[SERVER-38424] Use / respect allowInvalidHostnames flag when acting as a kmip client Created: 05/Dec/18  Updated: 11/Dec/18  Resolved: 11/Dec/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: New Feature Priority: Major - P3
Reporter: Kyle Assignee: Spencer Jackson
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Security 2018-12-17
Participants:

 Description   

It appears that when establishing an SSL connection to a KMIP server, mongo does certificate host name matching regardless of whether the allowInvalidHostnames flag is set. Is it possible to respect that flag for this scenario or to include a different flag specific to KMIP?



 Comments   
Comment by Spencer Jackson [ 11/Dec/18 ]

Hi kyle. You are correct, the net.ssl configuration parameters do not impact connections made to the KMIP server. There is currently no way to disable hostname validation for KMIP, and there are currently no plans to introduce that functionality because of the security-sensitive nature of the KMIP protocol. As such, I am going to mark this ticket as "closed" for the time being, though it can be reopened in the future.

There are likely ways that your environment can be configured which will allow successful hostname validation. I recommend opening a support ticket to discuss your exact situation.
