[SERVER-43739] SNI name is not set on OSX if allowInvalidHostnames is enabled Created: 30/Sep/19  Updated: 29/Oct/23  Resolved: 13/Apr/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.0-rc2, 4.7.0, 4.2.12

Type: Bug Priority: Major - P3
Reporter: Adam Cooper (Inactive) Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File image-2019-09-30-18-06-28-034.png     PNG File image-2019-09-30-18-09-00-190.png    
Issue Links:
Backports
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested:
v4.4, v4.2
Steps To Reproduce:

./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem --tlsAllowInvalidHostnames local.10gen.cc

./mongo --tls --tlsCAFile jstests/libs/ca.pem --tlsCertificateKeyFile jstests/libs/client.pem local.10gen.cc

Sprint: Security 2020-04-06, Security 2020-04-20
Participants:

Description

Because of the way Apple's TLS library works, we have no direct way of manually setting or disabling the TLS SNI extension separately from the PeerDomainName in our usage of SSLSetPeerDomainName.

Because of this, Apple's TLS library will naively advertise an IP address as an SNI name if it is provided as the PeerDomainName. This is against the TLS spec per RFC 6066, Section 3. We removed the advertisement of IP addresses in the SNI extension in SERVER-42287 and SERVER-43234.

However, when allowInvalidHostnames is enabled, the PeerDomainName is cleared, and SNI is not advertised, which causes test failures and potential confusion for anything that needs to use the SNI for whatever reason.
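
As an added example (this is not MongoDB's code and does not call the Secure Transport API), the following C++ models the SNI policy the description asks for: the server_name value is decided separately from hostname validation, so a DNS name goes out in SNI whether or not allowInvalidHostnames is set, while an IP literal is never sent (RFC 6066, Section 3), and the extension is encoded as it appears in a ClientHello. `legacyPeerDomainName` models the coupling the description complains about, where clearing the PeerDomainName also silently drops the SNI. The names `makePeerPolicy`, `isIpLiteral`, `encodeServerNameExtension` and `legacyPeerDomainName` are assumptions for illustration; `local.10gen.cc` is the host from the repro steps.

```cpp
// Added example: separating SNI from hostname validation (not MongoDB's code).
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Result of deciding how to talk to a peer: what (if anything) to put in the
// TLS server_name extension, and whether to verify the certificate name.
struct TlsPeerPolicy {
    bool sendSni;             // true if sniHostName should be advertised
    std::string sniHostName;  // RFC 6066 HostName value (empty if !sendSni)
    bool verifyHostName;      // whether cert SAN/CN must match the target
};

// True when `s` is an IPv4 or IPv6 literal, with or without IPv6 brackets.
// inet_pton does the parsing, so "10gen" or "local.10gen.cc" are not literals.
bool isIpLiteral(const std::string& s) {
    std::string h = s;
    if (h.size() >= 2 && h.front() == '[' && h.back() == ']')
        h = h.substr(1, h.size() - 2);
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, h.c_str(), buf) == 1 ||
           inet_pton(AF_INET6, h.c_str(), buf) == 1;
}

// RFC 6066 s.3: HostName is a fully qualified DNS name without a trailing dot.
std::string normalizeHostName(std::string h) {
    if (!h.empty() && h.back() == '.') h.pop_back();
    return h;
}

// Pre-fix behaviour the ticket describes (modelled, hypothetical name):
// allowInvalidHostnames cleared the PeerDomainName, and because Secure
// Transport derives the SNI from it, no SNI was advertised either.
std::string legacyPeerDomainName(const std::string& target, bool allowInvalidHostnames) {
    return allowInvalidHostnames ? std::string() : target;
}

// Fixed policy (hypothetical name): SNI depends only on whether the target is
// a DNS name; validation strictness is an independent decision.
TlsPeerPolicy makePeerPolicy(const std::string& target, bool allowInvalidHostnames) {
    TlsPeerPolicy p;
    p.verifyHostName = !allowInvalidHostnames;
    if (target.empty() || isIpLiteral(target)) {
        p.sendSni = false;     // RFC 6066 s.3 forbids IP literals in server_name
        p.sniHostName.clear();
    } else {
        p.sendSni = true;      // sent even when validation is relaxed
        p.sniHostName = normalizeHostName(target);
    }
    return p;
}

// Encodes the server_name extension (RFC 6066 s.3) as it appears in a
// ClientHello: extension_type(2) extension_data length(2)
// ServerNameList length(2) NameType(1) HostName length(2) HostName(n).
// Only call this with a policy where sendSni is true.
std::vector<uint8_t> encodeServerNameExtension(const std::string& host) {
    std::vector<uint8_t> out;
    auto put16 = [&](size_t v) {
        out.push_back(static_cast<uint8_t>(v >> 8));
        out.push_back(static_cast<uint8_t>(v & 0xff));
    };
    const size_t nameLen = host.size();
    const size_t listLen = 1 + 2 + nameLen;   // NameType + length + name
    put16(0x0000);                            // extension_type: server_name
    put16(2 + listLen);                       // extension_data length
    put16(listLen);                           // ServerNameList length
    out.push_back(0x00);                      // NameType: host_name
    put16(nameLen);
    out.insert(out.end(), host.begin(), host.end());
    return out;
}

int main() {
    // Constructed inputs: the repro host and an IP literal, both with
    // allowInvalidHostnames on and off.
    const char* targets[] = {"local.10gen.cc", "127.0.0.1", "[::1]"};
    for (const char* t : targets) {
        for (bool allowInvalid : {false, true}) {
            TlsPeerPolicy p = makePeerPolicy(t, allowInvalid);
            std::printf("%-16s allowInvalid=%d legacySNI=\"%s\" sendSni=%d sni=\"%s\" verify=%d\n",
                        t, allowInvalid, legacyPeerDomainName(t, allowInvalid).c_str(),
                        p.sendSni, p.sniHostName.c_str(), p.verifyHostName);
        }
    }
    return 0;
}
```

The interesting row is `local.10gen.cc` with allowInvalid=1: the legacy model yields an empty PeerDomainName (so no SNI), while `makePeerPolicy` still advertises the name and only turns off verification.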



Comments
Comment by Githook User [ 12/Jan/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43739 Always send SNI regardless of allowInvalidHost and setup proper policy for validation

(cherry picked from commit ca6f181a96dcb51c159d53062866c31bb62a1b53)
Branch: v4.2
https://github.com/mongodb/mongo/commit/425a5ff8f6a4566aa17a2b25875a1cb12037c797

Comment by Githook User [ 20/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43739 Always send SNI regardless of allowInvalidHost and setup proper policy for validation

(cherry picked from commit ca6f181a96dcb51c159d53062866c31bb62a1b53)
Branch: v4.4
https://github.com/mongodb/mongo/commit/bacd09f7a789410dbea15c7ea7f405988a4b8070

Comment by Githook User [ 13/Apr/20 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-43739 Always send SNI regardless of allowInvalidHost and setup proper policy for validation
Branch: master
https://github.com/mongodb/mongo/commit/ca6f181a96dcb51c159d53062866c31bb62a1b53

Generated at Thu Feb 08 05:03:58 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.