From 9316f09c434c62a2280cf50d08cb41a88e923deb Mon Sep 17 00:00:00 2001 From: ADAM David Alan Martin Date: Wed, 30 Aug 2017 15:06:13 -0400 Subject: SERVER-23645 Unix socket certificate name mismatch is now a warning Because Unix Domain Sockets are indicated by path, we can easily distinguish when we are likely to create them. Certificate mismatches on name for such sockets become warnings, instead of connection failures. --- src/mongo/util/net/ssl_manager.cpp | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 6206930cf1f..8766d1fed64 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -77,6 +77,18 @@ namespace mongo { namespace { +// Because the hostname having a slash is used by `mongo::SockAddr` to determine if a hostname is a +// Unix Domain Socket endpoint, this function uses the same logic. (See +// `mongo::SockAddr::Sockaddr(StringData, int, sa_family_t)`). A user explicitly specifying a Unix +// Domain Socket in the present working directory, through a code path which supplies `sa_family_t` +// as `AF_UNIX` will cause this code to lie. This will, in turn, cause the +// `SSLManager::parseAndValidatePeerCertificate` code to believe a socket is a host, which will then +// cause a connection failure if and only if that domain socket also has a certificate for SSL and +// the connection is an SSL connection. +bool isUnixDomainSocket(const std::string& hostname) { + return end(hostname) != std::find(begin(hostname), end(hostname), '/'); +} + const transport::Session::Decoration peerInfoForSession = transport::Session::declareDecoration(); 
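Review bot: The comment on `isUnixDomainSocket` documents only the fail-closed error (a slash-less socket path treated as a host), but the opposite error is the one that weakens security: any `remoteHost` containing `/` now skips hostname enforcement in the second hunk. Whether a TCP peer name can ever contain a slash at that call site is not visible here. The check should therefore be driven by the connection's actual address family, or the comment should state the invariant, e.g. `// Callers must only pass names SockAddr would also treat as AF_UNIX; a '/' in any other host name disables hostname verification.` On style, `hostname.find('/') != std::string::npos` expresses the same test without depending on `<algorithm>`, and the constructor reference in the comment should read `SockAddr::SockAddr`.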
@@ -1415,7 +1427,7 @@ StatusWith> SSLManager::parseAndValidatePeerCertifi msgBuilder << "The server certificate does not match the host name. Hostname: " << remoteHost << " does not match " << certificateNames.str(); std::string msg = msgBuilder.str(); - if (_allowInvalidCertificates || _allowInvalidHostnames) { + if (_allowInvalidCertificates || _allowInvalidHostnames || isUnixDomainSocket(remoteHost)) { warning() << msg; } else { error() << msg; -- cgit v1.2.1
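Review bot: The downgraded branch logs the same `msg` through `warning()` whether the cause is `_allowInvalidCertificates`, `_allowInvalidHostnames` or the new `isUnixDomainSocket(remoteHost)` exemption, so an operator reading the log cannot tell a configured opt-out from the path heuristic firing. Because the exemption is decided from the string alone, a separate branch with its own text would make an unexpected bypass visible, for example `warning() << msg << " (not enforced: remote host is a Unix domain socket path)";`. The body of `parseAndValidatePeerCertificate` starts and ends outside the hunk, so how `remoteHost` is populated cannot be confirmed from here.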