[SERVER-43739] SNI name is not set on OSX if allowInvalidHostnames is enabled

Created: 30/Sep/19 | Updated: 29/Oct/23 | Resolved: 13/Apr/20

| Field | Value |
|---|---|
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | None |
| Fix Version/s | 4.4.0-rc2, 4.7.0, 4.2.12 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Adam Cooper (Inactive) |
| Assignee | Sara Golemon |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Backwards Compatibility | Minor Change |
| Operating System | ALL |
| Backport Requested | v4.4, v4.2 |
| Sprint | Security 2020-04-06, Security 2020-04-20 |

Description
Because of the way Apple's TLS library works, we have no direct way of setting or disabling the TLS SNI extension separately from the PeerDomainName in our use of SSLSetPeerDomainName. As a result, Apple's TLS library naively advertises an IP address as an SNI name whenever an IP address is given as the PeerDomainName. This violates the TLS spec (RFC 6066, Section 3). We removed the advertisement of IP addresses in the SNI extension in However, when allowInvalidHostnames is enabled, the PeerDomainName is cleared and no SNI is advertised at all, which causes test failures and potential confusion for anything that relies on SNI.
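The decoupling the description asks for, as an added Python example that is not code from this ticket or from MongoDB: Python's ssl module takes the peer name, the SNI value and the hostname check as separate concerns, so allowInvalidHostnames (skip the hostname match, keep verifying the chain) can be honoured without dropping SNI, and the RFC 6066, Section 3 rule against IP literals is applied explicitly. The helper names below are this example's own.

```python
import ipaddress
import ssl
from typing import Optional


def sni_name_for(peer: str) -> Optional[str]:
    """Name to advertise in the TLS SNI extension for `peer`, or None.

    RFC 6066, Section 3 forbids IP literals in server_name, so IPv4 and
    IPv6 addresses (with or without IPv6 brackets) yield None.
    """
    candidate = peer.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    if not candidate:
        return None
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        return candidate  # a DNS name: safe to advertise
    return None  # an IP literal: never advertised


def make_client_context(allow_invalid_hostnames: bool) -> ssl.SSLContext:
    """Client context with allowInvalidHostnames semantics: skip only the
    hostname-to-certificate match, keep chain verification, leave SNI alone."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = not allow_invalid_hostnames
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain verification stays on
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context verifies, as plain values."""
    return {
        "hostname_checked": bool(ctx.check_hostname),
        "chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
    }


def connection_plan(peer: str, allow_invalid_hostnames: bool) -> dict:
    """Hypothetical helper: what a client would hand to wrap_socket() for `peer`.

    server_hostname is passed unconditionally; CPython 3.7+ uses it for
    certificate matching and itself omits the SNI extension for IP literals.
    """
    return {
        "server_hostname": peer,
        "expected_sni": sni_name_for(peer),
        **context_policy(make_client_context(allow_invalid_hostnames)),
    }
```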
Comments

Comment by Githook User [ 12/Jan/21 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit ca6f181a96dcb51c159d53062866c31bb62a1b53)

Comment by Githook User [ 20/Apr/20 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit ca6f181a96dcb51c159d53062866c31bb62a1b53)

Comment by Githook User [ 13/Apr/20 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: