Core Server
SERVER-39202

Improve deterministic calculation of key container names

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 4.0.7, 4.1.8
    • Affects Version/s: 4.0.5, 4.1.7
    • Component/s: Security
    • Labels:
    • Backwards Compatibility: Fully Compatible
    • Operating System: ALL
    • Backport Requested: v4.0
    • Sprint: Security 2019-02-11

When Windows mongo servers use a log file, they use that log file to calculate the private key container name. Unfortunately, if two private keys are loaded in the same key container, then SChannel will use the wrong private key for signing in the server key exchange.

To fix this, we need to use a unique deterministic calculation for all key containers. The simplest solution is to append an incrementing integer to uniquify the key containers. This ensures the key container names are unique without leaking an unbounded number on each restart.

Assignee: Mark Benvenuto (mark.benvenuto@mongodb.com)
Reporter: Mark Benvenuto (mark.benvenuto@mongodb.com)
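As an added illustration (not MongoDB's own code and not the patch that resolved this ticket), the C++ sketch below contrasts the pre-fix scheme the description mentions, one container name derived from the log file path, with the fixed scheme that appends a per-process incrementing integer. With the old scheme two private keys loaded by the same server map to the same container, which is the collision that makes SChannel pick the wrong key; with the new scheme each key gets its own container, and because the counter restarts at zero on every process start the set of names is bounded, so restarts reuse names instead of accumulating orphaned containers. The `MongoDB-` prefix, the FNV-1a hash, the class and function names, and the sample log path are assumptions made for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <vector>

namespace keycontainer {

// FNV-1a over the log file path. A fixed hash is used on purpose: the base
// name must be identical across restarts, and std::hash gives no such
// guarantee. (Assumed for the example; not the project's actual derivation.)
inline uint64_t fnv1a64(const std::string& s) {
    uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : s) {
        h ^= c;
        h *= 1099511628211ULL;
    }
    return h;
}

inline std::string toHex(uint64_t v) {
    static const char* digits = "0123456789abcdef";
    std::string out(16, '0');
    for (int i = 15; i >= 0; --i) {
        out[i] = digits[v & 0xf];
        v >>= 4;
    }
    return out;
}

// Pre-fix behaviour as described in the ticket: one name per log file, so
// every private key the server loads lands in the same container.
inline std::string legacyContainerName(const std::string& logFilePath) {
    return "MongoDB-" + toHex(fnv1a64(logFilePath));
}

// Fixed scheme: the same deterministic base plus a counter that starts at 0
// on each process start. Names are unique within a process, and the sequence
// is reproduced on restart, so no unbounded number of containers is left behind.
class KeyContainerNamer {
public:
    explicit KeyContainerNamer(std::string logFilePath)
        : _base("MongoDB-" + toHex(fnv1a64(logFilePath))) {}

    // Name for the next private key loaded in this process.
    std::string next() {
        return _base + "-" + std::to_string(_counter++);
    }

private:
    std::string _base;
    unsigned _counter = 0;
};

// Simulate loading `keyCount` private keys in one server process.
inline std::vector<std::string> namesForProcess(const std::string& logFilePath,
                                                unsigned keyCount) {
    KeyContainerNamer namer(logFilePath);
    std::vector<std::string> names;
    for (unsigned i = 0; i < keyCount; ++i) names.push_back(namer.next());
    return names;
}

// True if no two names collide (the property the fix restores).
inline bool allDistinct(const std::vector<std::string>& names) {
    return std::set<std::string>(names.begin(), names.end()).size() == names.size();
}

}  // namespace keycontainer

int main() {
    // Constructed sample path; any string works as the log file identity.
    const std::string logPath = "C:\\data\\log\\mongod.log";

    // Old scheme: both keys get the same container name.
    std::cout << "legacy: " << keycontainer::legacyContainerName(logPath) << " (shared by every key)\n";

    // New scheme: distinct per key, identical sequence after a "restart".
    auto firstRun = keycontainer::namesForProcess(logPath, 2);
    auto secondRun = keycontainer::namesForProcess(logPath, 2);
    for (const auto& n : firstRun) std::cout << "fixed:  " << n << "\n";
    std::cout << "distinct within process: " << keycontainer::allDistinct(firstRun)
              << ", stable across restart: " << (firstRun == secondRun) << "\n";
    return 0;
}
```

The check that matters operationally is the last line of output: names must be distinct within one process and identical from one start to the next; a scheme that satisfies only the first property (random or time-based suffixes) would fix the signing bug but leave a new container behind on every restart.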