  1. Node.js Driver
  2. NODE-3591

Node driver v4.0+ does not present TLS certificate to the server

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.1.2
    • Affects Version/s: None
    • Component/s: Authentication
    • Labels:
      None
    • 2
    • Not Needed

      What problem are you facing?

      The driver is not presenting its TLS client certificate to the server. As a result, X.509 authentication cannot be used.

      What driver and relevant dependency versions are you using?

      The following code fails with mongodb@4.0 and newer, but works with mongodb@3.6 & mongodb@3.7

      Steps to reproduce?

      Install the most recent driver (mongodb@4.1), run the following code (certificates attached):

      const { MongoClient } = require("mongodb");

      // Reproduction settings for MONGODB-X509 authentication over TLS.
      // The DN and the file paths are percent-encoded because they are spliced
      // into the connection URI below.
      const clusterUrl = "localhost:27017";
      const authMechanism = "MONGODB-X509";

      // With MONGODB-X509 the user name is the subject DN of the client
      // certificate, so it has to match the certificate in localClient.pem.
      const username = encodeURIComponent("CN=localClient,OU=10gen,O=TSE,L=Moscow,ST=BO,C=RU");

      // PEM file with the client certificate and its private key. This is the
      // certificate the driver is expected to present during the TLS handshake;
      // keep the file readable only by the account that runs the script.
      const clientPEMFile = encodeURIComponent("../data/localClient.pem");

      // CA bundle the client uses to validate the server's certificate.
      const CAFile = encodeURIComponent("../data/CA.pem");

      // Query-string options: X.509 mechanism, $external auth source
      // (%24 is the encoded "$"), TLS on, client certificate and CA file.
      const tlsAuthOptions = [
        `authMechanism=${authMechanism}`,
        "authSource=%24external",
        "tls=true",
        `tlsCertificateKeyFile=${clientPEMFile}`,
        `tlsCAFile=${CAFile}`,
      ].join("&");

      // Connection URI
      const uri = `mongodb://${username}@${clusterUrl}/?${tlsAuthOptions}`;
      const client = new MongoClient(uri);
      /**
       * Connects the module-level client, sends a ping to confirm the session
       * works, and always closes the client afterwards.
       *
       * On the affected driver versions this page reports the script failing
       * with MongoServerError code 18 (AuthenticationFailed), while the server
       * log shows that no certificate was provided by the peer.
       *
       * @returns {Promise<void>} Settles once the client has been closed;
       *   rejects with the connection, ping, or close error.
       */
      async function run() {
        try {
          // Open the connection using the URI built above.
          await client.connect();

          // A ping round-trip verifies that the connection is usable.
          const pingTarget = client.db("demo-acceptify");
          await pingTarget.command({ ping: 1 });

          console.log("Connected successfully to server");
        } finally {
          // Runs on success and on failure, so the socket is not left open.
          await client.close();
        }
      }
      // Print any rejection from run() (e.g. the authentication error shown
      // below) instead of leaving the promise rejection unhandled.
      run().catch((failure) => console.dir(failure));
      

      This will yield:

      villain@R7:~/WORK/Tools/node$ node run.js
      MongoServerError: No verified subject name available from client
          at MessageStream.messageHandler (/mnt/h/WORK/Tools/node/node_modules/mongodb/lib/cmap/connection.js:467:30)
          at MessageStream.emit (events.js:314:20)
          at processIncomingData (/mnt/h/WORK/Tools/node/node_modules/mongodb/lib/cmap/message_stream.js:108:16)
          at MessageStream._write (/mnt/h/WORK/Tools/node/node_modules/mongodb/lib/cmap/message_stream.js:28:9)
          at writeOrBuffer (_stream_writable.js:352:12)
          at MessageStream.Writable.write (_stream_writable.js:303:10)
          at TLSSocket.ondata (_stream_readable.js:717:22)
          at TLSSocket.emit (events.js:314:20)
          at addChunk (_stream_readable.js:307:12)
          at readableAddChunk (_stream_readable.js:282:9) {
        ok: 0,
        code: 18,
        codeName: 'AuthenticationFailed'
      }
      

      At the same time, the server log reports that the client supplied no TLS certificate (see the "No SSL certificate provided by peer" warning, id 23234, on conn98):

      {"t":{"$date":"2021-09-09T14:26:33.918+10:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"Connection accepted","attr":{"remote":"127.0.0.1:41624","connectionId":98,"connectionCount":2}}
      {"t":{"$date":"2021-09-09T14:26:33.921+10:00"},"s":"W",  "c":"NETWORK",  "id":23234,   "ctx":"conn98","msg":"No SSL certificate provided by peer"}
      {"t":{"$date":"2021-09-09T14:26:33.923+10:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn98","msg":"client metadata","attr":{"remote":"127.0.0.1:41624","client":"conn98","doc":{"driver":{"name":"nodejs","version":"4.1.1"},"os":{"type":"Linux","name":"linux","architecture":"x64","version":"5.10.16.3-microsoft-standard-WSL2"},"platform":"Node.js v14.11.0, LE (unified)|Node.js v14.11.0, LE (unified)"}}}
      {"t":{"$date":"2021-09-09T14:26:33.923+10:00"},"s":"I",  "c":"ACCESS",   "id":20427,   "ctx":"conn98","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: 1, mechanism: \"MONGODB-X509\", user: \"CN=localClient,OU=10gen,O=TSE,L=Moscow,ST=BO,C=RU\" }"}}
      {"t":{"$date":"2021-09-09T14:26:33.924+10:00"},"s":"I",  "c":"ACCESS",   "id":20427,   "ctx":"conn98","msg":"Authenticate","attr":{"db":"$external","command":"{ authenticate: 1, mechanism: \"MONGODB-X509\", user: \"CN=localClient,OU=10gen,O=TSE,L=Moscow,ST=BO,C=RU\", $db: \"$external\" }"}}
      

        1. CA.pem
          11 kB
        2. localClient.pem
          3 kB
        3. R7.pem
          6 kB

            Assignee:
            daria.pardue@mongodb.com Daria Pardue
            Reporter:
            dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
            Neal Beeken
