Description
I believe this is a regression introduced in 4.0.0-rc0. The same automated test of ours that triggered this did not have this problem with 3.7.9. I have seen this happen on Amazon Linux and macOS.
Basically, if I have a PEM key file with a certificate with a subjectAltName component:
$ openssl x509 -in /tmp/mms-automation/test/output/certificates/pem-967246847 -inform PEM -subject -nameopt RFC2253
subject= subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan
And that user exists on the mongod:
MongoDB Enterprise csrs:PRIMARY> db.system.users.find({})
{ "_id" : "$external.subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "user" : "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "db" : "$external", "credentials" : { "external" : true }, "roles" : [ { "role" : "backup", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "restore", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
This is what happens when I try to authenticate:
$ /tmp/mms-automation/test/versions/mongodb-linux-x86_64-enterprise-amzn64-4.0.0-rc0/bin/mongo --ssl --sslCAFile /tmp/mms-automation/test/output/certificates/mmsCA.pem --sslPEMKeyFile /tmp/mms-automation/test/output/certificates/pem-967246847 `hostname -f`:9007
MongoDB shell version v4.0.0-rc0
connecting to: mongodb://ip-10-113-168-251.ec2.internal:9007/test
MongoDB server version: 4.0.0-rc0
MongoDB Enterprise csrs:PRIMARY> use $external
switched to db $external
MongoDB Enterprise csrs:PRIMARY> db.auth({mechanism: "MONGODB-X509", user: "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"})
Error: Username "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan" does not match the provided client certificate user "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"
0
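An added diagnostic (not part of this ticket or of MongoDB's code) that compares the stored $external username with the subject string the server reports, after mapping attribute-type short names to their dotted OIDs; it confirms that only the rendering of the type name differs (subjectAltName versus its OID 2.5.29.17) while every value matches. The OID table and the two DN strings are taken from the ticket; the helper names are my own.

```python
# Added example, not from the ticket: canonicalise RFC 2253 attribute types to
# dotted OIDs and diff two DN strings attribute by attribute. MONGODB-X509 compares
# the stored username with the server's rendering byte-for-byte, so a change in how
# one attribute type is printed is enough to break authentication.
import re

# Only the attribute types that appear in the ticket's certificate subject.
SHORT_NAME_TO_OID = {
    "CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7", "ST": "2.5.4.8",
    "O": "2.5.4.10", "OU": "2.5.4.11",
    "emailAddress": "1.2.840.113549.1.9.1",
    "subjectAltName": "2.5.29.17",
}
_LOOKUP = {k.lower(): v for k, v in SHORT_NAME_TO_OID.items()}

def split_rdns(dn):
    """Split an RFC 2253 string on unescaped commas, keeping backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # escaped character: copy both bytes
            cur.append(dn[i:i + 2]); i += 2; continue
        if dn[i] == ",":
            parts.append("".join(cur)); cur = []
        else:
            cur.append(dn[i])
        i += 1
    parts.append("".join(cur))
    return parts

def canonical_attrs(dn):
    """Return [(oid, value)]; short names are mapped to OIDs, OIDs are kept as-is."""
    out = []
    for rdn in split_rdns(dn):
        typ, _, val = rdn.partition("=")
        typ = typ.strip()
        if not re.fullmatch(r"\d+(\.\d+)*", typ):   # not already dotted-decimal
            typ = _LOOKUP.get(typ.lower(), typ)
        out.append((typ, val.strip()))
    return out

def dn_diff(expected, presented):
    """(oid, expected_value, presented_value) for every attribute that differs; [] if none."""
    a, b = canonical_attrs(expected), canonical_attrs(presented)
    if len(a) != len(b):
        return [("attribute-count", len(a), len(b))]
    return [(ta, va, vb) for (ta, va), (tb, vb) in zip(a, b) if ta != tb or va != vb]

# The two strings from the ticket's error message.
USERNAME = "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"
CERT_SUBJECT = "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"

if __name__ == "__main__":
    print(USERNAME == CERT_SUBJECT, dn_diff(USERNAME, CERT_SUBJECT))  # False []
```

An empty diff alongside unequal raw strings is the signature of this regression: the certificate is the right one, but the server's rendering of the subject no longer matches the username recorded in system.users.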