Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3370

Provide clearer error when SSL certificates have weak crypto

    XMLWordPrintableJSON

Details

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Minor - P4 Minor - P4
    • None
    • None
    • tests, tls
    • None

    Description

      In adding a debian10 Evergreen build variant to the C driver I encountered unexpected failures in SSL-related tests. Debian 10 ships with OpenSSL 1.1.1c.

      I dug around this a bit and added a call to "ERR_print_errors_fp (stderr);" just before the driver emits the error message that was displayed, and this is what is on the libssl error stack:

      [2019/09/21 16:09:58.204] 140374663296768:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
      [2019/09/21 16:09:58.204] 2019/09/21 20:09:58.0204: [25219]: ERROR: mongoc: Cannot find certificate in 'src/libmongoc/tests/x509gen/server.pem'

      The solution appears to be certificates with stronger crypto for the SSL-related tests.

      Attachments

        Activity

          People

            Unassigned Unassigned
            roberto.sanchez@mongodb.com Roberto Sanchez
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated: