Couchbase Server / MB-37420

Support node-to-node encryption with wildcard certs in SAN entries

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 6.5.0
    • Fix Version/s: 6.5.1
    • Component/s: build, ns_server

      Description

      Erlang SSL clients don't support wildcards in SAN entries in OTP 20, which is what Couchbase Server currently runs against. See this Erlang ticket https://bugs.erlang.org/browse/ERL-542.

      This is a problem since using the common name in the subject field for server identity has long since been deprecated (see https://tools.ietf.org/html/rfc2818#section-3.1) and a DNS SAN entry should be used. Additionally, in split-DNS (i.e. cloud) environments, using DNS SAN entries is now completely the norm, so this issue rises to the level of node-to-node encryption not working with wildcards.

      We should patch our Erlang with this pull request to allow wildcards in SAN entries to work.
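
Added example (not part of the ticket and not Couchbase or Erlang/OTP code): a Python model of DNS SAN matching that contrasts a client comparing names exactly, so a wildcard entry never covers a node, with one that accepts `*` as the whole left-most label. All hostnames and SAN values are constructed, and requiring at least two labels after the wildcard is an assumption of this example.

```python
# Added example: exact-only vs. wildcard-aware matching of DNS SAN entries.
# All hostnames and SAN values below are constructed for illustration.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def match_exact(san, host):
    """Exact comparison only: a wildcard SAN never matches a real host."""
    return _labels(san) == _labels(host)

def match_wildcard(san, host):
    """Exact match, or '*' as the whole left-most label covering one label."""
    s, h = _labels(san), _labels(host)
    if "*" not in san:
        return s == h
    # Accept '*' only as the complete left-most label, and (assumption of
    # this example) only with at least two labels after it, so "*.com" fails.
    if s[0] != "*" or any("*" in label for label in s[1:]) or len(s) < 3:
        return False
    # '*' stands for exactly one non-empty label, so label counts must agree.
    return len(s) == len(h) and h[0] != "" and s[1:] == h[1:]

def verify_host(dns_sans, host, matcher):
    """True if any DNS SAN entry of the peer certificate covers host."""
    return any(matcher(san, host) for san in dns_sans)

CERT_SANS = ["*.cluster.example.internal"]   # constructed wildcard SAN
NODES = [
    "node1.cluster.example.internal",        # covered by the wildcard
    "NODE2.cluster.example.internal",        # covered (case-insensitive)
    "a.node1.cluster.example.internal",      # two labels deep: not covered
    "cluster.example.internal",              # bare domain: not covered
]

def report():
    # (node, result with exact-only client, result with wildcard-aware client)
    return [(n, verify_host(CERT_SANS, n, match_exact),
                verify_host(CERT_SANS, n, match_wildcard)) for n in NODES]

if __name__ == "__main__":
    for node, exact, wild in report():
        print(f"{node:40} exact-only={exact!s:5} wildcard-aware={wild}")
```

With the exact-only matcher every node fails verification against the wildcard certificate, which is the node-to-node failure the ticket describes; the wildcard-aware matcher accepts only single-label children of the wildcard domain.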

            Activity

            ritam.sharma Ritam Sharma added a comment -

            Tests have been automated and wildcard entries in SAN are done. Need to check this with the Windows platform.

            build-team Couchbase Build Team added a comment -

            Build couchbase-server-1006.5.1-1125 contains tlm commit ee014a4 with commit message:
            MB-37420: Typo in manifest.cmake

            build-team Couchbase Build Team added a comment -

            Build couchbase-server-1006.5.1-1125 contains tlm commit be8046c with commit message:
            MB-37420: Bump erlang on Windows to -cb10 (built from correct branch)

            build-team Couchbase Build Team added a comment -

            Build couchbase-server-1006.5.1-1125 contains tlm commit 6e65df4 with commit message:
            MB-37420: Update Erlang version - Windows only

            build-team Couchbase Build Team added a comment -

            Build couchbase-server-1006.5.1-1125 contains tlm commit c800374 with commit message:
            MB-37420: Match wildcards in subjectAltNames (Erlang)


              People

              Assignee:
              ritam.sharma Ritam Sharma
              Reporter:
              dfinlay Dave Finlay