diff options
author | ADAM David Alan Martin <adam.martin@10gen.com> | 2017-08-30 15:06:13 -0400 |
---|---|---|
committer | ADAM David Alan Martin <adam.martin@10gen.com> | 2017-08-30 15:06:13 -0400 |
commit | 9316f09c434c62a2280cf50d08cb41a88e923deb (patch) | |
tree | 1d6e016e1d9cd5662739b9495cfff5210d1ef9da | |
parent | 79b47945a6aae707d44e05669d991d86b157a14b (diff) | |
download | mongo-9316f09c434c62a2280cf50d08cb41a88e923deb.tar.gz |
SERVER-23645 Unix socket certificate name mismatch is now a warning
Because Unix Domain Sockets are indicated by path, we can easily distinguish
when we are likely to create them. Certificate mismatches on name for such
sockets become warnings, instead of connection failures.
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 6206930cf1f..8766d1fed64 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -77,6 +77,18 @@ namespace mongo { namespace { +// Because the hostname having a slash is used by `mongo::SockAddr` to determine if a hostname is a +// Unix Domain Socket endpoint, this function uses the same logic. (See +// `mongo::SockAddr::Sockaddr(StringData, int, sa_family_t)`). A user explicitly specifying a Unix +// Domain Socket in the present working directory, through a code path which supplies `sa_family_t` +// as `AF_UNIX` will cause this code to lie. This will, in turn, cause the +// `SSLManager::parseAndValidatePeerCertificate` code to believe a socket is a host, which will then +// cause a connection failure if and only if that domain socket also has a certificate for SSL and +// the connection is an SSL connection. +bool isUnixDomainSocket(const std::string& hostname) { + return end(hostname) != std::find(begin(hostname), end(hostname), '/'); +} + const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession = transport::Session::declareDecoration<SSLPeerInfo>(); @@ -1415,7 +1427,7 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManager::parseAndValidatePeerCertifi msgBuilder << "The server certificate does not match the host name. Hostname: " << remoteHost << " does not match " << certificateNames.str(); std::string msg = msgBuilder.str(); - if (_allowInvalidCertificates || _allowInvalidHostnames) { + if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHost)) { warning() << msg; } else { error() << msg; |