- Type: Bug
- Resolution: Unresolved
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
- Server Security
- ALL
- Security 2025-02-17
- 2
Our SSLManager implementation will use the system certificate store if no CA file is specified: https://github.com/10gen/mongo/blob/4ca59a150226875c1a96a4dbabb9a55a0a246cf9/src/mongo/util/net/ssl_manager_openssl.cpp#L3043
However, our gRPC implementation does not do this. Here is a unit test demonstrating the difference:
TEST_F(GRPCClientTest, GRPCClientConnectSystemCA) {
    // Remember whether SSL_CERT_FILE was set so it can be restored exactly
    // (unset again, not set to ""), then point OpenSSL's default CA lookup
    // at the test CA.
    const char* originalEnv = getenv("SSL_CERT_FILE");
    const bool hadOriginalEnv = originalEnv != nullptr;
    std::string sslCertFileOriginalEnv = hadOriginalEnv ? std::string(originalEnv) : std::string();
    ON_BLOCK_EXIT([&]() {
        if (hadOriginalEnv) {
            setenv("SSL_CERT_FILE", sslCertFileOriginalEnv.c_str(), 1);
        } else {
            unsetenv("SSL_CERT_FILE");
        }
    });
    setenv("SSL_CERT_FILE", CommandServiceTestFixtures::kCAFile, 1);

    auto serverOptions = CommandServiceTestFixtures::makeServerOptions();
    auto clientThreadBody = [&](auto& server, auto& monitor) {
        // No tlsCAFile is configured here: the client must fall back to the
        // system CA store (which SSL_CERT_FILE points at the test CA above).
        GRPCClient::Options clientOptions;
        clientOptions.tlsCertificateKeyFile = CommandServiceTestFixtures::kClientCertificateKeyFile;
        auto client = makeClient(std::move(clientOptions));
        client->start();
        auto session = client
                           ->connect(server.getListeningAddresses().at(0),
                                     getReactor(),
                                     CommandServiceTestFixtures::kDefaultConnectTimeout,
                                     {})
                           .get();
        assertEchoSucceeds(*session);
        ASSERT_OK(session->finish());
    };
    CommandServiceTestFixtures::runWithServer(
        CommandServiceTestFixtures::makeEchoHandler(), clientThreadBody, std::move(serverOptions));
}
We should ask the gRPC team if this is a supported feature, and otherwise clearly reject this certificate setup in gRPC without blocking ASIO from using it.
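As an added illustration (not code from the ticket or the mongo repository), the following Python uses the ssl module, which wraps OpenSSL, to show the two behaviours the ticket contrasts: an explicit CA file wins, otherwise OpenSSL's default verify paths are used with SSL_CERT_FILE as the override the test relies on, and a client context that never loads those defaults trusts no CA at all. The function names and the constructed empty .pem file are assumptions of this example.

```python
"""Constructed example: Python's ssl module wraps OpenSSL, so it can show the
CA-bundle fallback described above (an explicit CA file wins, otherwise the
default verify paths are used and SSL_CERT_FILE overrides the built-in bundle)."""
import os
import ssl
import tempfile


def resolve_ca_source(explicit_ca_file=None):
    """Return (source, path) for the CA bundle a verifier would end up using."""
    if explicit_ca_file:
        return ("explicit", explicit_ca_file)
    paths = ssl.get_default_verify_paths()
    # paths.cafile is SSL_CERT_FILE if set and an existing file, else the
    # compiled-in default bundle if that exists, else None.
    if paths.cafile is not None:
        if os.environ.get(paths.openssl_cafile_env) == paths.cafile:
            return ("env:" + paths.openssl_cafile_env, paths.cafile)
        return ("system-file", paths.cafile)
    if paths.capath is not None:
        return ("system-dir", paths.capath)
    return ("none", None)  # a verifying client would then trust nothing


def trusted_ca_count(load_system_defaults):
    """A client context that never loads the default paths holds zero CAs; with
    CERT_REQUIRED (the PROTOCOL_TLS_CLIENT default) every handshake then fails,
    which is the behaviour the ticket reports for the gRPC client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if load_system_defaults:
        ctx.set_default_verify_paths()  # the SSLManager behaviour with no CA file
    return ctx.cert_store_stats()["x509_ca"]


def demo_env_override():
    """Point SSL_CERT_FILE at a constructed (empty) file, as the test fixture
    does, and restore the variable exactly afterwards: unset it rather than
    setting it to "" when it was not set before."""
    env_var = ssl.get_default_verify_paths().openssl_cafile_env  # "SSL_CERT_FILE"
    original = os.environ.get(env_var)
    with tempfile.NamedTemporaryFile(suffix=".pem") as fake_ca:
        os.environ[env_var] = fake_ca.name
        try:
            return resolve_ca_source()
        finally:
            if original is None:
                os.environ.pop(env_var, None)
            else:
                os.environ[env_var] = original
```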