The C driver evergreen project tests auth with x509 against ldaptest.10gen.cc, using certificates referenced in this wiki page: https://wiki.corp.mongodb.com/display/DRIVERS/Testing+x.509.
AFAIK no other drivers are testing x509 auth against ldaptest, but our auth tests are failing on rhel80 due to the weak crypto in those certs.
Copying from Roberto Sanchez's comment in CDRIVER-2940, the authentication task connects like so:
[2019/09/23 22:47:21.881] + echo 'Authenticating using X.509'
[2019/09/23 22:47:21.881] + ./src/libmongoc/mongoc-ping 'mongodb://CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@ldaptest.10gen.cc/?ssl=true&authMechanism=MONGODB-X509&sslClientCertificateKeyFile=src/libmongoc/tests/x509gen/legacy-x509.pem&sslCertificateAuthorityFile=src/libmongoc/tests/x509gen/legacy-ca.crt&sslAllowInvalidHostnames=true&connectTimeoutMS=30000&serverSelectionTryOnce=false'
[2019/09/23 22:47:51.438] Ping failure: No suitable servers found: `serverselectiontimeoutms` timed out: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed calling ismaster on 'ldaptest.10gen.cc:27017']
[2019/09/23 22:47:51.439] OpenSSL 1.1.1 FIPS 11 Sep 2018
Authenticating using X.509
[2019/09/23 22:47:51.439] Command failed: command encountered problem: exit status 3
There is a long-open BUILD ticket to regenerate those certs here in BUILD-2782. But I believe testing x509 against ldaptest.10gen.cc does not give us additional coverage. We test x509 as part of our normal auth tests (our orchestration files use the certs referenced in DRIVERS-575, which all other drivers use).
Let's verify that testing against ldaptest.10gen.cc really does not give us any benefit, and then remove those tests.
Related to: CDRIVER-2940 Regenerate test certificates with SHA256 signatures (Closed)