Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 9.0.0-rc0, 8.3.3
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Server Security
Backwards Compatibility:
Fully Compatible
Backport Requested:

v8.3
Sprint:
Server Security 2026-05-08
Case:
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

See https://docs.google.com/document/d/1V9GE97DDrpiDSWdI6dPPy1mQGiWwfEwSViPewMlrwn4/edit?tab=t.0#heading=h.177fzfbof7mt for additional context on Egress gRPC for Search

------------------------------

There is an open issue on the gRPC library (https://github.com/grpc/grpc/issues/14216) indicating the lack of support for cert (private key PEM file) passwords.

We would need to add upstream support to gRPC for certificate passwords:

Add an option to pass this to the public API here: https://github.com/grpc/grpc/blob/4943b77a5e497a83beedc6b23b760d8193baa126/include/grpc/credentials.h#L400-L460
Plumb this down to the SSL handshaking code in gRPC
Update the PEM private key reader in gRPC to use a passwork callback: https://github.com/grpc/grpc/blob/4943b77a5e497a83beedc6b23b760d8193baa126/src/core/tsi/ssl_transport_security.cc#L1008
See https://docs.openssl.org/3.3/man3/PEM_read_bio_PrivateKey/#synopsis

And also ensure our local certificate check properly uses the certificate password as well: https://github.com/10gen/mongo/blob/1a49046d343f0cf1e154ecac5654fb8f7030a094/src/mongo/transport/grpc/client.cpp#L683

related to

SERVER-126149 Remove SSLManagerInterface::decryptPEMKey when gRPC supports encrypted private keys

Backlog

Assignee:: Sam Frank
Reporter:: Adam Rayner
Participants:: Adam Rayner, Githook User, Sam Frank
Votes:: 1 Vote for this issue
Watchers:: 9 Start watching this issue

Created:: May 01 2026 09:27:45 PM UTC
Updated:: May 14 2026 10:00:23 PM UTC
Resolved:: May 07 2026 08:22:54 PM UTC