[SERVER-35196] Unable to X.509 authenticate using a client certificate with a subjectAltName component - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 4.0.0-rc0
Fix Version/s: 4.0.0-rc3, 4.1.1
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Steps To Reproduce:

Hide

Generate appropriate PEM keyfiles. Have the subject for your client certificate include a subjectAltName component

Start mongod

Insert user with the username matching the client certificate subject.

Connect to the mongod using the client certificate and try to authenticate using X.509 auth.

Show
Generate appropriate PEM keyfiles. Have the subject for your client certificate include a subjectAltName component Start mongod Insert user with the username matching the client certificate subject. Connect to the mongod using the client certificate and try to authenticate using X.509 auth.
Sprint:
Platforms 2018-06-18

Description

I believe this is a regression introduced in 4.0.0-rc0. The same automated test of ours that triggered this did not have this problem with 3.7.9. I have seen this happen on Amazon Linux and macOS.

Basically, if I have a PEM key file with a certificate with a subjectAltName component:

$ openssl x509 -in /tmp/mms-automation/test/output/certificates/pem-967246847 -inform PEM -subject -nameopt RFC2253

subject= subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan

And that user exists on the mongod:

MongoDB Enterprise csrs:PRIMARY> db.system.users.find({})

{ "_id" : "$external.subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "user" : "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "db" : "$external", "credentials" : { "external" : true }, "roles" : [ { "role" : "backup", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "restore", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }

This is what happens when I try to authenticate:

$ /tmp/mms-automation/test/versions/mongodb-linux-x86_64-enterprise-amzn64-4.0.0-rc0/bin/mongo --ssl --sslCAFile /tmp/mms-automation/test/output/certificates/mmsCA.pem --sslPEMKeyFile /tmp/mms-automation/test/output/certificates/pem-967246847 `hostname -f`:9007

MongoDB shell version v4.0.0-rc0

connecting to: mongodb://ip-10-113-168-251.ec2.internal:9007/test

MongoDB server version: 4.0.0-rc0

MongoDB Enterprise csrs:PRIMARY> use $external

switched to db $external

MongoDB Enterprise csrs:PRIMARY> db.auth({mechanism: "MONGODB-X509", user: "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"})

Error: Username "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan" does not match the provided client certificate user "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"

Attachments

Activity

People

Assignee:: Sara Golemon

Reporter:: Timothy Olsen

Participants:: Githook User, Sara Golemon, Timothy Olsen

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: May 23 2018 08:26:18 PM UTC

Updated:: Jun 06 2018 02:43:38 PM UTC

Resolved:: Jun 06 2018 02:01:22 AM UTC