Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-39202

Improve deterministic calculation of key container names

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • 4.0.5, 4.1.7
    • 4.0.7, 4.1.8
    • Security
    • None
    • Fully Compatible
    • ALL
    • v4.0
    • Security 2019-02-11

    Description

      When Windows mongo servers use a log file, they use that log file to calculate the private key container name. Unfortunately, if two private keys are loaded in the same key container, then SChannel will use the wrong private key for signing in the server key exchange.

      To fix this, we need to use a unique deterministic calculation for all key containers. The simplest solution is to append an incrementing integer to uniquify the key containers. This ensures the key container names are unique without leaking an unbounded number on each restart.

      Attachments

        Activity

          People

            mark.benvenuto@mongodb.com Mark Benvenuto
            mark.benvenuto@mongodb.com Mark Benvenuto
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: