[SERVER-38424] Use / respect allowInvalidHostnames flag when acting as a kmip client
| Created: | 05/Dec/18 | Updated: | 11/Dec/18 | Resolved: | 11/Dec/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | New Feature | Priority: | Major - P3 |
| Reporter: | Kyle | Assignee: | Spencer Jackson |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Sprint: | Security 2018-12-17 |
| Participants: |
| Description |
|
It appears that when establishing an SSL connection to a KMIP server mongo does certificate host name matching regardless of whether the allowInvalidHostnames flag is set. Is it possible to respect that flag for this scenario or to include a different flag specific to KMIP? |
| Comments |
| Comment by Spencer Jackson [ 11/Dec/18 ] |
|
Hi kyle. You are correct, the net.ssl configuration parameters do not impact connections made to the KMIP server. There is currently no way to disable hostname validation for KMIP, and there are currently no plans to introduce that functionality because of the security-sensitive nature of the KMIP protocol. As such, I am going to mark this ticket as "closed" for the time being, though it can be reopened in the future. There are likely ways that your environment can be configured which will allow successful hostname validation. I recommend opening a support ticket to discuss your exact situation. |
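
The behaviour discussed in this ticket, shown as a mongod configuration fragment. This is an added example, not taken from the ticket or from anyone's deployment; the host name and file paths are placeholders, and the layout assumes the `net.ssl` and `security.kmip` option names used by MongoDB Enterprise releases of that period.

```yaml
# Constructed example: all host names and paths below are placeholders.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/mongodb/ssl/mongod.pem
    # Relaxes hostname checks for connections governed by net.ssl.
    # Per the comment above, it has no effect on the connection mongod
    # opens to the KMIP server.
    allowInvalidHostnames: true

security:
  enableEncryption: true
  kmip:
    # Hostname validation is always applied to this connection, so this
    # must be a name the KMIP server's certificate is valid for. An IP
    # address or an internal alias that the certificate does not cover
    # will fail validation regardless of the net.ssl settings.
    serverName: kmip.example.internal
    port: 5696
    # CA that issued the KMIP server's certificate.
    serverCAFile: /etc/mongodb/kmip/ca.pem
    # Client certificate mongod presents to the KMIP server.
    clientCertificateFile: /etc/mongodb/kmip/client.pem
```

When validation fails, the fix is on the certificate or naming side: connect using a name the KMIP server's certificate already covers, or reissue the certificate so it covers the name mongod is configured with.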