Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-3370

Provide clearer error when SSL certificates have weak crypto

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Testing, tls
    • Labels:
      None

      In adding a debian10 Evergreen build variant to the C driver I encountered unexpected failures in SSL-related tests. Debian 10 ships with OpenSSL 1.1.1c.

      I dug around this a bit and added a call to "ERR_print_errors_fp (stderr);" just before the driver emits the error message that was displayed, and this is what is on the libssl error stack:

      [2019/09/21 16:09:58.204] 140374663296768:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
      [2019/09/21 16:09:58.204] 2019/09/21 20:09:58.0204: [25219]: ERROR: mongoc: Cannot find certificate in 'src/libmongoc/tests/x509gen/server.pem'

      The solution appears to be certificates with stronger crypto for the SSL-related tests.

            Assignee:
            Unassigned Unassigned
            Reporter:
            roberto.sanchez@mongodb.com Roberto Sanchez
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: