[SERVER-36669] IP address hostnames are matched against DNS subjectAltNames Created: 14/Aug/18 Updated: 06/Dec/22

| Status: | Backlog |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | 4.0.1 |
| Fix Version/s: | None |
| Type: | Improvement |
| Priority: | Major - P3 |
| Reporter: | Shane Harvey |
| Assignee: | Backlog - Security Team |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | former-quick-wins |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Participants: | |
| Case: | (copied to CRM) |

| Description |
In
However the mongo shell can still connect:
PyMongo fails hostname matching to such a server because the hostname, 127.0.0.1, is an IP address and therefore is only compared to iPAddress subjectAltName. As far as I can tell PyMongo (and CPython) are following the relevant RFCs with respect to IP address matching. From RFC 2818:
From RFC 6125:
So I think the mongo shell is performing non-standard subject alt name comparisons between IP addresses and DNS subjectAltNames.
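As an added illustration, not code from the ticket, PyMongo, CPython or the mongo shell, the following Python implements the matching rules the description refers to: an IP-literal hostname is compared only against iPAddress SAN entries (RFC 2818), a DNS hostname against dNSName entries with a single left-most wildcard label (RFC 6125 section 6.4.3), and the subject CN is consulted only when the certificate carries no dNSName at all (RFC 6125 section 6.4.4). The certificate dictionaries are constructed sample data in the shape `ssl.SSLSocket.getpeercert()` returns; the `"IP Address"` and `"DNS"` type labels follow that API, and the names used are made up.

```python
import ipaddress

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert()
# returns (subject as nested RDN tuples, SANs as (type, value) pairs).
# Made-up values for this example, not the certificates from the ticket.
CERT_DNS_ONLY = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("DNS", "127.0.0.1"), ("DNS", "*.example.internal")),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "db.example.internal"),),),
    "subjectAltName": (("DNS", "db.example.internal"), ("IP Address", "127.0.0.1")),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "legacy.example.internal"),),),
    "subjectAltName": (),
}


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """dNSName comparison per RFC 6125 section 6.4.3: case-insensitive, and
    a '*' is honoured only as the entire left-most label of a name with at
    least two further labels, matching exactly one non-empty label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject partial wildcards ("f*o.example"), a bare "*" and "*.com".
    if p_labels[0] != "*" or any("*" in l for l in p_labels[1:]) or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a valid identity for `cert` under the
    RFC 2818 / RFC 6125 rules; the caller decides what to do on False."""
    sans = cert.get("subjectAltName", ())
    try:
        host_ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        host_ip = None

    if host_ip is not None:
        # RFC 2818: an IP literal must match an iPAddress SAN exactly. A dNSName
        # or CN that merely spells out "127.0.0.1" is not an identity for it.
        for kind, value in sans:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == host_ip:
                        return True
                except ValueError:
                    continue  # malformed SAN value: skip it, never match on it
        return False

    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        return any(dnsname_matches(p, hostname) for p in dns_names)

    # RFC 6125 section 6.4.4: the subject CN is only a fallback when the
    # certificate carries no dNSName at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dnsname_matches(value, hostname)
    return False


if __name__ == "__main__":
    for cert_name, cert in (("dns-only", CERT_DNS_ONLY),
                            ("ip-san", CERT_WITH_IP_SAN),
                            ("cn-only", CERT_CN_ONLY)):
        for host in ("127.0.0.1", "db.example.internal", "legacy.example.internal"):
            print(f"{cert_name:8} {host:24} -> {match_hostname(cert, host)}")
```

Run against the constructed certificates, `127.0.0.1` is accepted only by the certificate that carries an iPAddress SAN; the dNSName `127.0.0.1` and the CN `127.0.0.1` are both ignored for an IP literal, which is the behaviour the description attributes to PyMongo and CPython.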
| Comments |

Comment by Spencer Jackson [ 04/Oct/18 ]

I think this ticket has to be done after we've added support for the IP address SAN type. We probably need at least a release with that functionality before we can start restricting this.
Comment by David Cossey [ 15/Aug/18 ]

I went back and checked the original Security Certificate. It appears the Common Name for the original Certificate was set to '127.0.0.1'. They did not have our server name set as the Common Name in the original Certificate. Therefore, Mongo Shell and Robo 3T were connecting with the wildcard altName inside the Domain and outside the Domain; somehow Mongo Shell and Robo 3T were matching '127.0.0.1' from the Common Name in the Certificate or from altName DNS. See below. Original Certificate:
New Certificate:
Not sure how Mongo Shell and Robo 3T were able to match '127.0.0.1' from the Common Name or altName DNS of the original certificate, but that appears to be what happened. Having the Security Certificate set up properly seems to throw Mongo Shell and Robo 3T for a loop though. Attempt to connect with new properly set x509 SSL Certificate: