author | Sara Golemon <sara.golemon@mongodb.com> | 2019-04-16 16:44:35 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2019-04-17 14:18:17 +0000 |
commit | ed0939a343ac78527e2633301b68f52721f93d0a (patch) | |
tree | 3bb7a37157e32442abe83e0c0792a0d2d7bb6946 /src/mongo/util/net/ssl_manager_apple.cpp | |
parent | 82b9d4fd30cff3a19484325157b5e3d44211080f (diff) | |
SERVER-37370 Improve CN/SAN mismatch error message
Diffstat (limited to 'src/mongo/util/net/ssl_manager_apple.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index fd90601440d..c8ad459d88a 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1598,8 +1598,9 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 }
 certErr << san << " ";
 }
+ }
 
- } else {
+ if (!sanMatch) {
 auto swCN = peerSubjectName.getOID(kOID_CommonName);
 if (swCN.isOK()) {
 auto commonName = std::move(swCN.getValue());
@@ -1611,8 +1612,13 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 } else if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
 cnMatch = true;
 }
- certErr << "CN: " << commonName;
- } else {
+
+ if (cnMatch && !sans.empty()) {
+ // SANs override CN for matching purposes.
+ cnMatch = false;
+ certErr << "CN: " << commonName << " would have matched, but was overridden by SAN";
+ }
+ } else if (sans.empty()) {
 certErr << "No Common Name (CN) or Subject Alternate Names (SAN) found";
 }
 }
|
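Review bot: The `if (!sanMatch) {` guard now runs the CN comparison for certificates that do carry SANs, so the rule that SANs override CN rests entirely on the `cnMatch = false` reset in the second hunk. A later edit that returns early or reorders that block could let a CN match be accepted even though the SAN list rejected the host. A comment on the guard would make the intent explicit, for example `// With SANs present the CN is checked for the error message only and must never satisfy the match.` Keeping the comparison result in a local and assigning `cnMatch` only when `sans.empty()` would remove the dependency altogether. The function body starts and ends outside the hunk.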
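Review bot: A CN that simply does not match is no longer reported, because the removed `certErr << "CN: " << commonName;` ran whenever the CN was readable while the new write happens only under `cnMatch && !sans.empty()`. For a CN-only certificate with the wrong name the mismatch message would then carry no name at all, unless the lines between the two hunks (not shown) write it. Adding `else if (!cnMatch) { certErr << "CN: " << commonName; }` after the override block keeps that diagnostic. Since `commonName` comes from the peer's certificate, it is also worth quoting or escaping it before it is embedded in the message. The enclosing function starts and ends outside the hunk.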