[SERVER-31965] Mongo Shell does not handle FQDN from SRV target values correctly Created: 14/Nov/17  Updated: 30/Oct/23  Resolved: 28/Nov/17

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: 3.6.0-rc7, 3.7.1

Type: Bug Priority: Critical - P2
Reporter: Marko Vojvodic Assignee: ADAM Martin (Inactive)
Resolution: Fixed Votes: 0
Labels: bkp
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
related to CDRIVER-3043 valid_hostname() should not rejects s... Closed
related to DRIVERS-2057 Determine how drivers should handle t... Backlog
is related to SERVER-31061 Make Mongo Shell handle `mongodb+srv:... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v3.6
Sprint: Platforms 2017-12-04
Participants:

Description

As part of CLOUDP-25143, I am adding SRV support to Atlas. When creating an SRV record on AWS Route 53, the record looks as follows:

marko$ dig SRV _mongodb._tcp.marko-40x3z.mmscloudteam.com
 
; <<>> DiG 9.8.3-P1 <<>> SRV _mongodb._tcp.marko-40x3z.mmscloudteam.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19290
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;_mongodb._tcp.marko-40x3z.mmscloudteam.com. IN SRV
 
;; ANSWER SECTION:
_mongodb._tcp.marko-40x3z.mmscloudteam.com. 59 IN SRV 0 0 27017 marko-shard-00-00-40x3z.mmscloudteam.com.
_mongodb._tcp.marko-40x3z.mmscloudteam.com. 59 IN SRV 0 0 27017 marko-shard-00-01-40x3z.mmscloudteam.com.
_mongodb._tcp.marko-40x3z.mmscloudteam.com. 59 IN SRV 0 0 27017 marko-shard-00-02-40x3z.mmscloudteam.com.
_mongodb._tcp.marko-40x3z.mmscloudteam.com. 59 IN SRV 0 0 27017 marko-shard-00-03-40x3z.mmscloudteam.com.

When the shell builds the URI connection string from the target values of the SRV record, it appears as if it is not accounting for the trailing dot from the fully qualified domain names in the target DNS records:

marko$ ./mongo "mongodb+srv://marko-40x3z.mmscloudteam.com/test" --username marko --password 
MongoDB shell version v3.6.0-rc3
Enter password: 
connecting to: mongodb+srv://marko-40x3z.mmscloudteam.com/test
2017-11-14T11:55:57.657-0500 I NETWORK  [thread1] Starting new replica set monitor for marko-shard-0/marko-shard-00-00-40x3z.mmscloudteam.com.:27017,marko-shard-00-01-40x3z.mmscloudteam.com.:27017,marko-shard-00-02-40x3z.mmscloudteam.com.:27017,marko-shard-00-03-40x3z.mmscloudteam.com.:27017
2017-11-14T11:55:57.820-0500 E NETWORK  [ReplicaSetMonitor-TaskExecutor-0] The server certificate does not match the host name. Hostname: marko-shard-00-03-40x3z.mmscloudteam.com. does not match SAN(s): *.mmscloudteam.com mmscloudteam.com 

We should remove the trailing dot from fully qualified domain names when parsing the target values for the DNS records.



Comments
Comment by Githook User [ 28/Nov/17 ]

Author:

{'name': 'ADAM David Alan Martin', 'username': 'adamlsd', 'email': 'adam.martin@10gen.com'}

Message: SERVER-31965 Fix lint

(cherry picked from commit e76d1aa49891d48db5db546043f94bdcc9932414)
Branch: v3.6
https://github.com/mongodb/mongo/commit/a7c94eeb904473b4bbb568ca44f52676f805fc4f

Comment by Githook User [ 28/Nov/17 ]

Author:

{'name': 'ADAM David Alan Martin', 'username': 'adamlsd', 'email': 'adam.martin@10gen.com'}

Message: SERVER-31965 Fix lint
Branch: master
https://github.com/mongodb/mongo/commit/e76d1aa49891d48db5db546043f94bdcc9932414

Comment by Githook User [ 28/Nov/17 ]

Author:

{'name': 'ADAM David Alan Martin', 'username': 'adamlsd', 'email': 'adam.martin@10gen.com'}

Message: SERVER-31965 Correctly handle certificates for SRV URIs

The hostname provided by SRV records is a canonicalized FQDN ending
in a '.' character. X.509 certificates use a canonical hostname
with the trailing '.' removed. The comparison between these two
forms needs to strip all trailing '.' characters. This is
considered safe in all cases, as a DNS spoofing attack would still
require forging or obtaining a certificate with a canonicalized name
to make a redirection work.

(cherry picked from commit c2d309d23cf918e1ded8fc241a1c2108dd0e31d3)
Branch: v3.6
https://github.com/mongodb/mongo/commit/0f9abcc467c1d07fa5571c72331a7567a7e974ef

Comment by Githook User [ 28/Nov/17 ]

Author:

{'name': 'ADAM David Alan Martin', 'username': 'adamlsd', 'email': 'adam.martin@10gen.com'}

Message: SERVER-31965 Correctly handle certificates for SRV URIs

The hostname provided by SRV records is a canonicalized FQDN ending
in a '.' character. X.509 certificates use a canonical hostname
with the trailing '.' removed. The comparison between these two
forms needs to strip all trailing '.' characters. This is
considered safe in all cases, as a DNS spoofing attack would still
require forging or obtaining a certificate with a canonicalized name
to make a redirection work.
Branch: master
https://github.com/mongodb/mongo/commit/c2d309d23cf918e1ded8fc241a1c2108dd0e31d3
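The trailing-dot mismatch shown in the description (SRV target `marko-shard-00-03-40x3z.mmscloudteam.com.` against SAN `*.mmscloudteam.com`) and the normalization rule in this commit message ("strip all trailing '.' characters"), as an added example that is not the shell's own ssl_manager.cpp code: a small C++ hostname check that canonicalizes the SRV target before matching it against a certificate's SAN list. The wildcard handling (a `*` matches exactly one leftmost label, per RFC 6125) and the SAN values are assumptions for the example, not something the ticket states.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// SRV targets come back as canonicalized FQDNs ("host.example.com."), while
// X.509 names carry no trailing dot. Strip every trailing '.' as the fix does.
std::string stripTrailingDots(std::string host) {
    while (!host.empty() && host.back() == '.') host.pop_back();
    return host;
}

// Case-insensitive match of a host against one SAN entry. A wildcard is
// honoured only as the entire leftmost label ("*.example.com"), never deeper.
bool sanMatches(const std::string& san, const std::string& host) {
    auto lower = [](std::string s) {
        for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
        return s;
    };
    const std::string s = lower(san), h = lower(host);
    if (s.rfind("*.", 0) != 0) return s == h;              // no wildcard: exact match
    const std::string suffix = s.substr(1);                 // ".example.com"
    if (h.size() <= suffix.size()) return false;            // need a non-empty leftmost label
    if (h.compare(h.size() - suffix.size(), suffix.size(), suffix) != 0) return false;
    const std::string leftmost = h.substr(0, h.size() - suffix.size());
    return leftmost.find('.') == std::string::npos;         // wildcard covers one label only
}

// normalize=false reproduces the pre-fix behaviour; normalize=true applies the fix.
bool certMatchesHost(const std::vector<std::string>& sans, const std::string& host,
                     bool normalize) {
    const std::string h = normalize ? stripTrailingDots(host) : host;
    for (const auto& san : sans)
        if (sanMatches(san, h)) return true;
    return false;
}

int main() {
    // Constructed from the ticket: the cert's SANs and one SRV target from the dig output.
    const std::vector<std::string> sans = {"*.mmscloudteam.com", "mmscloudteam.com"};
    const std::string srvTarget = "marko-shard-00-03-40x3z.mmscloudteam.com.";
    std::cout << "before fix: " << certMatchesHost(sans, srvTarget, false) << '\n';  // 0
    std::cout << "after fix:  " << certMatchesHost(sans, srvTarget, true) << '\n';   // 1
    return 0;
}
```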

Comment by Spencer Jackson [ 21/Nov/17 ]

The relevant code is located here: https://github.com/mongodb/mongo/blob/master/src/mongo/util/net/ssl_manager.cpp#L1318

Generated at Thu Feb 08 04:28:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.