<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 04:45:35 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-37296] Did KMIP CN requirement change to SAN?</title>
                <link>https://jira.mongodb.org/browse/SERVER-37296</link>
                <project id="10000" key="SERVER">Core Server</project>
<description>&lt;p&gt;Hello, we&apos;re working with a customer trying to close a mongodb enterprise sale. They are connecting to our key management server via KMIP.&lt;/p&gt;

&lt;p&gt;Previously (v 3.2), the CN had to exactly match the KMIP hostname specified in the mongo configuration. Now, the error is as follows:&lt;/p&gt;

&lt;pre&gt;2018-09-17T17:36:50.040+0800 E STORAGE  [initandlisten] Unable to retrieve key .system, error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: [&amp;lt;hostname&amp;gt;] does not match SAN(s): akm&lt;/pre&gt;

&lt;p&gt;Did the requirement change that the hostname must now be in the subject alternative name? If so, when did it change? And can this information be documented in the KMIP docs?&lt;/p&gt;

&lt;p&gt;If the requirement did not change and the CN already matches the hostname, what would cause it to reject the SAN?&lt;/p&gt;

&lt;p&gt;I&apos;m supposed to tag Kenn White on this issue, but see no way to do that.&lt;/p&gt;

&lt;p&gt;Thank you,&lt;/p&gt;

&lt;p&gt;Nick&lt;/p&gt;</description>
                <environment></environment>
        <key id="609139">SERVER-37296</key>
            <summary>Did KMIP CN requirement change to SAN?</summary>
                <type id="6" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14720&amp;avatarType=issuetype">Question</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="sara.golemon@mongodb.com">Sara Golemon</assignee>
                                    <reporter username="nicholasbayle">Nicholas Bayle</reporter>
                        <labels>
                    </labels>
                <created>Mon, 24 Sep 2018 18:09:37 +0000</created>
                <updated>Thu, 27 Dec 2018 04:19:38 +0000</updated>
                            <resolved>Thu, 27 Sep 2018 17:02:54 +0000</resolved>
                                    <version>3.6.6</version>
                                                                        <votes>0</votes>
                                    <watches>8</watches>
                                                                                                                <comments>
                            <comment id="2017478" author="sara.golemon" created="Fri, 28 Sep 2018 14:23:15 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=nicholasbayle&quot; class=&quot;user-hover&quot; rel=&quot;nicholasbayle&quot;&gt;nicholasbayle&lt;/a&gt; I&apos;ll reach out to DOCS to make a link, and I&apos;ll also see about the possibility of improving the error message.  Sorry about the confusion.&lt;/p&gt;</comment>
                            <comment id="2016548" author="nicholasbayle" created="Thu, 27 Sep 2018 17:04:51 +0000"  >&lt;p&gt;Someone please delete the hostname from the original ticket. I didn&apos;t know all this was public until after I started the ticket.&lt;/p&gt;</comment>
                            <comment id="2016542" author="greg.mckeon" created="Thu, 27 Sep 2018 17:02:30 +0000"  >&lt;p&gt;Closing this as &quot;Done&quot; with a linked ticket for the Docs team to improve our KMIP documentation.&lt;/p&gt;</comment>
                            <comment id="2016425" author="nicholasbayle" created="Thu, 27 Sep 2018 15:49:56 +0000"  >&lt;p&gt;I see, so the issue here was my understanding and documentation. Since my only interaction with MongoDB deployment is doing KMIP setup, I never ventured into the MongoDB client TLS documentation. After looking through the docs, this section from TLS:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The&#160;&lt;a href=&quot;https://docs.mongodb.com/manual/reference/program/mongo/#bin.mongo&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;mongo&lt;/tt&gt;&lt;/a&gt;&#160;shell verifies that the hostname (specified in&#160;&lt;a href=&quot;https://docs.mongodb.com/manual/reference/program/mongo/#cmdoption-mongo-host&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;--host&lt;/tt&gt;&lt;/a&gt;&#160;option or the connection string) matches the&#160;&lt;tt&gt;SAN&lt;/tt&gt;&#160;(or, if&#160;&lt;tt&gt;SAN&lt;/tt&gt;&#160;is not present, the&#160;&lt;tt&gt;CN&lt;/tt&gt;) in the certificate presented by the&#160;&lt;a href=&quot;https://docs.mongodb.com/manual/reference/program/mongod/#bin.mongod&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;mongod&lt;/tt&gt;&lt;/a&gt;&#160;or&#160;&lt;a href=&quot;https://docs.mongodb.com/manual/reference/program/mongos/#bin.mongos&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;mongos&lt;/tt&gt;&lt;/a&gt;. If&#160;&lt;tt&gt;SAN&lt;/tt&gt;&#160;is present,&#160;&lt;a href=&quot;https://docs.mongodb.com/manual/reference/program/mongo/#bin.mongo&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;mongo&lt;/tt&gt;&lt;/a&gt;&#160;does not match against the&#160;&lt;tt&gt;CN&lt;/tt&gt;. If the hostname does not match the&#160;&lt;tt&gt;SAN&lt;/tt&gt;&#160;(or&#160;&lt;tt&gt;CN&lt;/tt&gt;), the&#160;&lt;a href=&quot;https://docs.mongodb.com/manual/reference/program/mongo/#bin.mongo&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;mongo&lt;/tt&gt;&lt;/a&gt;shell will fail to connect.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Would be amazing to have in the KMIP section. Definitely spent a fair amount of time doing horrible workarounds to have matching CNs because I didn&apos;t realize there was SAN support (all errors had indicated CN in my case).&lt;/p&gt;

&lt;p&gt;Carry on.&lt;/p&gt;</comment>
                            <comment id="2016353" author="sara.golemon" created="Thu, 27 Sep 2018 15:26:08 +0000"  >&lt;p&gt;Sorry, I thought by tagging you in my prior comment you&apos;d be able to see it.&lt;br/&gt;
I&apos;m hoping you can share your public certificate and confirm what command line was being used on the v3.2 instance.&lt;/p&gt;</comment>
                            <comment id="2016334" author="nicholasbayle" created="Thu, 27 Sep 2018 15:16:00 +0000"  >&lt;p&gt;Are you actually waiting for user input? Because I&apos;ve heard nothing...&lt;/p&gt;</comment>
                            <comment id="2014065" author="sara.golemon" created="Tue, 25 Sep 2018 20:30:58 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=nicholasbayle&quot; class=&quot;user-hover&quot; rel=&quot;nicholasbayle&quot;&gt;nicholasbayle&lt;/a&gt; Can you confirm that the command line you provided is &lt;b&gt;also&lt;/b&gt; how they were starting v3.2 ?&lt;br/&gt;
Also, could you provide the certificate?&#160; No need for the private key, but I&apos;d like to confirm the public contents.&lt;/p&gt;</comment>
                            <comment id="2013668" author="sara.golemon" created="Tue, 25 Sep 2018 16:27:38 +0000"  >&lt;p&gt;Short answer: No. Looking at the CN/SAN matching logic in v3.2 and v3.6, they look essentially identical.&lt;/p&gt;

&lt;p&gt;Long answer: Both versions will, if any SAN is present, match ONLY against the SAN.&#160; It will try CN only if there is no SAN on the certificate.&#160; That error indicates the certificate has a SAN, therefore it should never have worked on 3.2 unless they were previously using --sslAllowInvalidCertificates or --sslAllowInvalidHostnames. ((Or if they were using a different certificate, obviously))&lt;/p&gt;</comment>
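The SAN-before-CN rule stated in the reply above, and in the TLS documentation quoted in the earlier comment, worked through as an added example (this is not MongoDB's or the KMIP server's code). It implements the matching on the certificate dictionary shape that Python's ssl module returns from getpeercert(), assumes a configured KMIP host of kmip.example.internal (the real hostname was removed from the ticket) and a SAN of "akm" as in the logged error, and models --sslAllowInvalidHostnames as a flag to show why a CN-only setup with a stray SAN could have appeared to work earlier.

```python
"""Hostname verification with the SAN-before-CN rule discussed in this ticket.

Added example (not MongoDB's code). It models the rule stated in the comments
above and in the quoted TLS docs, on the certificate dict shape that Python's
ssl.SSLSocket.getpeercert() returns, so it can also be fed a live peer's cert.
"""
import ipaddress


def dns_name_matches(pattern, hostname):
    """RFC 6125 style DNS-ID match: case-insensitive; a single leading '*.'
    wildcard stands for exactly one leftmost label and nothing else."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                       # ".example.internal"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]        # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost


def san_entries(cert):
    """All SAN entries as (type, value) pairs, e.g. ("DNS", "akm")."""
    return list(cert.get("subjectAltName", ()))


def common_names(cert):
    """Every commonName attribute in the subject, in order."""
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def _matches_any(names, hostname):
    """True if hostname matches one (type, value) pair; IP literals only
    match "IP Address" entries, DNS names only match "DNS" entries."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in names:
        if kind == "DNS" and ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                pass
    return False


def verify_hostname(cert, hostname, allow_invalid_hostnames=False):
    """Return (ok, reason).

    Rule from the comment above: if the certificate carries ANY SAN entry,
    match only against the SAN list; consult the CN only when there is no SAN.
    allow_invalid_hostnames models the --sslAllowInvalidHostnames escape hatch
    the reply mentions: the mismatch is still reported but no longer fatal.
    """
    sans = san_entries(cert)
    if sans:
        ok = _matches_any(sans, hostname)
        shown = ", ".join(value for _, value in sans)
        reason = ("matched SAN" if ok else
                  "Hostname: [%s] does not match SAN(s): %s" % (hostname, shown))
    else:
        cns = common_names(cert)
        ok = _matches_any([("DNS", cn) for cn in cns], hostname)
        reason = ("matched CN (no SAN present)" if ok else
                  "Hostname: [%s] does not match CN: %s" % (hostname, ", ".join(cns)))
    if not ok and allow_invalid_hostnames:
        return True, reason + " (ignored: allowInvalidHostnames)"
    return ok, reason


# Constructed samples mirroring the ticket. The configured KMIP host is an
# assumption; the real one was removed from the ticket at the reporter's request.
KMIP_HOST = "kmip.example.internal"
KMIP_CERT_WITH_SAN = {   # CN matches, but a SAN exists and does not: rejected
    "subject": ((("commonName", KMIP_HOST),),),
    "subjectAltName": (("DNS", "akm"),),
}
KMIP_CERT_CN_ONLY = {    # no SAN at all, so the CN is consulted and matches
    "subject": ((("commonName", KMIP_HOST),),),
}
KMIP_CERT_FIXED = {      # the fix: put the configured hostname into the SAN
    "subject": ((("commonName", KMIP_HOST),),),
    "subjectAltName": (("DNS", "akm"), ("DNS", KMIP_HOST)),
}

if __name__ == "__main__":
    for label, cert in [("SAN present, only CN matches", KMIP_CERT_WITH_SAN),
                        ("no SAN, CN matches", KMIP_CERT_CN_ONLY),
                        ("hostname added to SAN", KMIP_CERT_FIXED)]:
        print("%-30s %s" % (label + ":", verify_hostname(cert, KMIP_HOST)))
```

Against a live server the same function can be given the dict from ssl.SSLSocket.getpeercert(); offline, "openssl x509 -in server.pem -noout -text" shows the subject CN and the "X509v3 Subject Alternative Name" block that decide which branch applies. The practical check before a MongoDB upgrade is therefore not whether the CN matches, but whether the certificate has any SAN at all and, if so, whether the configured KMIP hostname is listed there.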
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="610909">DOCS-12092</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 24 Sep 2018 18:16:01 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        5 years, 19 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.prochazka@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            5 years, 19 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>greg.mckeon@mongodb.com</customfieldvalue>
            <customfieldvalue>nicholasbayle</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hu8q8f:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htyj6v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="2549">Security 2018-10-08</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hu8chr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>