Core Server / SERVER-43085

Regenerate all testing certificates with SHA-256 instead of SHA-1


    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.16, 4.3.1, 3.4.24, 4.2.2, 4.0.14
    • Component/s: None
    • Labels: None
    • Environment: Debian GNU/Linux bullseye, openssl v1.1.1c
    • Backwards Compatibility: Fully Compatible
    • Backport Requested: v4.2, v4.0, v3.6, v3.4
    • Sprint: Security 2019-10-07, Security 2019-10-21, Security 2019-11-04
    • Linked BF Score: 40

      Description

      On certain newer implementations of openssl, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead.

      This causes test failures. I discovered this when testing kmip.js on my system, which failed with

      cannot read certificate file: src/mongo/db/modules/enterprise/jstests/encryptdb/libs/client_password_protected.pem error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
      

      See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context
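      Added example, not code from the ticket or from the MongoDB repository: a dependency-free Python check that reads the outer signatureAlgorithm OID of a PEM certificate, so SHA-1-signed test fixtures like the one above can be found before OpenSSL's default security level rejects them. The PEM input is constructed inline (a structurally valid Certificate with a stand-in body and an all-zero signature), and the DER reader covers only the fields this check needs.

```python
import base64
import re
# Signature-algorithm names for the OIDs this check understands (RFC 4055); extend as needed.
SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
WEAK = {"sha1WithRSAEncryption"}  # yields "ca md too weak" at OpenSSL 1.1.1's default security level
def der_tlv(buf, pos):  # read one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # split a constructed DER value (SEQUENCE) into [(tag, value), ...]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs; high bit set means "more bytes follow"
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def cert_signature_algorithm(pem):
    """Dotted OID of the outer signatureAlgorithm of the first certificate in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der_bytes = base64.b64decode("".join(m.group(1).split()))
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    _tbs, (_, sig_alg), _sig = der_children(der_tlv(der_bytes, 0)[1])
    oid_tag, oid_raw = der_children(sig_alg)[0]  # AlgorithmIdentifier begins with the OID
    return decode_oid(oid_raw) if oid_tag == 0x06 else "unknown"

def is_weak_cert(pem):
    return SIG_OIDS.get(cert_signature_algorithm(pem), "unknown") in WEAK
# --- constructed sample input (not a real certificate: stand-in body, all-zero signature) ---
def der(tag, value):  # tiny DER encoder, short-form lengths only
    return bytes([tag, len(value)]) + value
def fake_cert_pem(oid_der_hex):
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, der(0x06, bytes.fromhex(oid_der_hex)) + der(0x05, b""))
    body = base64.b64encode(der(0x30, tbs + alg + der(0x03, b"\x00" * 17))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
# DER bodies of 1.2.840.113549.1.1.5 (sha1WithRSA) and 1.2.840.113549.1.1.11 (sha256WithRSA)
SHA1_RSA_OID_DER, SHA256_RSA_OID_DER = "2a864886f70d010105", "2a864886f70d01010b"
```

Pointing `is_weak_cert` at each `.pem` under a test fixture directory gives the same verdict `openssl x509 -noout -text` would show under "Signature Algorithm", without depending on the host's OpenSSL configuration.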

            People

            Assignee: Sara Golemon (sara.golemon)
            Reporter: Adam Cooper (adam.cooper)
            Votes: 0
            Watchers: 8
