Provide clearer error when SSL certificates have weak crypto

XMLWordPrintableJSON

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Testing, tls
    • Not Needed
    • 🔵 Done
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?
    • None
    • None
    • None
    • None
    • None
    • None

      In adding a debian10 Evergreen build variant to the C driver I encountered unexpected failures in SSL-related tests. Debian 10 ships with OpenSSL 1.1.1c.

      I dug around this a bit and added a call to "ERR_print_errors_fp (stderr);" just before the driver emits the error message that was displayed, and this is what is on the libssl error stack:

      [2019/09/21 16:09:58.204] 140374663296768:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
      [2019/09/21 16:09:58.204] 2019/09/21 20:09:58.0204: [25219]: ERROR: mongoc: Cannot find certificate in 'src/libmongoc/tests/x509gen/server.pem'

      The solution appears to be certificates with stronger crypto for the SSL-related tests.

            Assignee:
            Unassigned
            Reporter:
            Roberto Sanchez
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: