Details
-
Bug
-
Resolution: Fixed
-
Critical
-
6.5.0
Description
Erlang SSL clients don't support wildcards in SAN entries in OTP 20, which is what Couchbase Server currently runs against. See this Erlang ticket https://bugs.erlang.org/browse/ERL-542.
This is a problem since using the common name in the subject field for server identity has long since been deprecated (see https://tools.ietf.org/html/rfc2818#section-3.1) and a DNS SAN entry should be used. Additionally in split-DNS (i.e. cloud) environments using DNS SAN entries is now completely the norm, so this issue rises to the level of node-to-node encryption not working with wildcards.
We should patch our Erlang with this pull request to allow wildcards in SAN entries to work.
Attachments
| For Gerrit Dashboard: MB-37420 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 120213,5 | MB-37420: Match wildcards in subjectAltNames (Erlang) | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 120342,1 | Merge remote-tracking branch 'origin/mad-hatter' | master | tlm | Status: MERGED | +2 | +1 |
| 121123,3 | MB-37420: Update Erlang version - Windows only | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 121166,2 | MB-37420: Bump erlang on Windows to -cb10 (built from correct branch) | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 121168,2 | MB-37420: Typo in manifest.cmake | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 121169,1 | Merge branch 'mad-hatter' | master | tlm | Status: MERGED | +2 | +1 |
| 129426,1 | [WIP] Use customize_hostname_check to match wildcards | master | ns_server | Status: ABANDONED | 0 | 0 |