Compass / COMPASS-4105

Support non-standard root ca for SSL

    • Type: Investigation
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.31.0
    • Affects Version/s: None
    • Component/s: Connectivity, Tech debt
    • None
    • 5
    • Iteration Utica, Iteration Versailles, Iteration Wolverhampton
    • Needed

      Similar to https://jira.mongodb.org/browse/DOCSP-21000, Compass now also supports loading certificates from the system certificate store through a checkbox in its connection form UI.

      (I don’t know if Compass’s TLS options are documented in general. If not, then I assume this option also doesn’t need to be documented.)


      notes

      https://www.npmjs.com/package/ssl-root-cas

      node-windows-root-certs

      https://www.npmjs.com/package/node-windows-root-certs

      Enables use of Windows root certificates in nodejs directly, without environment settings or certificate files.

      Tested on node 12.10.0

      Uses for this module:
      In a corporate environment
      If they have a WAF (Web Application Firewall - a man in the middle), the root certificate for the WAF is often installed as a certificate in Windows. NodeJS has no access to this certificate, and so nodeJS based applications will fail without special measures.

      You need to https or tls to a server with a self signed certificate
      Enables the root certificate for your server to be added, either by adding in Windows, or manually.

      I tried but failed to get this to work in test.js with badssl.com

      For 'Older' versions of NodeJS
      If the certificates inside NodeJS expire, the application will stop working....

      What it does
      This module provides two features:

      1. reading of the Windows root certificates
      A function is provided to read the Windows Root certificates returning an array similar to node's own rootcertificates array.

      2. patching tls
      A function is provided which will patch the tls module such that all HTTPS or other tls based secure communication will use the provided certificates - either a complete certificate list or, a list additional to the internal nodeJS list.

      Note: if tls is patched AFTER a successful connection to a site, then it's likely that the new/modified certificates will not be used for a subsequent connection, as the connection itself may be cached.

      win-ca

      https://www.npmjs.com/package/win-ca

      Node uses a statically compiled, manually updated, hardcoded list of certificate authorities, rather than relying on the system's trust store... Read more

      It's somewhat non-intuitive under any OS, but Windows differs from most of them
      by having its own trust store, fully incompatible with [OpenSSL|https://github.com/ukoloff/openssl-win-root].

      This package is intended to fetch Root CAs from Windows' store (Trusted Root Certification Authorities) and make them available to Node.js application with minimal efforts.
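
The "complete list or additional list" choice and the connection-caching caveat in the notes above, sketched as an added example (not code from Compass or from any of the npm packages quoted). `splitPemBundle`, `buildCaList` and `agentWithExtraCas` are hypothetical names, and the example assumes Node 15.6 or later for `crypto.X509Certificate`.

```javascript
const tls = require('node:tls');
const https = require('node:https');
const { X509Certificate } = require('node:crypto');

const PEM_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g;

// Split a PEM bundle (for example an export of the OS trust store) into certificates.
function splitPemBundle(bundle) {
  return bundle.match(PEM_RE) || [];
}

// Merge extra roots with Node's bundled list (default) or replace that list.
// Unparseable, expired and duplicate entries are reported instead of trusted.
function buildCaList(extraBundle, { replace = false, now = new Date() } = {}) {
  const base = replace ? [] : [...tls.rootCertificates];
  const seen = new Set(base.map((pem) => new X509Certificate(pem).fingerprint256));
  const added = [];
  const skipped = [];
  for (const pem of splitPemBundle(extraBundle)) {
    let cert;
    try {
      cert = new X509Certificate(pem);
    } catch {
      skipped.push({ reason: 'unparseable' });
      continue;
    }
    if (new Date(cert.validTo) < now) {
      skipped.push({ reason: 'expired', subject: cert.subject });
    } else if (seen.has(cert.fingerprint256)) {
      skipped.push({ reason: 'duplicate', subject: cert.subject });
    } else {
      seen.add(cert.fingerprint256);
      added.push(pem);
    }
  }
  return { ca: [...base, ...added], added, skipped };
}

// A fresh Agent has its own socket pool and TLS session cache, so connections
// made through it are verified against this list.
function agentWithExtraCas(extraBundle) {
  return new https.Agent({ ca: buildCaList(extraBundle).ca });
}
```

Passing the returned `ca` array per connection or per Agent keeps the change scoped to the connections that need the extra roots, and the `skipped` list gives an audit trail of what was not trusted and why.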

            Assignee:
            anna.henningsen@mongodb.com Anna Henningsen
            Reporter:
            lucas.hrabovsky Lucas Hrabovsky (Inactive)