- Type: Bug
- Resolution: Unresolved
- Priority: Minor - P4
- Affects Version/s: 8.0.4
- Component/s: None
- Environment: Windows 10
In Client Certificate Requirements you say:
- Client certificates must contain the following fields:
  keyUsage = digitalSignature
  extendedKeyUsage = clientAuth
However, it is possible to authenticate as client, even when extendedKeyUsage = clientAuth is not set:
openssl x509 -in client.admin.pem -noout -subject -ext extendedKeyUsage,keyUsage
subject=CN=admin
X509v3 Key Usage:
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication

mongosh --norc "mongodb://localhost:27017/admin?&authSource=$external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem"
Current Mongosh Log ID: 683d48312178c488a76c4bcf
Connecting to: mongodb://localhost:27017/admin?authSource=%24external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.1
Using MongoDB: 8.0.4
Using Mongosh: 2.5.1

admin> db.runCommand({ connectionStatus: 1 }).authInfo
{
  authenticatedUsers: [ { user: 'CN=admin', db: '$external' } ],
  authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
In my understanding, authentication should fail, because extendedKeyUsage = clientAuth is missing.
The same problem applies to the server certificate.

openssl x509 -in mongo.server.pem -noout -subject -ext extendedKeyUsage,keyUsage
subject=C=CH, O=Sunrise, OU=OSS, OU=MongoDB, CN=server
X509v3 Key Usage:
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Client Authentication

mongod --tlsCertificateKeyFile mongo.server.pem
-> successfully started
In my understanding, mongod should not start, because extendedKeyUsage = serverAuth is missing in the certificate.
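An added pre-deployment check, not part of this ticket or of MongoDB's own code: since the server and shell accept certificates that lack the documented extendedKeyUsage (as shown above), this script lints a certificate against the documented keyUsage/extendedKeyUsage requirements before it is rolled out. It assumes `openssl` on PATH for `check_pem`; the sample output string is constructed to mirror the ticket's client.admin.pem.

```python
"""Lint a PEM certificate against MongoDB's documented X.509 requirements."""
import subprocess

# openssl's text names for the usages named in the documentation
# (keyUsage digitalSignature; extendedKeyUsage clientAuth or serverAuth).
REQUIRED_KU = "Digital Signature"
REQUIRED_EKU = {"client": ("clientAuth", "TLS Web Client Authentication"),
                "server": ("serverAuth", "TLS Web Server Authentication")}

def parse_openssl_ext(text):
    """Parse `openssl x509 -noout -ext extendedKeyUsage,keyUsage` output; absent -> []."""
    exts = {"keyUsage": [], "extendedKeyUsage": []}
    pending = None  # extension whose comma-separated values follow on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("X509v3 Key Usage", "X509v3 Extended Key Usage")):
            name = "extendedKeyUsage" if "Extended" in line else "keyUsage"
            rest = line.split(":", 1)[1].strip() if ":" in line else ""
            if rest and rest != "critical":  # values printed on the header line itself
                exts[name] = [v.strip() for v in rest.split(",") if v.strip()]
            else:
                pending = name
        elif pending and line:
            exts[pending] = [v.strip() for v in line.split(",") if v.strip()]
            pending = None
    return exts

def missing_requirements(exts, role):
    """Return the documented requirements the certificate fails for `role`
    ('client' or 'server'); an empty list means it is acceptable."""
    short_name, openssl_name = REQUIRED_EKU[role]
    problems = []
    if REQUIRED_KU not in exts["keyUsage"]:
        problems.append("keyUsage lacks digitalSignature")
    if openssl_name not in exts["extendedKeyUsage"]:
        problems.append(f"extendedKeyUsage lacks {short_name}")
    return problems

def check_pem(path, role):
    """Inspect a PEM file with openssl (assumed to be on PATH) and report problems."""
    cmd = ["openssl", "x509", "-in", path, "-noout", "-ext", "extendedKeyUsage,keyUsage"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return missing_requirements(parse_openssl_ext(out), role)

# Constructed sample mirroring the ticket's client.admin.pem: EKU is serverAuth only.
SAMPLE_CLIENT_OUTPUT = """X509v3 Key Usage:
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication
"""
```

Run `check_pem("client.admin.pem", "client")` (or `"server"` for mongo.server.pem) and refuse to deploy when the returned list is non-empty.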