[SERVER-34278] After Mongo Upgrade: The server certificate does not match the host name on valid wildcard cert Created: 03/Apr/18  Updated: 27/Oct/23  Resolved: 19/Apr/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: Konstantin Ivanov Assignee: Backlog - Triage Team
Resolution: Works as Designed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Triage
Participants:

Description

I have a valid wildcard cert (e.g. *.domain.com), signed by a CA. Once I upgraded Mongo from 2.6.12 to 3.0.15, trying to connect with the mongo client I get:

$ mongo --ssl --host hostname.other.other.domain.com --sslCAFile /etc/ssl/certs/mongodb-ca-certificates.crt --sslPEMKeyFile /etc/ssl/certs/mongodb.pem
MongoDB shell version: 3.0.15
connecting to: hostname.other.other.domain.com:27017/test
2018-04-03T15:23:59.622+0000 E NETWORK  The server certificate does not match the host name hostname.other.other.domain.com
2018-04-03T15:23:59.623+0000 E QUERY    Error: socket exception [CONNECT_ERROR] for
    at connect (src/mongo/shell/mongo.js:181:14)
    at (connect):1:6 at src/mongo/shell/mongo.js:181
exception: connect failed

The only thing that changed is the Mongo version. Any suggestions as to why this is not working?
The cert and the CA match and validate fine with openssl (the domain name above is just an example).

Comments
Comment by Ramon Fernandez Marina [ 19/Apr/18 ]

Further information from a colleague:

I believe there was a change in behavior from SERVER-14861. In 2.6, a client would compare the hostname it connected to against the CN and any subject alternative names it found on the certificate. In 3.0, it would compare against only the subject alternative names if any were present. This was to improve our compliance with RFC 2818.

Comment by Konstantin Ivanov [ 09/Apr/18 ]

Yes, indeed that was the issue. Thanks for confirming.

Comment by Kenneth White [ 09/Apr/18 ]

Agree. Might be worth verifying exactly what the Subject Name (common domain name) and SANs show when connecting (host or IP will work here for the mongod name). Here's a variant of an easy one-liner (works on Linux, not sure about Mac):

echo|openssl s_client -connect example.mongodb.net:27017 2>&1 | openssl x509 -noout -text | grep -A1 -i 'Subject:\|Alternative Name'

Comment by Konstantin Ivanov [ 03/Apr/18 ]

Is this because the hostname validation is now strictly enforced when specifying the CA file and the wildcard cert cannot validate nor cover the hostname that has multiple levels?
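
The two rules this thread turns on, the SAN-only comparison described in Ramon's comment and the single-label wildcard raised in the question above, can be checked offline with the small matcher below. This is an added example, not MongoDB's code: `name_matches` follows the RFC 2818 / RFC 6125 wildcard rule (one left-most label only), `hostname_matches_cert` takes a `san_only` switch to contrast the 2.6 and 3.0 behaviours described in the thread, and `parse_openssl_text` pulls the Subject CN and DNS SANs out of the same `openssl x509 -noout -text` output Kenneth's one-liner greps. The certificate text and hostnames are constructed to mirror the ticket's `*.domain.com` example; the exact matcher mongod/mongo use internally is not shown on this page, so the rules here are an assumption based on the RFCs cited.

```python
import re
from typing import List, Optional, Tuple

# Constructed output in the shape of `openssl x509 -noout -text` (not from a real certificate).
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=Example CA, CN=Example Issuing CA
        Subject: C=US, O=Example, CN=*.domain.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.domain.com, DNS:domain.com
"""

# Hostname from the ticket (an example name, as the reporter notes).
TICKET_HOST = "hostname.other.other.domain.com"


def parse_openssl_text(text: str) -> Tuple[Optional[str], List[str]]:
    """Pull the Subject CN and the dNSName SANs out of `openssl x509 -noout -text` output."""
    cn: Optional[str] = None
    sans: List[str] = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            m = re.search(r"CN\s*=\s*([^,/]+)", stripped)
            if m:
                cn = m.group(1).strip()
        elif stripped.startswith("X509v3 Subject Alternative Name") and i + 1 < len(lines):
            # openssl prints the SAN entries on the line following the extension name.
            sans.extend(re.findall(r"DNS:([^,\s]+)", lines[i + 1]))
    return cn, sans


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.something') against a hostname.

    A wildcard covers exactly one left-most label (RFC 6125 section 6.4.3), so
    '*.domain.com' matches 'db.domain.com' but not 'a.b.domain.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Only a whole left-most label may be a wildcard, and it must not cover a bare TLD.
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def hostname_matches_cert(hostname: str, cn: Optional[str], dns_sans: List[str],
                          san_only: bool = True) -> bool:
    """Decide whether a certificate identifies `hostname`.

    san_only=True models the 3.0 behaviour described in the ticket: once any DNS
    SAN is present the CN is ignored.  san_only=False models the 2.6 behaviour,
    where a CN match is also accepted.  With no SANs at all the CN is used either way.
    """
    if any(name_matches(san, hostname) for san in dns_sans):
        return True
    if dns_sans and san_only:
        return False
    return cn is not None and name_matches(cn, hostname)


def demo() -> dict:
    """Run the ticket's scenario plus the CN-vs-SAN contrast; returns a dict of outcomes."""
    cn, sans = parse_openssl_text(SAMPLE_OPENSSL_TEXT)
    return {
        # A multi-level host under a single-label wildcard fails regardless of CN/SAN policy.
        "multi_level_vs_wildcard": hostname_matches_cert(TICKET_HOST, cn, sans),
        "single_level_vs_wildcard": hostname_matches_cert("db.domain.com", cn, sans),
        # CN names the host but the SANs do not: accepted under 2.6 rules, rejected under 3.0 rules.
        "cn_only_match_30": hostname_matches_cert("db.domain.com", "db.domain.com", ["other.example.net"]),
        "cn_only_match_26": hostname_matches_cert("db.domain.com", "db.domain.com", ["other.example.net"],
                                                  san_only=False),
        # No SANs present: the CN is still consulted under both policies.
        "cn_no_sans": hostname_matches_cert("db.domain.com", "db.domain.com", []),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'match' if ok else 'NO MATCH'}")
```

To check a live server instead of the constructed text, feed the output of Kenneth's one-liner (minus the final `grep`) into `parse_openssl_text` and pass the hostname you connect with to `hostname_matches_cert`; a `False` for the 3.0 policy with a `True` for the 2.6 policy means the certificate's SANs, not its CN, need to name the host.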

Generated at Thu Feb 08 04:36:07 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.