Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Unresolved
Priority: Minor - P4
Fix Version/s: None
Affects Version/s: 8.0.4
Component/s: Security
Labels:
Environment:
Windows 10

Assigned Teams:

Server Security
Operating System:
ALL
Sprint:
Server Security 2025-06-20, Server Security 2025-07-04
Confidence Status:
None
Work Order:
3
Size Category:
TBD

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Estimated Weeks:
0

In Client Certificate Requirements you say:

Client certificates must contain the following fields:

keyUsage = digitalSignature
extendedKeyUsage = clientAuth

However, it is possible to authenticate as client, even when extendedKeyUsage = clientAuth is not set:

openssl x509 -in client.admin.pem -noout -subject -ext extendedKeyUsage,keyUsage

subject=CN=admin
X509v3 Key Usage:
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication


mongosh --norc "mongodb://localhost:27017/admin?&authSource=$external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem"

Current Mongosh Log ID: 683d48312178c488a76c4bcf
Connecting to:          mongodb://localhost:27017/admin?authSource=%24external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.1
Using MongoDB:          8.0.4
Using Mongosh:          2.5.1

admin> db.runCommand({ connectionStatus: 1 }).authInfo
{
  authenticatedUsers: [ { user: 'CN=admin', db: '$external' } ],
  authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}

In my understanding, authentication should fail, because extendedKeyUsage = clientAuth is missing.

The same problem applies for server certificate.

openssl x509 -in mongo.server.pem -noout -subject -ext extendedKeyUsage,keyUsage

subject=C=CH, O=Sunrise, OU=OSS, OU=MongoDB, CN=server
X509v3 Key Usage:
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Client Authentication

mongod --tlsCertificateKeyFile mongo.server.pem
->  successfully started

In my understanding, mongod should not start, because extendedKeyUsage = serverAuth is missing in the certificate.

related to

SERVER-63222 Probe expectations of the X509 extension extendedKeyUsage field

Backlog

Assignee:: Adam Rayner
Reporter:: Wernfried Domscheit
Participants:: Adam Rayner, Kenan Ali, Wernfried Domscheit
Votes:: 0 Vote for this issue
Watchers:: 7 Start watching this issue

Created:: Jun 02 2025 07:08:21 AM UTC
Updated:: Jun 23 2025 04:25:42 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates