Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-43085

Regenerate all testing certificates with SHA-256 instead of SHA-1

    • Type: Icon: Improvement Improvement
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 3.6.16, 4.3.1, 3.4.24, 4.2.2, 4.0.14
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Environment:
      Debian GNU/Linux bullseye, openssl v1.1.1c
    • Fully Compatible
    • v4.2, v4.0, v3.6, v3.4
    • Security 2019-10-07, Security 2019-10-21, Security 2019-11-04
    • 40

      On certain newer implementations of openssl, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead.

      This causes test failures. I discovered when testing kmip.js on my system, which failed with

      cannot read certificate file: src/mongo/db/modules/enterprise/jstests/encryptdb/libs/client_password_protected.pem error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

      See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context

            sara.golemon@mongodb.com Sara Golemon
            adam.cooper@mongodb.com Adam Cooper (Inactive)
            0 Vote for this issue
            7 Start watching this issue