Diffstat (limited to 'src/mongo/util/net/ssl_manager_openssl.cpp')
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp19
1 files changed, 13 insertions, 6 deletions
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 8ebdf5158ef..a73c0180cc6 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1601,17 +1601,24 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
}
}
sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free);
- } else {
- // If Subject Alternate Name (SAN) doesn't exist and Common Name (CN) does,
- // check Common Name.
+ }
+
+ if (!sanMatch) {
+ // If SAN doesn't match, check to see if CN does.
+ // If it does and no SAN was provided, that's a match.
+ // Anything else is a varying degree of failure.
auto swCN = peerSubject.getOID(kOID_CommonName);
if (swCN.isOK()) {
auto commonName = std::move(swCN.getValue());
+ certificateNames << "CN: " << commonName;
if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
- cnMatch = true;
+ if (sanNames) {
+ certificateNames << " would have matched, but was overridden by SAN";
+ } else {
+ cnMatch = true;
+ }
}
- certificateNames << "CN: " << commonName;
- } else {
+ } else if (!sanNames) {
certificateNames << "No Common Name (CN) or Subject Alternate Names (SAN) found";
}
}
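Review bot: `sanNames` is tested in the added `if (sanNames)` and `else if (!sanNames)` after `sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free)` has already released it, so a dangling pointer is serving as the "certificate carried a SAN" flag. It is only compared and never dereferenced, but the hostname-verification outcome now depends on that freed pointer staying non-null. A later cleanup that nulls it after the free would silently re-enable CN fallback for certificates that do carry a SAN. Record presence before the free, e.g. `const bool hasSAN = (sanNames != nullptr);`, and test `hasSAN` in both places. The declaration of `sanNames` and the SAN loop lie outside the hunk, so this assumes nothing reassigns the pointer in between.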