[SERVER-79976] Perform connectivity and TLS checks for DNS-resolved IP addresses in mongoldap Created: 14/Aug/23  Updated: 29/Oct/23  Resolved: 22/Sep/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.2.0-rc0

Type: Task Priority: Major - P3
Reporter: Varun Ravichandran Assignee: Adrian Gonzalez Montemayor
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Sprint: Security 2023-09-04, Security 2023-09-18, Security 2023-10-02
Participants:

Description

The LDAP DNS cache only caches resolved addresses from SRV records, not A records. If the IP addresses presented in A records are cached and connected to directly, TLS may fail, as the remote host's certificate's subject will often correspond to the domain and not specify the resolved IP address, resulting in a subject name mismatch.

However, mongoldap can show the output of the DNS lookup and run a connectivity test against each of those resolved records, even for A records. It can also make a best-effort attempt at TLS connections and potentially swallow subject name mismatch errors if the presented certificate's subject matches the domain corresponding to the IP address.
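The check described above, written out as an added example (this is not mongoldap's code; it assumes LDAPS on port 636 and uses Python's ssl module). Each resolved address gets a TCP connect and a TLS handshake in which the chain is still validated but hostname checking is done by the script: a certificate that names the IP is reported as "ip", one that names only the LDAP domain (the expected case, where a strict IP check would fail with a subject name mismatch) as "domain", and anything else as "mismatch". The certificate dicts in the test are constructed in the shape returned by `SSLSocket.getpeercert()`.

```python
"""Probe every DNS-resolved address of an LDAP host and classify the
certificate each one presents. Added example, not mongoldap's own code."""
import ipaddress
import socket
import ssl
from dataclasses import dataclass


def _label_matches(pattern: str, name: str) -> bool:
    """Match one dNSName (or CN) against a hostname. A wildcard is honoured
    only as the whole left-most label (RFC 6125 s6.4.3): '*.example.com'
    matches 'ldap.example.com' but not 'example.com' or 'a.b.example.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    n_labels = name.lower().rstrip(".").split(".")
    if len(p_labels) != len(n_labels):
        return False
    if p_labels[0] == "*" and len(p_labels) >= 2:
        return p_labels[1:] == n_labels[1:]
    return p_labels == n_labels


def _san_entries(cert: dict, kind: str) -> list[str]:
    # subjectAltName is a tuple of (type, value) pairs, e.g. ('DNS', 'x.example.com').
    return [value for typ, value in cert.get("subjectAltName", ()) if typ == kind]


def cert_matches_dns_name(cert: dict, hostname: str) -> bool:
    dns_names = _san_entries(cert, "DNS")
    if dns_names:
        # When dNSName SANs are present the CN is ignored, as verifiers do.
        return any(_label_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):  # legacy fallback: subject CN
        for key, value in rdn:
            if key == "commonName" and _label_matches(value, hostname):
                return True
    return False


def cert_matches_ip(cert: dict, ip: str) -> bool:
    target = ipaddress.ip_address(ip)
    for value in _san_entries(cert, "IP Address"):
        try:
            if ipaddress.ip_address(value) == target:
                return True
        except ValueError:
            continue
    return False


def classify_cert(cert: dict, ip: str, domain: str) -> str:
    """'ip' if the cert names the resolved address itself, 'domain' if it only
    names the LDAP domain (the IP mismatch is tolerated), else 'mismatch'."""
    if cert_matches_ip(cert, ip):
        return "ip"
    if cert_matches_dns_name(cert, domain):
        return "domain"
    return "mismatch"


@dataclass
class ProbeResult:
    ip: str
    tcp_ok: bool
    tls_ok: bool
    cert_status: str  # 'ip' | 'domain' | 'mismatch' | 'n/a'
    error: str = ""


def resolve(host: str, port: int) -> list[str]:
    """All A/AAAA addresses for host, deduplicated, in resolver order."""
    addrs: list[str] = []
    for _fam, _typ, _proto, _name, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def probe_address(ip: str, port: int, domain: str, timeout: float = 5.0, cafile=None) -> ProbeResult:
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False          # names are judged by classify_cert below
    ctx.verify_mode = ssl.CERT_REQUIRED  # the chain is still validated
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as e:
        return ProbeResult(ip, False, False, "n/a", str(e))
    try:
        # server_hostname sets SNI to the domain, as a client using the name would.
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as e:
        raw.close()
        return ProbeResult(ip, True, False, "n/a", str(e))
    return ProbeResult(ip, True, True, classify_cert(cert, ip, domain))


def probe(host: str, port: int = 636, timeout: float = 5.0, cafile=None) -> list[ProbeResult]:
    return [probe_address(ip, port, host, timeout, cafile) for ip in resolve(host, port)]


if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder host
    for r in probe(target_host):
        print(f"{r.ip:>40} tcp={'ok' if r.tcp_ok else 'FAIL'} tls={'ok' if r.tls_ok else 'FAIL'} cert={r.cert_status} {r.error}")
```

Run it as `python probe_ldap.py ldap.corp.example` (placeholder name). A "domain" result on every address is the healthy outcome for a server whose certificate names only the LDAP host; a "mismatch" means neither the IP nor the domain is covered and a real client would refuse the connection.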


Generated at Thu Feb 08 06:42:23 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.