[SERVER-36895] Test for SAN type "IP Address" in OpenSSL/SecureTransport TLS providers Created: 27/Aug/18 Updated: 29/Oct/23 Resolved: 08/Oct/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 4.1.4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Sara Golemon | Assignee: | Shreyas Kalyan |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||||||||||||||||||||||
| Operating System: | ALL | ||||||||||||||||||||||||||||||||||||
| Backport Requested: |
v4.0
|
||||||||||||||||||||||||||||||||||||
| Sprint: | Security 2018-09-10, Security 2018-09-24, Security 2018-10-08, Security 2018-10-22 | ||||||||||||||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||||||||||||||
| Case: | (copied to CRM) | ||||||||||||||||||||||||||||||||||||
| Description |
|
We currently only consider "DNS Name" SANs (Subject Alternate Name) on clients when comparing the intended hostname with the one actually presented. OpenSSL: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_openssl.cpp#L1364 These name comparators should attempt to match IP address as well. Case : If there is an IP address in the SAN field that is flagged with DNS Name instead of IP Address, then allow it and compare as an IP address, but flag the user with a warning upon startup of the console. |
| Comments |
| Comment by Githook User [ 08/Oct/18 ] |
|
Author: {'name': 'Shreyas Kalyan', 'email': 'shreyaskalyan@gmail.com', 'username': 'shreyaskal'}Message: |