author | Adam Cooper <adam.cooper@mongodb.com> | 2019-09-06 14:48:25 +0000 |
---|---|---|
committer | evergreen <evergreen@mongodb.com> | 2019-09-06 14:48:25 +0000 |
commit | 3e6f3e9144e33790711b0b656bae85ed5015504b (patch) | |
tree | 6ef1e356952a5e7f739d15f8ad99751460f19338 /src/mongo/util/net/ssl_manager_openssl.cpp | |
parent | 507936ebc445cd165d349701f569c264faca9077 (diff) | |
download | mongo-3e6f3e9144e33790711b0b656bae85ed5015504b.tar.gz |
SERVER-42287 SNI names are not allowed to include IP addresses
Diffstat (limited to 'src/mongo/util/net/ssl_manager_openssl.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index e6fdd202bb3..2ba1e1a56d1 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -68,6 +68,7 @@
 #ifndef _WIN32
 #include <netinet/in.h>
 #endif
+#include <arpa/inet.h>
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/dh.h>
@@ -1441,9 +1442,17 @@ SSLConnectionInterface* SSLManagerOpenSSL::connect(Socket* socket) {
 _clientContext.get(), socket, (const char*)nullptr, 0);
 const auto undotted = removeFQDNRoot(socket->remoteAddr().hostOrIp());
- int ret = ::SSL_set_tlsext_host_name(sslConn->ssl, undotted.c_str());
- if (ret != 1)
- _handleSSLError(sslConn.get(), ret);
+
+ // only have TLS advertise host name if it is not an IP address
+ int ret;
+ std::array<uint8_t, INET6_ADDRSTRLEN> unusedBuf;
+ if ((inet_pton(AF_INET, undotted.c_str(), unusedBuf.data()) == 0) &&
+ (inet_pton(AF_INET6, undotted.c_str(), unusedBuf.data()) == 0)) {
+ ret = ::SSL_set_tlsext_host_name(sslConn->ssl, undotted.c_str());
+ if (ret != 1) {
+ _handleSSLError(sslConn.get(), ret);
+ }
+ }
 do {
 ret = ::SSL_connect(sslConn->ssl);
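Review bot: `unusedBuf` is sized by `INET6_ADDRSTRLEN`, which is the length of a textual IPv6 address, while `inet_pton` writes the binary address (`in_addr`/`in6_addr`); the buffer is large enough, but the constant documents the wrong quantity, so `std::array<uint8_t, sizeof(in6_addr)> unusedBuf;` (or a plain `in6_addr` scratch variable) would state the intent. The two `== 0` comparisons also fold a `-1` return (address family not supported) into "this is an IP literal", so SNI is then silently omitted for every peer; if that fail-safe is deliberate, a comment such as `// inet_pton() < 0 also suppresses SNI; intentional` would make it explicit, otherwise compare against `!= 1`. In the first hunk `<arpa/inet.h>` is added outside the `#ifndef _WIN32` guard that the neighbouring `<netinet/in.h>` carries, which only matters if this translation unit is ever built on Windows. Whether `hostOrIp()` can yield a bracketed or zone-scoped IPv6 literal, which `inet_pton` rejects and would therefore still be advertised as SNI, is not visible from the hunk. The enclosing `SSLManagerOpenSSL::connect` continues beyond the hunk.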