<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:15:21 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CDRIVER-2481] &quot;-DENABLE_SSL=OPENSSL&quot; would not allow user to connect to server with IP address</title>
                <link>https://jira.mongodb.org/browse/CDRIVER-2481</link>
                <project id="10030" key="CDRIVER">C Driver</project>
                    <description>&lt;p&gt;mongo c driver: 1.7.0&lt;br/&gt;
mongo cxx driver: r3.1.3&lt;/p&gt;

&lt;p&gt;If I compile the C driver with &quot;-DENABLE_SSL=OPENSSL&quot; and do the following tests:&lt;br/&gt;
&lt;b&gt;case 1&lt;/b&gt;: the host&apos;s cert&apos;s CN is an IP address; connecting with the IP address fails.&lt;br/&gt;
error info:&lt;/p&gt;

&lt;pre&gt;connection failed: No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed calling ismaster on &apos;10.154.10.39:27017&apos;]: generic server error&lt;/pre&gt;

&lt;p&gt;&lt;b&gt;case 2&lt;/b&gt;: the host&apos;s cert&apos;s CN is a hostname; connecting with the hostname succeeds.&lt;/p&gt;

&lt;p&gt;But I can connect with mongo.exe successfully in both cases.&lt;br/&gt;
What&apos;s more, the issue disappears if I compile the driver with &quot;-DENABLE_SSL=WINDOWS&quot;.&lt;/p&gt;</description>
                <environment></environment>
        <key id="490121">CDRIVER-2481</key>
            <summary>&quot;-DENABLE_SSL=OPENSSL&quot; would not allow user to connect to server with IP address</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13202">Works as Designed</resolution>
                                        <assignee username="jesse@mongodb.com">A. Jesse Jiryu Davis</assignee>
                                    <reporter username="winnie_quest">winnie_quest</reporter>
                        <labels>
                    </labels>
                <created>Wed, 31 Jan 2018 09:50:57 +0000</created>
                <updated>Fri, 27 Oct 2023 13:14:17 +0000</updated>
                            <resolved>Thu, 8 Feb 2018 03:27:43 +0000</resolved>
                                    <version>1.7.0</version>
                                                    <component>libmongoc</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="1799032" author="winnie_quest" created="Thu, 8 Feb 2018 03:39:22 +0000"  >&lt;p&gt;But if the IP address is in the CN field, the mongo C driver still can&apos;t connect to the server with the IP address.&lt;/p&gt;</comment>
                            <comment id="1799026" author="jesse" created="Thu, 8 Feb 2018 03:27:43 +0000"  >&lt;p&gt;Thanks for your answer. I&apos;m closing this issue for now; I think the C Driver does approximately the correct thing when an SSL certificate includes an IP address.&lt;/p&gt;</comment>
                            <comment id="1799000" author="winnie_quest" created="Thu, 8 Feb 2018 02:47:03 +0000"  >&lt;p&gt;Thanks. I tested with mongo C driver 1.7.0: the driver could connect to the mongo server with an IP address if the IP address is in the server&apos;s SAN, but the shell can&apos;t do it.&lt;br/&gt;
Thanks a lot.&lt;/p&gt;</comment>
                            <comment id="1797655" author="jesse" created="Wed, 7 Feb 2018 03:29:52 +0000"  >&lt;p&gt;Hi, the C Driver with OpenSSL &lt;b&gt;can&lt;/b&gt; connect using an IP address if the IP address is a Subject Alternative Name. I successfully tested this on Windows with OpenSSL 1.0.2n. I downloaded &lt;a href=&quot;https://raw.githubusercontent.com/mongodb/mongo/master/jstests/libs/ca.pem&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;the Certificate Authority file ca.pem from the MongoDB test files&lt;/a&gt;. I made a file &quot;extensions.cnf&quot; containing:&lt;/p&gt;
&lt;pre&gt;[v3_req]
basicConstraints = CA:TRUE
subjectAltName = IP:127.0.0.1&lt;/pre&gt;
&lt;p&gt;Then:&lt;/p&gt;
&lt;pre&gt;openssl req -new -nodes -keyout test.key -out myserver_san_ip.csr -subj &quot;/C=US/ST=NY/O=MongoDB/CN=x509server/emailAddress=jesse@mongodb.com&quot;

openssl x509 -req -days 3650 -in myserver_san_ip.csr -CA ca.pem -out myserver_san_ip.crt -extfile extensions.cnf -extensions v3_req -CAcreateserial

cat test.key myserver_san_ip.crt &amp;gt; myserver_san_ip.pem

mongod.exe --sslOnNormalPorts --sslPEMKeyFile myserver_san_ip.pem --sslCAFile ca.pem --sslAllowConnectionsWithoutCertificates&lt;/pre&gt;
&lt;p&gt;Then, after building libmongoc 1.9.2 with OpenSSL, I ran the example-client program:&lt;/p&gt;
&lt;pre&gt;./Debug/example-client.exe mongodb://127.0.0.1/?sslcertificateauthorityfile=ca.pem&lt;/pre&gt;
&lt;p&gt;The driver connects to the server successfully.&lt;/p&gt;

&lt;p&gt;If you&apos;re curious, the relevant portions of the C Driver code that handle IP addresses in hostnames and Subject Alternative Names are in mongoc_stream_tls_openssl_new and _mongoc_openssl_check_cert.&lt;/p&gt;

