authorSara Golemon <sara.golemon@mongodb.com>2019-04-16 16:44:35 +0000
committerSara Golemon <sara.golemon@mongodb.com>2019-04-17 14:18:17 +0000
commited0939a343ac78527e2633301b68f52721f93d0a (patch)
tree3bb7a37157e32442abe83e0c0792a0d2d7bb6946 /src/mongo/util
parent82b9d4fd30cff3a19484325157b5e3d44211080f (diff)
SERVER-37370 Improve CN/SAN mismatch error message
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp12
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp19
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp8
3 files changed, 30 insertions, 9 deletions
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index fd90601440d..c8ad459d88a 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1598,8 +1598,9 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
}
certErr << san << " ";
}
+ }
- } else {
+ if (!sanMatch) {
auto swCN = peerSubjectName.getOID(kOID_CommonName);
if (swCN.isOK()) {
auto commonName = std::move(swCN.getValue());
@@ -1611,8 +1612,13 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
} else if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
cnMatch = true;
}
- certErr << "CN: " << commonName;
- } else {
+
+ if (cnMatch && !sans.empty()) {
+ // SANs override CN for matching purposes.
+ cnMatch = false;
+ certErr << "CN: " << commonName << " would have matched, but was overridden by SAN";
+ }
+ } else if (sans.empty()) {
certErr << "No Common Name (CN) or Subject Alternate Names (SAN) found";
}
}
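Review bot: A CN that is present but simply does not match the host is no longer recorded in `certErr`: the unconditional `certErr << "CN: " << commonName;` was removed and the name is now written only inside the `cnMatch && !sans.empty()` branch, so a plain CN mismatch on a certificate with no SANs yields an error that lists no names at all. The OpenSSL hunk in this same commit keeps the unconditional write and appends only the suffix; doing the same here — `certErr << "CN: " << commonName;` directly after the match chain, and `certErr << " would have matched, but was overridden by SAN";` inside the override branch — keeps the diagnostics consistent across the three backends. parseAndValidatePeerCertificate starts and ends outside this hunk, so I am assuming nothing after the hunk writes the CN on the non-matching path.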
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 8ebdf5158ef..a73c0180cc6 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1601,17 +1601,24 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
}
}
sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free);
- } else {
- // If Subject Alternate Name (SAN) doesn't exist and Common Name (CN) does,
- // check Common Name.
+ }
+
+ if (!sanMatch) {
+ // If SAN doesn't match, check to see if CN does.
+ // If it does and no SAN was provided, that's a match.
+ // Anything else is a varying degree of failure.
auto swCN = peerSubject.getOID(kOID_CommonName);
if (swCN.isOK()) {
auto commonName = std::move(swCN.getValue());
+ certificateNames << "CN: " << commonName;
if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
- cnMatch = true;
+ if (sanNames) {
+ certificateNames << " would have matched, but was overridden by SAN";
+ } else {
+ cnMatch = true;
+ }
}
- certificateNames << "CN: " << commonName;
- } else {
+ } else if (!sanNames) {
certificateNames << "No Common Name (CN) or Subject Alternate Names (SAN) found";
}
}
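Review bot: `sanNames` is read at `if (sanNames)` and `else if (!sanNames)` after `sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free);` has already released it, so the new branches hinge on the value of a dangling pointer; it is only compared, never dereferenced, but that is exactly the pattern that invites a later dereference and that static analysers flag. Capture the fact before the free — `const bool hasSAN = (sanNames != nullptr);` ahead of the `sk_GENERAL_NAME_pop_free` call — and test `hasSAN` / `!hasSAN` in the two branches, which also matches the `hasSAN` name the Windows hunk introduces. A non-null stack says the SAN extension was present, not that it held an entry; how an empty list is treated by the loop above is outside this hunk, so I have not checked it. parseAndValidatePeerCertificate starts and ends outside the hunk.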
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 95b5bda7bd8..c5b8771f945 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1675,7 +1675,9 @@ Status validatePeerCertificate(const std::string& remoteHost,
// Give the user a hint why the certificate validation failed.
StringBuilder certificateNames;
+ bool hasSAN = false;
if (swAltNames.isOK() && !swAltNames.getValue().empty()) {
+ hasSAN = true;
for (auto& name : swAltNames.getValue()) {
certificateNames << name << " ";
}
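Review bot: `hasSAN` is declared mutable and assigned from inside the `if` body even though its value is exactly the `if` condition; `const bool hasSAN = swAltNames.isOK() && !swAltNames.getValue().empty();` followed by `if (hasSAN) {` expresses the same thing without the separate assignment and lets the flag be const for the rest of the function. validatePeerCertificate starts before this hunk and continues after it.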
@@ -1683,6 +1685,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
certificateNames << ", Subject Name: " << *peerSubjectName;
+ auto swCN = peerSubjectName->getOID(kOID_CommonName);
+ if (hasSAN && swCN.isOK() &&
+ hostNameMatchForX509Certificates(remoteHost, swCN.getValue())) {
+ certificateNames << " would have matched, but was overridden by SAN";
+ }
+
str::stream msg;
msg << "The server certificate does not match the host name. Hostname: " << remoteHost
<< " does not match " << certificateNames.str();