diff options
Diffstat (limited to 'src/mongo/util/net/ssl_manager_openssl.cpp')
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp index 8ebdf5158ef..a73c0180cc6 100644 --- a/src/mongo/util/net/ssl_manager_openssl.cpp +++ b/src/mongo/util/net/ssl_manager_openssl.cpp @@ -1601,17 +1601,24 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer } } sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free); - } else { - // If Subject Alternate Name (SAN) doesn't exist and Common Name (CN) does, - // check Common Name. + } + + if (!sanMatch) { + // If SAN doesn't match, check to see if CN does. + // If it does and no SAN was provided, that's a match. + // Anything else is a varying degree of failure. auto swCN = peerSubject.getOID(kOID_CommonName); if (swCN.isOK()) { auto commonName = std::move(swCN.getValue()); + certificateNames << "CN: " << commonName; if (hostNameMatchForX509Certificates(remoteHost, commonName)) { - cnMatch = true; + if (sanNames) { + certificateNames << " would have matched, but was overridden by SAN"; + } else { + cnMatch = true; + } } - certificateNames << "CN: " << commonName; - } else { + } else if (!sanNames) { certificateNames << "No Common Name (CN) or Subject Alternate Names (SAN) found"; } } |