Core Server / SERVER-34831

Unable to use a client certificate with emailAddress field on OS X

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.0.0-rc0
    • Affects Version/s: 3.7.9
    • Component/s: Security
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Steps To Reproduce:

      Generate CA and server PEM key files using 10gen x509gen.

      The client PEM key file you will need to generate manually because 10gen x509gen does not support the emailAddress field.

      $ openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj '/CN=userWithEmail/OU=MMSAutomationClient/O=MongoDB/L=NewYorkCity/ST=NewYork/C=US/emailAddress=user@mongodb.com'
      $ openssl x509 -req -CA ca.pem -CAkey ca.pem -in client.csr -out client.cert -CAserial serial -CAcreateserial
      $ cat client.cert client.key > client.pem
      

      Note that I am using OpenSSL 1.0.2n.

      Then start mongod:

      mongod --dbpath=db1 --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem
      

      And try to run the mongo shell:

      mongo --ssl --sslCAFile ca.pem --sslPEMKeyFile client.pem
      Failed global initialization: InvalidSSLConfiguration Unknown OID: 0x7FCA5FD249A0
      
    • Sprint: Platforms 2018-05-07

      I am unable to use a client certificate with an emailAddress field with MongoDB 3.7.9 Enterprise on OS X. If I try to use it with the mongo shell, the shell returns:

      Failed global initialization: InvalidSSLConfiguration Unknown OID: 0x7FCA5FD249A0
      

      If I try to connect using the mgo driver the driver hangs (it keeps retrying to connect) and mongod logs:

      2018-05-03T16:24:22.792-0400 I NETWORK  [conn24] Error receiving request from client: InvalidSSLConfiguration: Unknown OID: 0x7FFDF2913A40. Ending connection from 10.4.110.43:55478 (connection id: 24)
      

      I've only noticed this on OS X. Other OSes appear to not have this problem.
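      An added pre-flight check, not code from the ticket or from MongoDB: it encodes the reporter's `-subj` string as a DER X.501 Name and then walks that DER the way a TLS stack does when mapping subject attributes, reporting any attribute OID outside an allow-list. The allow-list (X.500 attributes only, without PKCS#9 emailAddress, OID 1.2.840.113549.1.9.1) is an assumption standing in for whatever the affected build could map; `OIDS`, `SUPPORTED`, `subj_to_der` and `unsupported_attributes` are names chosen here.

```python
# Added example for SERVER-34831, not MongoDB code: encode an OpenSSL '-subj' string as a
# DER X.501 Name, then walk the DER and flag attribute OIDs outside an ASSUMED allow-list.
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
        "OU": "2.5.4.11", "CN": "2.5.4.3", "emailAddress": "1.2.840.113549.1.9.1"}
SUPPORTED = {oid for name, oid in OIDS.items() if name != "emailAddress"}  # assumption

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]           # first two arcs share one byte
    for v in arcs[2:]:                       # base-128 groups, high bit set on all but the last
        groups = [v & 0x7F]
        while (v := v >> 7):
            groups.insert(0, (v & 0x7F) | 0x80)
        out += groups
    return bytes(out)

def decode_oid(body):
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:                     # last byte of this arc
            arcs, v = arcs + [v], 0
    return ".".join(map(str, arcs))

def tlv(tag, body):                          # DER TLV; long-form length byte for 128..255
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def read_tlv(buf, pos):                      # -> (tag, value, position after this TLV)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                             # long form: low 7 bits = number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def subj_to_der(subj):                       # Name ::= SEQUENCE OF SET OF SEQUENCE {OID, value}
    rdns = b""
    for part in subj.strip("/").split("/"):
        name, _, value = part.partition("=")
        vtag = 0x16 if name == "emailAddress" else 0x0C   # IA5String vs UTF8String (simplified)
        rdns += tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(OIDS[name])) + tlv(vtag, value.encode())))
    return tlv(0x30, rdns)

def unsupported_attributes(subj):            # OIDs the assumed allow-list does not cover
    _, rdns, _ = read_tlv(subj_to_der(subj), 0)
    found, pos = [], 0
    while pos < len(rdns):                   # one attribute per RDN assumed
        _, rdn, pos = read_tlv(rdns, pos)
        oid = decode_oid(read_tlv(read_tlv(rdn, 0)[1], 0)[1])
        if oid not in SUPPORTED:
            found.append(oid)
    return found
```

      Running `unsupported_attributes` on the subject from the steps above returns `['1.2.840.113549.1.9.1']`, the emailAddress OID, before any certificate is issued.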

        1. server.pem (3 kB)
        2. client.pem (3 kB)
        3. ca.pem (3 kB)

            Assignee: Mark Benvenuto (mark.benvenuto@mongodb.com)
            Reporter: Timothy Olsen (Inactive) (tim.olsen@mongodb.com)
            Votes: 0
            Watchers: 4
