authorIsabella Siu <isabella.siu@10gen.com>2019-01-03 14:35:08 -0500
committerIsabella Siu <isabella.siu@10gen.com>2019-01-07 17:12:14 -0500
commitc2ba9aa09271a916ab5d3e6fc27c94ae10a66ee3 (patch)
treea5d972efa16c8d349fdf8d2aee0a563c8cd6daa6 /src
parentb94945a1ee8d8d65c12fb4a8d53a82b1204c3e54 (diff)
SERVER-38427 Log warning when client connects with server's own TLS certificate
Diffstat (limited to 'src')
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp12
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp9
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp7
3 files changed, 26 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 702981323b8..084c3369f2e 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -386,7 +386,12 @@ StatusWith<SSLX509Name> extractSubjectName(::CFDictionaryRef dict) {
}
}
- return SSLX509Name(std::move(ret));
+ SSLX509Name subjectName = SSLX509Name(std::move(ret));
+ Status normalize = subjectName.normalizeStrings();
+ if (!normalize.isOK()) {
+ return normalize;
+ }
+ return subjectName;
}
StatusWith<mongo::Date_t> extractValidityDate(::CFDictionaryRef dict,
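Review bot: `SSLX509Name subjectName = SSLX509Name(std::move(ret));` builds a temporary and then move-initializes from it; direct initialization `SSLX509Name subjectName(std::move(ret));` says the same thing without the detour. The same pattern is used in the OpenSSL hunk for `getCertificateSubjectX509Name`. Returning the `Status` from `normalizeStrings()` through the `StatusWith` here is the right shape for this function, so the error-path change itself looks fine. `extractSubjectName` begins outside the hunk.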
@@ -1442,6 +1447,11 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
const auto peerSubjectName = std::move(swPeerSubjectName.getValue());
LOG(2) << "Accepted TLS connection from peer: " << peerSubjectName;
+ // If this is a server and client and server certificate are the same, log a warning.
+ if (_sslConfiguration.serverSubjectName() == peerSubjectName) {
+ warning() << "Client connecting with server's own TLS certificate";
+ }
+
if (remoteHost.empty()) {
// If this is an SSL server context (on a mongod/mongos)
// parse any client roles out of the client certificate.
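Review bot: The new warning in the Apple implementation runs on both sides of the handshake, because unlike the OpenSSL and Windows hunks of this commit it is not guarded by `remoteHost.empty()`; when this process is the client (`remoteHost` non-empty), `_sslConfiguration.serverSubjectName()` is presumably its own certificate subject, so a client connecting to a server that uses the same subject would log "Client connecting with server's own TLS certificate" about itself. Suggested guard, matching the other two files: `if (remoteHost.empty() && _sslConfiguration.serverSubjectName() == peerSubjectName) {`. Also, in all three implementations the comparison is on the normalized subject name only, so a distinct certificate with an identical subject also triggers the message, and the wording "server's own TLS certificate" claims more than was checked; a phrasing like `"Client connecting with a certificate whose subject matches the server's own TLS certificate"` is accurate to the comparison, or compare a certificate fingerprint if the peer info carries one. `parseAndValidatePeerCertificate` begins and ends outside the hunk.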
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 61f794363eb..e3eab7cbe6d 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -718,7 +718,9 @@ SSLX509Name getCertificateSubjectX509Name(X509* cert) {
entries.push_back(std::move(rdn));
}
- return SSLX509Name(std::move(entries));
+ SSLX509Name subjectName = SSLX509Name(std::move(entries));
+ uassertStatusOK(subjectName.normalizeStrings());
+ return subjectName;
}
int verifyDHParameters(const UniqueDHParams& dhparams) {
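Review bot: `uassertStatusOK(subjectName.normalizeStrings())` turns a normalization failure into an exception inside a function that previously could not throw, and its caller `parseAndValidatePeerCertificate` (next hunk, `auto peerSubject = getCertificateSubjectX509Name(peerCert);`) returns a `StatusWith` and reports its other validation failures as statuses, so this failure leaves the handshake by a different path than the Apple implementation, which returns the `Status`. Since the function returns `SSLX509Name` by value, the throw is the only option without a signature change; if that is intended, a header comment such as `// Throws (via uassertStatusOK) if the subject's strings cannot be normalized.` would tell callers what to expect. `getCertificateSubjectX509Name` begins outside the hunk.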
@@ -1568,6 +1570,11 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
auto peerSubject = getCertificateSubjectX509Name(peerCert);
LOG(2) << "Accepted TLS connection from peer: " << peerSubject;
+ // If this is a server and client and server certificate are the same, log a warning.
+ if (remoteHost.empty() && _sslConfiguration.serverSubjectName() == peerSubject) {
+ warning() << "Client connecting with server's own TLS certificate";
+ }
+
StatusWith<stdx::unordered_set<RoleName>> swPeerCertificateRoles = _parsePeerRoles(peerCert);
if (!swPeerCertificateRoles.isOK()) {
return swPeerCertificateRoles.getStatus();
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index de9854ed536..111d38157c8 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1486,6 +1486,7 @@ Status SSLManagerWindows::_validateCertificate(PCCERT_CONTEXT cert,
Date_t::fromMillisSinceEpoch(FiletimeToEpocMillis(cert->pCertInfo->NotAfter));
}
+ uassertStatusOK(subjectName->normalizeStrings());
return Status::OK();
}
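Review bot: `uassertStatusOK(subjectName->normalizeStrings());` throws from `_validateCertificate`, whose very next line is `return Status::OK();` — the function reports failures through its `Status` return, so a normalization failure takes a different exit path from every other error it detects. Returning the status keeps the contract: `Status normalize = subjectName->normalizeStrings(); if (!normalize.isOK()) { return normalize; }`. The same applies to the `uassertStatusOK(peerSubjectName->normalizeStrings());` added to `validatePeerCertificate` in the following hunk, which likewise returns `Status`. Both functions begin outside their hunks.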
@@ -1696,6 +1697,7 @@ Status validatePeerCertificate(const std::string& remoteHost,
return Status(ErrorCodes::SSLHandshakeFailed, msg);
}
}
+ uassertStatusOK(peerSubjectName->normalizeStrings());
return Status::OK();
}
@@ -1794,6 +1796,11 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerWindows::parseAndValidatePeer
LOG(2) << "Accepted TLS connection from peer: " << peerSubjectName;
+ // If this is a server and client and server certificate are the same, log a warning.
+ if (remoteHost.empty() && _sslConfiguration.serverSubjectName() == peerSubjectName) {
+ warning() << "Client connecting with server's own TLS certificate";
+ }
+
// On the server side, parse the certificate for roles
if (remoteHost.empty()) {
StatusWith<stdx::unordered_set<RoleName>> swPeerCertificateRoles = parsePeerRoles(cert);