Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/util/net/ssl_manager_apple.cpp | 12 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 19 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_windows.cpp | 8 |
3 files changed, 30 insertions, 9 deletions
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index fd90601440d..c8ad459d88a 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1598,8 +1598,9 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 }
 certErr << san << " ";
 }
+ }
- } else {
+ if (!sanMatch) {
 auto swCN = peerSubjectName.getOID(kOID_CommonName);
 if (swCN.isOK()) {
 auto commonName = std::move(swCN.getValue());
@@ -1611,8 +1612,13 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerApple::parseAndValidatePeerCe
 } else if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
 cnMatch = true;
 }
- certErr << "CN: " << commonName;
- } else {
+
+ if (cnMatch && !sans.empty()) {
+ // SANs override CN for matching purposes.
+ cnMatch = false;
+ certErr << "CN: " << commonName << " would have matched, but was overridden by SAN";
+ }
+ } else if (sans.empty()) {
 certErr << "No Common Name (CN) or Subject Alternate Names (SAN) found";
 }
 }
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 8ebdf5158ef..a73c0180cc6 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
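Review bot: In the Apple hunk at @@ -1611 the unconditional `certErr << "CN: " << commonName;` is removed, so a certificate whose CN simply does not match the host no longer has its CN reported in the hint at all; the CN now only appears in the override case. The OpenSSL hunk in this same commit keeps `certificateNames << "CN: " << commonName;` ahead of the match check, so the two backends now produce different diagnostics for the same mismatch. Suggest restoring the unconditional `certErr << "CN: " << commonName;` before the new `if (cnMatch && !sans.empty())` block and reducing the line inside it to `certErr << " would have matched, but was overridden by SAN";`. The `if` branch that pairs with `} else if (hostNameMatchForX509Certificates(...))`, and the declarations of `sans` and `cnMatch`, are outside the hunk, so whether another path also sets cnMatch could not be checked here; the enclosing function starts and ends outside the hunk.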
@@ -1601,17 +1601,24 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManagerOpenSSL::parseAndValidatePeer
 }
 }
 sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free);
- } else {
- // If Subject Alternate Name (SAN) doesn't exist and Common Name (CN) does,
- // check Common Name.
+ }
+
+ if (!sanMatch) {
+ // If SAN doesn't match, check to see if CN does.
+ // If it does and no SAN was provided, that's a match.
+ // Anything else is a varying degree of failure.
 auto swCN = peerSubject.getOID(kOID_CommonName);
 if (swCN.isOK()) {
 auto commonName = std::move(swCN.getValue());
+ certificateNames << "CN: " << commonName;
 if (hostNameMatchForX509Certificates(remoteHost, commonName)) {
- cnMatch = true;
+ if (sanNames) {
+ certificateNames << " would have matched, but was overridden by SAN";
+ } else {
+ cnMatch = true;
+ }
 }
- certificateNames << "CN: " << commonName;
- } else {
+ } else if (!sanNames) {
 certificateNames << "No Common Name (CN) or Subject Alternate Names (SAN) found";
 }
 }
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 95b5bda7bd8..c5b8771f945 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1675,7 +1675,9 @@ Status validatePeerCertificate(const std::string& remoteHost,
 // Give the user a hint why the certificate validation failed.
 StringBuilder certificateNames;
+ bool hasSAN = false;
 if (swAltNames.isOK() && !swAltNames.getValue().empty()) {
+ hasSAN = true;
 for (auto& name : swAltNames.getValue()) {
 certificateNames << name << " ";
 }
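Review bot: The new `if (sanNames)` and `} else if (!sanNames)` tests read `sanNames` after `sk_GENERAL_NAME_pop_free(sanNames, GENERAL_NAME_free);` has already released it; the pointer is only compared, not dereferenced, so this is not a use-after-free, but using a freed pointer as a presence flag is fragile and differs from the Windows hunk in this commit, which records `bool hasSAN` up front. Capturing `const bool hasSAN = sanNames != nullptr;` before the free and testing `hasSAN` / `!hasSAN` in the two new conditions keeps the three backends in the same shape. Note also that a non-null but empty stack counts as "SAN present" here, whereas the Apple hunk tests `!sans.empty()`; whether an empty stack can reach this point is not visible from the hunk. The declaration of sanNames and the rest of the function are outside the hunk.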
@@ -1683,6 +1685,12 @@ Status validatePeerCertificate(const std::string& remoteHost,
 certificateNames << ", Subject Name: " << *peerSubjectName;
+ auto swCN = peerSubjectName->getOID(kOID_CommonName);
+ if (hasSAN && swCN.isOK() &&
+ hostNameMatchForX509Certificates(remoteHost, swCN.getValue())) {
+ certificateNames << " would have matched, but was overridden by SAN";
+ }
+
 str::stream msg;
 msg << "The server certificate does not match the host name. Hostname: " << remoteHost << " does not match " << certificateNames.str();
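Review bot: The new block consults the CN only when `hasSAN` is true but carries no comment saying why, while the OpenSSL hunk in this commit documents the equivalent branch; a reader of this file alone cannot tell that the check is deliberately one-sided. A one-line comment above `auto swCN = peerSubjectName->getOID(kOID_CommonName);` such as `// With a SAN extension present the CN is not used for matching (RFC 6125 §6.4.4); explain that in the hint.` would make the intent clear. Whether the no-SAN case is matched against the CN elsewhere in validatePeerCertificate is outside the hunk; the function starts and ends outside the hunk.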