[SERVER-36895] Test for SAN type "IP Address" in OpenSSL/SecureTransport TLS providers Created: 27/Aug/18  Updated: 29/Oct/23  Resolved: 08/Oct/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.1.4

Type: Bug Priority: Major - P3
Reporter: Sara Golemon Assignee: Shreyas Kalyan
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Documented
is documented by DOCS-12126 Docs for SERVER-36895: Test for SAN t... Closed
Duplicate
is duplicated by SERVER-24591 Support hostname validation with IP a... Closed
Gantt Dependency
has to be done before SERVER-36669 IP address hostnames are matched agai... Backlog
Related
is related to SERVER-24591 Support hostname validation with IP a... Closed
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v4.0
Sprint: Security 2018-09-10, Security 2018-09-24, Security 2018-10-08, Security 2018-10-22
Participants:
Case:

 Description   

We currently only consider "DNS Name" SANs (Subject Alternate Name) on clients when comparing the intended hostname with the one actually presented.

OpenSSL: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_openssl.cpp#L1364
SecureTransport: https://github.com/mongodb/mongo/blob/2145028db135b539c51713acad6952ef36e646cf/src/mongo/util/net/ssl_manager_apple.cpp#L489

These name comparators should attempt to match IP address as well.

Case : If there is an IP address in the SAN field that is flagged with DNS Name instead of IP Address, then allow it and compare as an IP address, but flag the user with a warning upon startup of the console. 



 Comments   
Comment by Githook User [ 08/Oct/18 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyaskalyan@gmail.com', 'username': 'shreyaskal'}

Message: SERVER-36895 updated SAN recognition for IP addresses on Mac and OpenSSL
Branch: master
https://github.com/mongodb/mongo/commit/22f97156ab99272bb144fdbd43b9c33a4387451a

Generated at Thu Feb 08 04:44:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.