SSL Certificate Validation & Handling Security Improved

As of MongoChef 4.5, we added support for MongoDB 3.4. The introduction of the 3.4 MongoDB driver has brought quite a few bugfixes and changes, one of which is stricter, more secure handling of SSL certificates.

MongoChef now verifies that the certificate presented by the server actually belongs to the host you asked to connect to. The SSL/TLS protocol is now more strictly adhered to.

However, some SSL connections may now fail to work if they are not properly configured.

Each certificate protects a specific entity, stated in the Common Name (CN) of the certificate’s Subject field – see https://support.dnsimple.com/articles/what-is-common-name/. The common name identifies the host the SSL certificate was issued for. The certificate is accepted for a connection only if the hostname you requested matches the certificate’s common name (or one of its subject alternative names).

If this is not the case, MongoChef will now, by default, refuse the connection.

SSL Connection Issues

If you are having problems connecting, it may be that you are connecting to the MongoDB server by IP address rather than by hostname, so the address you typed does not match the certificate’s CN. The client then looks for a subject alternative name entry matching that IP address xx.xx.xx.xx; if the certificate carries none, an error like “CertificateException: No subject alternative names present” is given.

A way to test this is to connect by name rather than by IP: e.g. “my-ssl-mongod.server.com” instead of the IP “xx.xx.xxx.xx”. You have to make sure that this name resolves to the correct IP. If your local DNS does not resolve it, the mapping will have to be entered in the local OS’ hosts file – e.g. /etc/hosts on Unix-like systems.

Another reason the connection may no longer work is that the server’s certificate (and/or the PEM client key file you are using, if any) is invalid. This is usually due to the use of a certificate that was not generated with a proper CN. Note that it may also mean that you are the target of a MITM (man-in-the-middle) attack, which is exactly what the hostname check exists to detect.

How to Override

For our users’ convenience, we have added a new SSL option in the latest MongoChef 4.5.2 release. It makes your connection also accept certificates whose name does not match the host, which emulates the connection behavior of MongoChef 4.4.x. Keep in mind that with this option enabled the client can no longer tell a genuine server from one impersonating it, so prefer fixing the certificate or connecting by the certified hostname where you can.

SSL Allow Invalid Hostnames
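To make the hostname check described under “SSL Connection Issues” concrete, here is an added example that is not part of the original post or of MongoChef itself. It implements the matching rule a client applies (DNS and IP subject alternative names first, Common Name as a fallback, and no CN fallback at all when you connect by IP address) over two constructed certificate records in the shape Python’s ssl.getpeercert() returns; the certificate names and addresses are made up. The allow_invalid_hostnames flag mirrors what the “SSL Allow Invalid Hostnames” override does: it simply skips the check.

```python
import ipaddress

# Constructed sample certificates in the shape returned by ssl.SSLSocket.getpeercert():
# the first carries a CN only (no SAN), the second carries DNS and IP SANs.
CERT_CN_ONLY = {
    "subject": ((("commonName", "my-ssl-mongod.server.com"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "my-ssl-mongod.server.com"),),),
    "subjectAltName": (
        ("DNS", "my-ssl-mongod.server.com"),
        ("DNS", "*.replica.server.com"),
        ("IP Address", "10.0.0.5"),
    ),
}


class CertificateException(Exception):
    """Raised when the certificate does not cover the requested host."""


def _dns_matches(pattern, hostname):
    # Case-insensitive comparison; a wildcard is honoured only as the whole
    # leftmost label and never spans more than one label.
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def match_hostname(cert, requested_host, allow_invalid_hostnames=False):
    """Return True if requested_host is covered by cert, else raise CertificateException.

    allow_invalid_hostnames=True mirrors the MongoChef override: the check is skipped.
    """
    if allow_invalid_hostnames:
        return True
    try:
        ip = ipaddress.ip_address(requested_host)
    except ValueError:
        ip = None

    sans = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP address is matched only against "IP Address" SAN entries, never
        # against the CN; a certificate without SANs yields the error from the post.
        if not sans:
            raise CertificateException("No subject alternative names present")
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        raise CertificateException(f"No subject alternative IP address matching {ip} found")

    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        if any(_dns_matches(p, requested_host) for p in dns_names):
            return True
        raise CertificateException(f"No subject alternative DNS name matching {requested_host} found")

    # No DNS SANs at all: fall back to the Common Name.
    cn = _common_name(cert)
    if cn is not None and _dns_matches(cn, requested_host):
        return True
    raise CertificateException(f"No name matching {requested_host} found (CN={cn!r})")


def check(cert, host, allow_invalid_hostnames=False):
    """Convenience wrapper returning (ok, message) instead of raising."""
    try:
        match_hostname(cert, host, allow_invalid_hostnames)
        return True, "hostname verified"
    except CertificateException as exc:
        return False, f"CertificateException: {exc}"


if __name__ == "__main__":
    for cert_name, cert in (("CN only", CERT_CN_ONLY), ("with SAN", CERT_WITH_SAN)):
        for host in ("my-ssl-mongod.server.com", "10.0.0.5", "node1.replica.server.com"):
            print(f"{cert_name:9} {host:26} -> {check(cert, host)[1]}")
    print("override  10.0.0.5 against CN-only cert ->", check(CERT_CN_ONLY, "10.0.0.5", True)[1])
```

Running it shows the two situations from the post side by side: connecting to the CN-only certificate by its name succeeds, connecting to the same certificate by IP fails with “No subject alternative names present”, and the override makes that failure disappear without the certificate having become any more trustworthy.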