 20 15:22:00 2116 GMT
        Subject: C=SK, ST=SK, L=Bratislava, CN=*
...

It appears that the mongo client should connect without any issues since the CN=*, but the mongo client throws an error about an invalid hostname.



 Comments   
Comment by Michal Kralik [ 15/Jun/16 ]

No problem. Thanks for the info.

Comment by Andreas Nilsson [ 15/Jun/16 ]

Hi,

Apologies, it looks like you are right: SAN IP addresses are not supported in our current TLS stack. I have filed SERVER-24591. In the meantime you could try to put the IP address as a DNS name in the SAN; it's a possible workaround.

Thanks,
Andreas

Comment by Michal Kralik [ 14/Jun/16 ]

The problem appears to be in SAN.
This certificate works fine (CN=*.my.dev, no SAN):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            61:19:da:c5:20:c5:d2:b1:3b:36:55:8d:2e:f2:0d:6a:b4:68:89:3a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
        Validity
            Not Before: Jun 14 11:16:00 2016 GMT
            Not After : Jun 14 11:16:00 2017 GMT
        Subject: C=US, ST=CA, L=San Francisco, CN=*.my.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                04:90:37:27:DF:6D:1A:CF:C3:F9:B6:79:2C:4C:F6:67:B6:A0:FF:55
            X509v3 Authority Key Identifier:
                keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
 
    Signature Algorithm: sha256WithRSAEncryption

While this (CN=*.my.dev, SAN=127.0.0.1) does not work and throws invalid hostname error:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:20:f2:35:39:d1:2d:ab:2b:1f:6b:b6:6c:d6:d7:9e:dc:07:fe:45
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
        Validity
            Not Before: Jun 14 11:16:00 2016 GMT
            Not After : Jun 14 11:16:00 2017 GMT
        Subject: C=US, ST=CA, L=San Francisco, CN=*.my.dev
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                A7:E1:A6:A5:43:87:F4:43:B2:44:36:F0:B7:EA:3B:54:95:A4:43:14
            X509v3 Authority Key Identifier:
                keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
 
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

Comment by Michal Kralik [ 14/Jun/16 ]

There seems to be an issue with the IPs being used instead of hostnames. I have tried the following two certificates:

root@fec8b0301c6f:/go/tmp# openssl x509 -in member2.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            67:e1:e4:ae:04:4e:0c:ea:de:da:e1:11:87:1e:c5:ea:8b:3f:b8:99
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
        Validity
            Not Before: Jun 14 09:23:00 2016 GMT
            Not After : Jun 14 09:23:00 2017 GMT
        Subject: C=US, ST=CA, L=San Francisco, CN=127.0.0.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                04:77:D7:DA:B9:17:8C:68:B7:CE:4E:83:C9:EF:B7:99:F3:BD:C7:BE
            X509v3 Authority Key Identifier:
                keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
 
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption
root@fec8b0301c6f:/go/tmp# openssl x509 -in member.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            5a:24:7f:b6:9a:e5:32:cb:00:e8:d2:03:56:a9:a1:b8:a0:00:26:34
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Francisco, CN=example.net
        Validity
            Not Before: Jun 14 09:16:00 2016 GMT
            Not After : Jun 14 09:16:00 2017 GMT
        Subject: C=US, ST=CA, L=San Francisco, CN=example.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                73:E1:D1:69:1D:90:E2:53:1A:C2:26:7B:95:2F:6B:E6:2E:1A:4A:DF
            X509v3 Authority Key Identifier:
                keyid:02:2B:A7:22:09:BE:F0:4F:8F:6E:26:39:A8:2A:39:2E:A5:E2:01:EF
 
            X509v3 Subject Alternative Name:
                IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

Used this command to start MongoDB:

mongod --sslAllowConnectionsWithoutCertificates --sslAllowInvalidHostnames --sslMode allowSSL --sslPEMKeyFile D:\apps\member.pem --sslCAFile D:\apps\ca.pem

And this to connect:

mongo --ssl --sslCAFile D:\apps\ca.pem 127.0.0.1

But I still get an error about an invalid hostname:

E NETWORK  [thread1] The server certificate does not match the host name 127.0.0.1

Using --sslAllowInvalidHostnames with the mongo client helps, but it still shows a warning that the hostname does not match.

W NETWORK  [thread1] The server certificate does not match the host name 127.0.0.1

Comment by Andreas Nilsson [ 13/Jun/16 ]

Ok, you can also try to set another CN that is technically valid according to the spec together with the IP address.

Good luck!

Comment by Michal Kralik [ 13/Jun/16 ]

Thank you andreas.nilsson for your reply.
The IP address has been in the SAN field of the certificate and it threw the error either way. We'll try the --sslAllowInvalidHostnames though.

Comment by Ramon Fernandez Marina [ 13/Jun/16 ]

ceecko@gmail.com, as per Andreas' explanation it seems there's no bug in the server, so I'm going to close this ticket since the SERVER project is for reporting bugs or feature suggestions for MongoDB.

For MongoDB-related support discussion please post on the mongodb-user group or Stack Overflow with the mongodb tag, where your question will reach a larger audience. A question like this involving more discussion would be best posted on the mongodb-user group. See also our Technical Support page for additional support resources.

Thanks,
Ramón.

Comment by Andreas Nilsson [ 13/Jun/16 ]

Hi,

Using a wildcard CN=* is not supported in SSL/TLS certificates per the standard; you will need to use *.mydomain.tld. If your organization doesn't care about hostname matching you can also start the server with the flag --sslAllowInvalidHostnames, which is semantically equivalent to using CN=*.

If you want to use IP addresses for hostname matching I would recommend adding them to the SAN field of the certificate.

Kind regards,
Andreas Nilsson
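
A simplified model of the name check discussed in this thread, added here as an example (it is not MongoDB's code and not part of the original ticket). It compares a verifier that ignores IP Address SAN entries, as the comments report, with one that follows RFC 2818 for IP references. The dict shape, the san_ip_supported switch, the certificate summaries and the "workaround" entry are assumptions made for illustration.

```python
import ipaddress

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' is valid only as the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if "*" not in pattern:
        return p == h
    # A bare "*" and wildcards outside the first label are rejected.
    if p[0] != "*" or len(p) < 2 or "*" in "".join(p[1:]):
        return False
    return len(h) == len(p) and h[1:] == p[1:]

def matches(cert, host, san_ip_supported=True):
    """cert is a constructed summary: {"cn": str, "san_dns": [...], "san_ip": [...]}.

    san_ip_supported=False models a verifier that skips iPAddress SAN entries
    and compares the host string to dNSName entries only (an assumption drawn
    from the comments in this ticket, not taken from MongoDB source).
    """
    dns, ips = cert.get("san_dns", []), cert.get("san_ip", [])
    if san_ip_supported:
        if _is_ip(host):
            # RFC 2818: an IP reference must equal an iPAddress SAN entry.
            want = ipaddress.ip_address(host)
            return any(ipaddress.ip_address(i) == want for i in ips)
        names = dns or [cert["cn"]]  # CN is used only when no dNSName SAN exists
    else:
        # Any SAN extension hides the CN, but only dNSName entries are compared.
        names = dns if (dns or ips) else [cert["cn"]]
    return any(_dns_match(n, host) for n in names)

# Constructed summaries modelled on the certificates quoted in the ticket,
# plus the "IP as a DNS name" workaround suggested in the comments.
CERTS = {
    "cn_star":        {"cn": "*"},
    "cn_wild_no_san": {"cn": "*.my.dev"},
    "cn_wild_san_ip": {"cn": "*.my.dev", "san_ip": ["127.0.0.1"]},
    "cn_ip_san_ip":   {"cn": "127.0.0.1", "san_ip": ["127.0.0.1"]},
    "workaround":     {"cn": "example.net", "san_dns": ["127.0.0.1"]},
}

def evaluate(host, san_ip_supported):
    return {k: matches(c, host, san_ip_supported) for k, c in CERTS.items()}

if __name__ == "__main__":
    for mode in (False, True):
        print("SAN IP supported:", mode, evaluate("127.0.0.1", mode))
```

In this model the workaround certificate (the IP written as a DNS name) is accepted only by the DNS-only verifier, while a verifier that applies RFC 2818 to IP references rejects it. A certificate that carries both a DNS entry and an IP Address entry for the address passes in both modes.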
