Check client->isPossiblyUnauthenticatedInternalClient() in x509_server_conversation

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 8.2.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • Server Security
    • Fully Compatible
    • ALL
    • RnD Security 2025-03-03, Security 2025-03-17, Security 2025-03-31, Server Security 2025-06-06
    • 3

      During X.509 authentication we raise a warning when a cluster-member certificate is presented but the client hasn't actually declared themselves as internal.  Due to changes from SERVER-90285, the API call `isInternalClient()` no longer returns true for unauthenticated clients, and as this warning is issued from the authentication path (pre-auth), we'll never pass `isInternalClient` and always throw warnings.

      Use the `isPossiblyUnauthenticatedInternalClient()` API instead inside `SaslX509ServerMechanism::stepImpl` in `sasl_x509_server_conversation.cpp`.

            Assignee:
            Kat Cheng
            Reporter:
            Sara Golemon (Inactive)
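
The ordering problem described in the ticket, as an added, simplified model (not MongoDB source code and not part of the original issue). Only the two predicate names come from the ticket; the `Client` fields, `warnsOnClusterCert`, `countWarnings` and the sample connections are assumptions constructed for illustration.

```cpp
#include <iostream>
#include <utility>
#include <vector>

// Simplified model of a connection during the X.509 conversation (assumed fields).
struct Client {
    bool declaredInternal;  // assumed: peer declared itself internal at handshake
    bool authenticated;     // still false while the auth mechanism is running

    // Per the ticket: after SERVER-90285 this is never true before authentication.
    bool isInternalClient() const { return declaredInternal && authenticated; }
    // Pre-auth-safe predicate: depends only on what the peer declared.
    bool isPossiblyUnauthenticatedInternalClient() const { return declaredInternal; }
};

enum class Check { IsInternalClient, IsPossiblyUnauthenticatedInternalClient };

// Warning decision: a cluster-member certificate was presented, but the client
// is not considered internal by the chosen predicate.
bool warnsOnClusterCert(const Client& c, bool certIsClusterMember, Check check) {
    if (!certIsClusterMember) return false;
    const bool internal = (check == Check::IsInternalClient)
        ? c.isInternalClient()
        : c.isPossiblyUnauthenticatedInternalClient();
    return !internal;
}

// Constructed sample: {client state, presents cluster-member cert?}, all pre-auth.
std::vector<std::pair<Client, bool>> sampleConnections() {
    return {
        {Client{true, false}, true},    // real cluster member
        {Client{false, false}, true},   // cluster cert, never declared internal
        {Client{false, false}, false},  // ordinary user certificate
        {Client{true, false}, true},    // real cluster member
    };
}

int countWarnings(const std::vector<std::pair<Client, bool>>& conns, Check check) {
    int n = 0;
    for (const auto& conn : conns) n += warnsOnClusterCert(conn.first, conn.second, check);
    return n;
}

int main() {
    const auto conns = sampleConnections();
    std::cout << "isInternalClient(): "
              << countWarnings(conns, Check::IsInternalClient) << " warnings\n"
              << "isPossiblyUnauthenticatedInternalClient(): "
              << countWarnings(conns, Check::IsPossiblyUnauthenticatedInternalClient)
              << " warnings\n";
}
```

With the post-auth predicate every cluster-certificate connection warns, so the one connection that presented a cluster certificate without declaring itself internal is indistinguishable from legitimate members in the log.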