[SERVER-37370] Improve CN/SAN mismatch error message Created: 28/Sep/18  Updated: 29/Oct/23  Resolved: 17/Apr/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.1.11

Type: Improvement
Priority: Minor - P4
Reporter: Sara Golemon
Assignee: Sara Golemon
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: Security 2019-04-22
Participants:

 Description   

While DWSing SERVER-37296, the external user discovered the error was in his configuration, but that our documentation was kinda buried in a seemingly unrelated section, and our error message wasn't descriptive enough to explain what was going on.

Specifically, he was using a cert with a correctly matching commonName, but with additional subjectAlternateName entries which did not match the target host.

The error message helpfully says that it attempted to match against the SANs, but doesn't mention that the CN was/wasn't tried, or if it would have matched had it been tried.

2018-09-17T17:36:50.040+0800 E STORAGE [initandlisten] Unable to retrieve key .system, error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: [example.com] does not match SAN(s): example.net, example.org

I'd suggest that, if this error message is being output, we also do a test on commonName, and if it would have matched, we include a comment to the effect of: "CN would have matched, however it has been overridden by the SAN field". If the CN doesn't match either, then we (possibly) append it to the error message just to help end-users identify the certificate being used.
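The diagnostic proposed in the description, as an added C++ sketch (not MongoDB's code and not the change in the linked commit). The names `nameMatches` and `checkHostname`, the simplified single-label wildcard rule, and the wording used when the CN does not match either are assumptions; the certificate fields are passed in as plain strings rather than parsed from X.509.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Case-insensitive DNS name match; "*.example.com" matches exactly one left-most label.
static bool nameMatches(std::string pattern, std::string host) {
    auto lower = [](std::string& s) {
        std::transform(s.begin(), s.end(), s.begin(),
                       [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    };
    lower(pattern);
    lower(host);
    if (pattern.rfind("*.", 0) == 0) {
        auto dot = host.find('.');
        return dot != std::string::npos && dot > 0 && host.substr(dot) == pattern.substr(1);
    }
    return pattern == host;
}

// Returns "" when the host is accepted, otherwise a diagnostic message.
// If any SAN entries exist they are authoritative: the CN is tested only to
// improve the error text, never to accept the connection.
std::string checkHostname(const std::string& host,
                          const std::vector<std::string>& sans,
                          const std::string& cn) {
    const std::string prefix =
        "The server certificate does not match the host name. Hostname: " + host;
    const bool cnMatches = !cn.empty() && nameMatches(cn, host);
    if (sans.empty())
        return cnMatches ? "" : prefix + " does not match CN: " + cn;
    std::string list;
    for (const auto& san : sans) {
        if (nameMatches(san, host)) return "";
        if (!list.empty()) list += ", ";
        list += san;
    }
    std::string msg = prefix + " does not match SAN(s): " + list;
    if (cnMatches)
        msg += ". CN would have matched, however it has been overridden by the SAN field";
    else if (!cn.empty())
        msg += ". CN: " + cn + " does not match either";  // assumed wording
    return msg;
}

int main() {  // constructed input mirroring the log line in the description
    std::cout << checkHostname("example.com", {"example.net", "example.org"}, "example.com") << "\n";
}
```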



 Comments   
Comment by Githook User [ 17/Apr/19 ]

Author: Sara Golemon (sgolemon) <sara.golemon@mongodb.com>

Message: SERVER-37370 Improve CN/SAN mismatch error message
Branch: master
https://github.com/mongodb/mongo/commit/ed0939a343ac78527e2633301b68f52721f93d0a
