[SERVER-55119] Create startup warning indicating that X.509 certificates without SANs are deprecated Created: 10/Mar/21  Updated: 29/Oct/23  Resolved: 29/Mar/21

Status: Closed
Project: Core Server
Component/s: Admin, Networking, Security
Affects Version/s: None
Fix Version/s: 4.2.15, 4.4.7, 5.0.0-rc0, 4.0.26

Type: Question Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sergey Galtsev (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-14322 Investigate changes in SERVER-55119: ... Closed
Problem/Incident
Backwards Compatibility: Minor Change
Backport Requested:
v5.0, v4.4, v4.2, v4.0
Sprint: Security 2021-04-05
Participants:
Case:

Description

X.509 certificates have had two mechanisms for binding their public key to a hostname.
If a Subject Alternative Name (SAN) extension is present in the certificate, the names listed there are considered bound.
If no SAN is present, but the certificate's subject name contains a Common Name (CN) component that is interpretable as a hostname, that hostname was considered bound.

The Common Name has been considered deprecated in favour of Subject Alternative Names, because a Common Name semantically has nothing to do with hostnames.

Various cryptographic libraries are removing support for hostname validation via Common Names. Apple's TLS framework stopped recognizing Common Names in iOS 13 and macOS 10.15. Go 1.15 no longer recognizes Common Names by default, and the tunable knob will be removed in a future release.

Clients on these platforms will find themselves unable to connect to MongoDB servers that use X.509 certificates whose hostnames are advertised only through the CommonName attribute.

We should tell all administrators whose servers use this style of certificate that it is deprecated and should be replaced. We should parse the server's certificate at startup and emit a startup warning if it does not contain a SAN. We should backport this change to all supported releases.
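The check described above, as an added Go example that is not MongoDB's own implementation: it detects the SAN extension on a parsed certificate and builds the warning a server would log at startup. The function names are hypothetical, and the certificates are constructed in-memory self-signed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// HasSubjectAltName reports whether the certificate carries a SAN extension at all.
// Checking the raw extension list rather than cert.DNSNames also counts SANs that
// hold only IP address, email, URI or otherName entries.
func HasSubjectAltName(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) { // id-ce-subjectAltName, RFC 5280 4.2.1.6
			return true
		}
	}
	return false
}

// StartupWarning returns the deprecation message for a CN-only certificate, or "" when a SAN is present.
func StartupWarning(cert *x509.Certificate) string {
	if HasSubjectAltName(cert) {
		return ""
	}
	return fmt.Sprintf("server certificate has no Subject Alternative Name; relying on "+
		"Common Name %q for hostname validation is deprecated", cert.Subject.CommonName)
}

// SelfSigned builds a throwaway certificate (constructed sample data, not a real key)
// with the given CN and optional DNS SAN entries; with no names, Go emits no SAN extension.
func SelfSigned(cn string, dnsNames []string) (*x509.Certificate, error) {
	_, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: dnsNames}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so Extensions is populated
}
```

For a real deployment the certificate would come from the server's configured PEM file rather than SelfSigned.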



Comments
Comment by Githook User [ 23/Jun/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-55119 startup warning when X.509 certificates have no Subject Alternative Name
Branch: v4.0
https://github.com/mongodb/mongo/commit/101d1310c57d7217334919f2ccb90ac4945d9d0d

Comment by Githook User [ 22/Jun/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-55119 startup warning when X.509 certificates have no Subject Alternative Name
Branch: v4.2
https://github.com/mongodb/mongo/commit/ba3fa2f0101fb86ce31460b197bac5657ed36201

Comment by Githook User [ 22/Jun/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-55119 startup warning when X.509 certificates have no Subject Alternative Name (revert code removal)
Branch: v4.4
https://github.com/mongodb/mongo/commit/0752572374c79198dc9fce439a18e89ea3c7c328

Comment by Githook User [ 18/Jun/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-55119 startup warning when X.509 certificates have no Subject Alternative Name
Branch: v4.4
https://github.com/mongodb/mongo/commit/309f1ad1ce1bb745c956361e4cef29fc67289f1d

Comment by Githook User [ 29/Mar/21 ]

Author:

{'name': 'Sergey Galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-55119 startup warning when X.509 certificates have no Subject Alternative Name
Branch: master
https://github.com/mongodb/mongo/commit/434ff838950d360bed1456c9307dd9c173323ac0

Generated at Thu Feb 08 05:35:31 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.