&lt;p&gt;Although the C Driver supports connecting to a server over SSL with an IP address in the URI, so long as the IP address is one of the server certificate&apos;s Subject Alternative Names, I wouldn&apos;t recommend starting MongoDB with a certificate that includes an IP address, since the mongo shell can only connect to it by hostname.&lt;/p&gt;</comment>
                            <comment id="1792876" author="winnie_quest" created="Fri, 2 Feb 2018 07:23:31 +0000"  >&lt;p&gt;As you suggested, I created &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-33069&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;https://jira.mongodb.org/browse/SERVER-33069&lt;/a&gt;.&lt;/p&gt;</comment>
                            <comment id="1792818" author="jesse" created="Fri, 2 Feb 2018 04:36:59 +0000"  >&lt;p&gt;We&apos;ll investigate, thank you, but I don&apos;t know whether we can make OpenSSL&apos;s certificate validation accept this cert or not. We shall see. I propose you file a ticket in the SERVER project as well to request the same change for the mongo shell, if it&apos;s possible.&lt;/p&gt;</comment>
                            <comment id="1792801" author="winnie_quest" created="Fri, 2 Feb 2018 03:43:19 +0000"  >&lt;p&gt;Thanks for your reply, Jesse.&lt;br/&gt;
Well, I should say it&apos;s medium urgent.&lt;br/&gt;
Our product is working as a connector, allowing users to connect to MongoDB. We can&apos;t require our customers to always use a hostname for the CN in their server&apos;s certificate.&lt;br/&gt;
The workaround that I can figure out is to use &quot;ssl_options.allow_invalid_certificates(true);&quot;, but you know it&apos;s not safe.&lt;br/&gt;
So I suggest you do the fix, &apos;cause I think it&apos;s still very common for people to connect to a server using an IP address.&lt;/p&gt;</comment>
                            <comment id="1792248" author="jesse" created="Thu, 1 Feb 2018 19:46:41 +0000"  >&lt;p&gt;The mongo shell also uses OpenSSL. I see that the Subject Alternative Name technique didn&apos;t work for an IP Address.&lt;/p&gt;

&lt;p&gt;Could you tell me how urgent this is please? One idea is to set up your machine&apos;s local DNS (using something like /etc/hosts) to say that the name &quot;x509server&quot; maps to your desired IP, and use a server certificate for &quot;x509server&quot;.&lt;/p&gt;</comment>
                            <comment id="1791428" author="winnie_quest" created="Thu, 1 Feb 2018 03:59:20 +0000"  >&lt;p&gt;Hi, I created the PEM with a SAN by the following steps:&lt;br/&gt;
1. sudo openssl req -new -key myserver.key -out myserver_san_ip.csr -subj &quot;/C=AU/ST=NSW/O=test/CN=x509server/emailAddress=user@domain.com&quot;&lt;br/&gt;
2. sudo openssl x509 -req -days 3650 -in myserver_san_ip.csr -CA ca.crt -CAkey ca.key -set_serial 01 &lt;font color=&quot;red&quot;&gt;-extensions v3_req&lt;/font&gt; -extfile &lt;font color=&quot;red&quot;&gt;a.txt&lt;/font&gt; -out myserver_san_ip.crt&lt;/p&gt;

&lt;p&gt;a.txt&apos;s content is:&lt;br/&gt;
[v3_req]&lt;br/&gt;
basicConstraints = CA:TRUE&lt;br/&gt;
subjectAltName = IP:10.154.10.39&lt;/p&gt;

&lt;p&gt;Then use &quot;openssl x509 -text -noout -in myserver_san_ip.crt&quot; to check the SAN field. See &lt;a href=&quot;https://jira.mongodb.org/secure/attachment/177479/177479_dd.png&quot; title=&quot;dd.png&quot;&gt;dd.png&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;3. sudo sh -c &quot;cat myserver.key myserver_san_ip.crt &amp;gt; myserver_san_ip.pem&quot;&lt;/p&gt;

&lt;p&gt;With this new PEM file, I restarted the mongod server,&lt;br/&gt;
then tried to connect with the mongo shell: mongo --host 10.154.10.39 --ssl --sslCAFile ca.pem --sslPEMKeyFile myclient.pem&lt;br/&gt;
but still get the error:&lt;br/&gt;
2018-02-01T03:56:53.109+0800 E NETWORK  [thread1] The server certificate does not match the host name. Hostname: 10.154.10.39 does not match SAN(s): &lt;br/&gt;
2018-02-01T03:56:53.110+0800 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: 10.154.10.39 does not match SAN(s):  :&lt;br/&gt;
connect@src/mongo/shell/mongo.js:237:13&lt;br/&gt;
@(connect):1:6&lt;br/&gt;
exception: connect failed&lt;/p&gt;</comment>
                            <comment id="1790291" author="jesse" created="Wed, 31 Jan 2018 11:57:53 +0000"  >&lt;p&gt;&lt;a href=&quot;https://cabforum.org/guidance-ip-addresses-certificates/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://cabforum.org/guidance-ip-addresses-certificates/&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1790285" author="jesse" created="Wed, 31 Jan 2018 11:51:07 +0000"  >&lt;p&gt;Hmm, I&apos;m not certain what&apos;s happening here. From a bit of research it seems to me that having an IP address as the certificate&apos;s Common Name is deprecated - perhaps OpenSSL now prohibits a certificate with IP address as the CN, while Windows Secure Channel still allows it.&lt;/p&gt;

&lt;p&gt;Can you try a certificate with the IP address as the &quot;Subject Alternative Name&quot; instead of the Common Name?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="491376">SERVER-33069</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="294121">SERVER-24591</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="177479" name="dd.png" size="31983" author="winnie_quest" created="Thu, 1 Feb 2018 03:59:47 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htgrf3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>