-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Minor - P4
-
None
-
Affects Version/s: 8.0.4
-
Component/s: None
-
Environment:Windows 10
-
ALL
-
None
-
3
-
TBD
-
None
-
None
-
None
-
None
-
None
-
None
-
0
In Client Certificate Requirements you say:
- Client certificates must contain the following fields:
keyUsage = digitalSignature extendedKeyUsage = clientAuth
However, it is possible to authenticate as client, even when extendedKeyUsage = clientAuth is not set:
openssl x509 -in client.admin.pem -noout -subject -ext extendedKeyUsage,keyUsage
subject=CN=admin
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
mongosh --norc "mongodb://localhost:27017/admin?&authSource=$external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem"
Current Mongosh Log ID: 683d48312178c488a76c4bcf
Connecting to: mongodb://localhost:27017/admin?authSource=%24external&authMechanism=MONGODB-X509&tls=true&tlsCertificateKeyFile=client.admin.pem&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.5.1
Using MongoDB: 8.0.4
Using Mongosh: 2.5.1
admin> db.runCommand({ connectionStatus: 1 }).authInfo
{
authenticatedUsers: [ { user: 'CN=admin', db: '$external' } ],
authenticatedUserRoles: [ { role: 'root', db: 'admin' } ]
}
In my understanding, authentication should fail, because extendedKeyUsage = clientAuth is missing.
The same problem applies for server certificate.
openssl x509 -in mongo.server.pem -noout -subject -ext extendedKeyUsage,keyUsage
subject=C=CH, O=Sunrise, OU=OSS, OU=MongoDB, CN=server
X509v3 Key Usage:
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Client Authentication
mongod --tlsCertificateKeyFile mongo.server.pem
-> successfully started
In my understanding, mongod should not start, because extendedKeyUsage = serverAuth is missing in the certificate.