  1. Core Server
  2. SERVER-36619

Test that ECDSA certificates can be loaded by OpenSSL on Linux

Details

    • Task
    • Resolution: Fixed
    • Major - P3
    • 4.1.5
    • None
    • Security
    • None
    • Fully Compatible
    • Security 2018-11-05

    Description

      ECDHE-based cipher suites tend to be slower than non-Forward Secrecy preserving variants. The mitigation for this is to deploy certificates containing ECDSA keys (preferably themselves signed by a CA with ECDSA). Because ECDSA is significantly faster than RSA, this results in comparable performance.

      We should generate an ECDSA certificate with OpenSSL, check it into jstests/libs (with instructions describing how to regenerate it), and write a JSTest which validates that we can use it as a tlsPEMKeyFile. If any platforms fail to load the certificate, we should bake that information into the test.
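
One way to carry out the generation step described above, as an added example that is not MongoDB's own script or test: it builds a throwaway ECDSA CA, signs an ECDSA server certificate with it, writes the combined PEM, and checks that OpenSSL loads it as an EC key with an ECDSA signature. The file names, subject names, P-256 curve and 365-day validity are assumptions.

```shell
# Added example: regenerate an ECDSA test certificate and confirm OpenSSL
# can load it. All file and subject names here are assumptions.

make_ecdsa_pem() {
    # $1 = output directory; writes ca.pem and server.pem there.
    out_dir="$1"
    mkdir -p "$out_dir" || return 1

    # CA: P-256 key plus a self-signed certificate (ECDSA signature).
    openssl ecparam -name prime256v1 -genkey -noout -out "$out_dir/ca.key" &&
    openssl req -new -x509 -sha256 -days 365 -key "$out_dir/ca.key" \
        -subj "/CN=Example ECDSA Test CA" -out "$out_dir/ca.pem" || return 1

    # Server: P-256 key and a CSR, signed by the ECDSA CA above.
    openssl ecparam -name prime256v1 -genkey -noout -out "$out_dir/server.key" &&
    openssl req -new -sha256 -key "$out_dir/server.key" \
        -subj "/CN=localhost" -out "$out_dir/server.csr" &&
    openssl x509 -req -sha256 -days 365 -in "$out_dir/server.csr" \
        -CA "$out_dir/ca.pem" -CAkey "$out_dir/ca.key" -set_serial 1 \
        -out "$out_dir/server.crt" 2>/dev/null || return 1

    # A PEM key file holds the certificate and its private key together.
    cat "$out_dir/server.crt" "$out_dir/server.key" > "$out_dir/server.pem"
}

check_ecdsa_pem() {
    # $1 = combined PEM, $2 = CA certificate. Returns 0 only if all checks pass.
    cert_text=$(openssl x509 -in "$1" -noout -text) || return 1
    # Both the subject key and the CA's signature must be elliptic-curve.
    printf '%s\n' "$cert_text" |
        grep -q "Public Key Algorithm: id-ecPublicKey" || return 1
    printf '%s\n' "$cert_text" |
        grep -q "Signature Algorithm: ecdsa-with-SHA256" || return 1
    # The private key in the file must match the certificate's public key.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    # The certificate must verify against the ECDSA CA.
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Running `make_ecdsa_pem` and then `check_ecdsa_pem` on the result gives a pre-flight check of the file before it is handed to a server as its PEM key file; it does not replace the JSTest the ticket asks for.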

          People

            patrick.freed@mongodb.com Patrick Freed
            greg.mckeon@mongodb.com Gregory McKeon (Inactive)