Uploaded image for project: 'Couchbase Server'
  1. Couchbase Server
  2. MB-55154

[BP 7.2.0] Improve server certificate validation (validate SAN)

    XMLWordPrintable

Details

    • Untriaged
    • 1
    • Unknown

    Description

      Currently ns_server doesn't validate the SAN extensions when server certificate is being uploaded. This allows users to upload certificates that have SANs that don't match the node name, which later leads to misunderstanding when customers are trying to turn on encryption or to add new nodes. Ideally we should not let users to upload that kind of certificates.

      Note that implementation is not that obvious because certificates can be uploaded before node initialization, when node name can still be changed. This scenario needs to be taken care of.

      This validation should be turned on by default, but should be configurable (so there should be at least a diag/eval to turn it off).

      Attachments

        Issue Links

          is a backport of

          Bug - A problem which impairs or prevents the functions of the product. MB-53537 Improve server certificate validation (validate SAN)

          • Major - Major loss of function.
          • Closed
          relates to

          Task - A task that needs to be done. DOC-10904 Add docs for Improved server certificate (SAN) validation

          • Major - Major loss of function.
          • Closed
          No reviews matched the request. Check your Options in the drop-down menu of this sections header.

          Activity

            People

              shaazin.sheikh Shaazin Sheikh
              Abhijeeth.Nuthan Abhijeeth Nuthan
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Gerrit Reviews

                  There are no open Gerrit changes

                  PagerDuty