[SERVER-43085] Regenerate all testing certificates with SHA-256 instead of SHA-1 - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.6.16, 4.3.1, 3.4.24, 4.2.2, 4.0.14
Component/s: None
Labels:
None
Environment:
Debian GNU/Linux bullseye, openssl v1.1.1c

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.2, v4.0, v3.6, v3.4
Sprint:
Security 2019-10-07, Security 2019-10-21, Security 2019-11-04
Linked BF Score:
40

Description

On certain newer implementations of openssl, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead.

This causes test failures. I discovered when testing kmip.js on my system, which failed with

cannot read certificate file: src/mongo/db/modules/enterprise/jstests/encryptdb/libs/client_password_protected.pem error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context

Attachments

Activity

People

Assignee:: Sara Golemon

Reporter:: Adam Cooper (Inactive)

Participants:: Adam Cooper, Githook User, Sara Golemon

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: Aug 29 2019 03:42:59 PM UTC

Updated:: Nov 14 2019 06:01:50 AM UTC

Resolved:: Oct 23 2019 04:21:36 PM UTC