Details
Bug
Resolution: Fixed
Critical
6.5.0
Description
Erlang SSL clients don't support wildcards in SAN entries in OTP 20, which is what Couchbase Server currently runs against. See this Erlang ticket: https://bugs.erlang.org/browse/ERL-542.
This is a problem since using the common name in the subject field for server identity has long since been deprecated (see https://tools.ietf.org/html/rfc2818#section-3.1) and a DNS SAN entry should be used. Additionally, in split-DNS (i.e. cloud) environments, using DNS SAN entries is now completely the norm, so this issue rises to the level of node-to-node encryption not working with wildcards.
We should patch our Erlang with this pull request to allow wildcards in SAN entries to work.
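The comparison a client has to make for wildcard DNS SAN entries, as an added example (not code from this ticket, from Couchbase, or from OTP). It is written as a fun over `{dns_id, Host}` and `{dNSName, Pattern}`, the form `public_key:pkix_verify_hostname/3` accepts for its `match_fun` option; the module name and all hostnames are constructed, and the matcher is deliberately strict, honouring `*` only as the whole left-most label.

```erlang
%% Added example. Module name and hostnames are constructed for illustration.
-module(san_wildcard).
-export([match_fun/0, matches/2, demo/0]).

%% Fun in the {dns_id, Host} / {dNSName, Pattern} form; anything that is not
%% a DNS name comparison is left to the caller's default handling.
match_fun() ->
    fun({dns_id, Host = [_ | _]}, {dNSName, Pattern = [_ | _]}) ->
            matches(Host, Pattern);
       (_, _) ->
            default
    end.

%% Case-insensitive, label-by-label comparison of a reference hostname
%% against one dNSName value taken from the certificate.
matches(Host, Pattern) ->
    match_labels(labels(Host), labels(Pattern)).

labels(Name) ->
    string:split(string:lowercase(Name), ".", all).

%% "*" is honoured only as the entire left-most label, stands for exactly one
%% non-empty host label, and needs at least two literal labels after it
%% (so "*.com" never matches).
match_labels([HostLabel | HostRest], ["*" | PatRest]) ->
    HostLabel =/= [] andalso length(PatRest) >= 2
        andalso not has_wildcard(PatRest)
        andalso HostRest =:= PatRest;
%% No usable wildcard: require an exact match and refuse "*" anywhere else.
match_labels(HostLabels, PatLabels) ->
    not has_wildcard(PatLabels) andalso HostLabels =:= PatLabels.

has_wildcard(Labels) ->
    lists:any(fun(Label) -> lists:member($*, Label) end, Labels).

%% Constructed cases: returns [{Host, Pattern, boolean()}].
demo() ->
    Cases = [{"node1.cluster.example.com", "*.cluster.example.com"},
             {"NODE1.cluster.example.com", "*.Cluster.Example.com"},
             {"a.b.cluster.example.com",   "*.cluster.example.com"},
             {"cluster.example.com",       "*.cluster.example.com"},
             {"node1.cluster.example.com", "node1.*.example.com"},
             {"example.com",               "*.com"}],
    [{H, P, matches(H, P)} || {H, P} <- Cases].
```

Only the first two constructed cases match; a client that compares SAN entries by exact string equality rejects those two as well, which is the node-to-node failure described above.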