[SERVER-50736] Make OpenSSL explicitly accept SNIs presented in ClientHello
Created: 02/Sep/20  Updated: 29/Oct/23  Resolved: 11/Sep/20

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.8.0, 4.4.2, 4.2.11, 4.0.21, 3.6.21 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Spencer Jackson |
| Assignee: | Spencer Jackson |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.7, v4.4, v4.2, v4.0, v3.6 |
| Sprint: | Security 2020-09-21 |
| Participants: | |
| Description |

It appears the OS X shell can provide Session IDs in its TLS 1.2 handshake, which enable session resumption. This might interact with the server's understanding of SNIs. OpenSSL's SSL_get_servername method extracts the SNI for us, and is defined by the documentation to behave thus:

So, after accepting a connection attempt, SSL_get_servername will return the name the client requested. But later:

This means that OpenSSL ignores the second connection attempt's advertised SNI, in favor of the original... if the original connection's SNI was "accepted". SNIs can be accepted in an application-provided callback, which we don't set. We probably need to define a callback to accept the client's SNI, so that we consistently see an SNI across all connections, whether or not they are resumed. This can be done by using the SSL_CTX_set_tlsext_servername_callback function.
| Comments |

| Comment by Githook User [ 14/Oct/20 ] |

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message: (cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)

| Comment by Githook User [ 30/Sep/20 ] |

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message: (cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)

| Comment by Githook User [ 30/Sep/20 ] |

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message: (cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)

| Comment by Githook User [ 17/Sep/20 ] |

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message: (cherry picked from commit a5f72d4b37ed92fa72d3a31e0af4266c9ef8d014)

| Comment by Githook User [ 11/Sep/20 ] |

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message:

| Comment by Spencer Jackson [ 08/Sep/20 ] |

Evgn: https://evergreen.mongodb.com/version/5f57ed8456234342068ba1aa