[SERVER-50736] Make OpenSSL explicitly accept SNIs presented in ClientHello
Created: 02/Sep/20
Updated: 29/Oct/23
Resolved: 11/Sep/20

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: None
Fix Version/s: 4.8.0, 4.4.2, 4.2.11, 4.0.21, 3.6.21

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Spencer Jackson
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Duplicate: is duplicated by SERVER-50436 MongoDB split horizons doesn't seem w... (Closed)
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v4.7, v4.4, v4.2, v4.0, v3.6
Sprint: Security 2020-09-21
Participants:

Description

It appears the OS X shell can provide Session IDs in its TLS 1.2 handshake, which enable session resumption. This might interact with the server's understanding of SNIs.

OpenSSL's SSL_get_servername method extracts the SNI for us, and is defined by the documentation to behave thus:

On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption did not occur

The function will return the servername requested by the client in this handshake or NULL if none was requested.

So, after accepting a connection attempt, SSL_get_servername will return the name the client requested. But later:

On the server, after the servername extension has been processed and a TLSv1.2 (or below) resumption occurred

If a servername was accepted by the server in the original handshake then it will return that servername, or NULL otherwise.

This means that OpenSSL ignores the second connection attempt's advertised SNI, in favor of the original... if the original connection's SNI was "accepted". SNIs can be accepted in an application provided callback, which we don't set. We probably need to define a callback to accept the client's SNI, so that we consistently see an SNI across all connections, whether or not they are resumed.

This can be done by using the SSL_CTX_set_tlsext_servername_callback function.



Comments
Comment by Githook User [ 14/Oct/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-50736 Make OpenSSL explicitly accept SNIs

(cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)
(cherry picked from commit 8351c3e077e7578e7a9a2b20399829df0238cc3f)
(cherry picked from commit 9e252edecf6d934bbce6ae39638fc066f37120e6)
(cherry picked from commit ae595c7a7845271b88f6969dd2100435cdc760b7)
Branch: v3.6
https://github.com/mongodb/mongo/commit/d881b2b32dda7389e99efd40e4a96e34de082281

Comment by Githook User [ 30/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-50736 Make OpenSSL explicitly accept SNIs

(cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)
(cherry picked from commit 8351c3e077e7578e7a9a2b20399829df0238cc3f)
(cherry picked from commit 9e252edecf6d934bbce6ae39638fc066f37120e6)
Branch: v4.0
https://github.com/mongodb/mongo/commit/ae595c7a7845271b88f6969dd2100435cdc760b7

Comment by Githook User [ 30/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-50736 Make OpenSSL explicitly accept SNIs

(cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)
(cherry picked from commit 8351c3e077e7578e7a9a2b20399829df0238cc3f)
Branch: v4.2
https://github.com/mongodb/mongo/commit/9e252edecf6d934bbce6ae39638fc066f37120e6

Comment by Githook User [ 17/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-50736 Make OpenSSL explicitly accept SNIs

(cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)
Branch: v4.4
https://github.com/mongodb/mongo/commit/32041ff125edcfd74d45b63db4ba19aa9840c62e

Comment by Githook User [ 11/Sep/20 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-50736 Make OpenSSL explicitly accept SNIs
Branch: master
https://github.com/mongodb/mongo/commit/a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014

Comment by Spencer Jackson [ 08/Sep/20 ]

Evgn: https://evergreen.mongodb.com/version/5f57ed8456234342068ba1aa
CR: https://mongodbcr.appspot.com/670330034/

Generated at Thu Feb 08 05:23:26 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.