  1. Core Server
  2. SERVER-39202

Improve deterministic calculation of key container names

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 4.0.5, 4.1.7
    • Fix Version/s: 4.0.7, 4.1.8
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v4.0
    • Sprint:
      Security 2019-02-11

      Description

      When Windows mongo servers use a log file, they use that log file to calculate the private key container name. Unfortunately, if two private keys are loaded in the same key container, then SChannel will use the wrong private key for signing in the server key exchange.

      To fix this, we need to use a unique deterministic calculation for all key containers. The simplest solution is to append an incrementing integer to uniquify the key containers. This ensures the key container names are unique without leaking an unbounded number on each restart.
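The collision and the proposed fix can be modelled as follows. This is an added example, not code from the ticket or from the MongoDB source. The `KeyStore` model, the FNV-1a hash, the `mongo-` prefix, the log path and the key labels are all constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Constructed model: one private key per container name; importing under an
// existing name replaces the key already stored there.
struct KeyStore {
    std::map<std::string, std::string> containers;
    void importKey(const std::string& name, const std::string& key) { containers[name] = key; }
};

// Old scheme per the ticket: the name depends only on the log file path.
// FNV-1a is a stand-in hash (assumption), chosen because it is stable across runs.
std::string nameFromLogPath(const std::string& logPath) {
    std::uint64_t h = 14695981039346656037ULL;
    for (unsigned char c : logPath) { h ^= c; h *= 1099511628211ULL; }
    return "mongo-" + std::to_string(h);
}

struct Loaded { std::string serverKey; std::size_t containerCount; };

// Loads a server key, then a second key, as one process start would.
// With uniquify set, a counter starting at 0 is appended to each name.
Loaded loadBoth(KeyStore& store, const std::string& logPath, bool uniquify) {
    unsigned counter = 0;
    auto next = [&] {
        std::string base = nameFromLogPath(logPath);
        return uniquify ? base + "-" + std::to_string(counter++) : base;
    };
    std::string serverName = next();
    store.importKey(serverName, "server-key");
    store.importKey(next(), "second-key");
    return {store.containers.at(serverName), store.containers.size()};
}

// Runs `starts` process starts against one persistent store (assumed to outlive the process).
Loaded afterStarts(int starts, bool uniquify) {
    KeyStore store;
    Loaded last{};
    for (int i = 0; i < starts; ++i) last = loadBoth(store, "C:\\data\\log\\mongod.log", uniquify);
    return last;
}

int main() {
    std::cout << "log path only: " << afterStarts(1, false).serverKey << "\n";
    std::cout << "with counter:  " << afterStarts(3, true).serverKey << ", containers="
              << afterStarts(3, true).containerCount << "\n";
}
```

Because the counter restarts at 0 in every process, repeated starts reuse the same names and the number of containers stays bounded by the number of keys loaded.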
