[CDRIVER-2480] (SSL)windows secure Channel doesn't allow pemkeyfile has password Created: 31/Jan/18  Updated: 31/Jan/18  Resolved: 31/Jan/18

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: 1.7.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: winnie_quest Assignee: A. Jesse Jiryu Davis
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to CDRIVER-2008 Test X.509 authentication with Secure... Backlog

 Description   

If I compile the C driver with "-DENABLE_SSL=WINDOWS" (Windows Secure Channel), the connection fails if the client PEM key file has a password.
The error info from the log:
****************************************************
[error@stream-secure-channel] Failed to parse private key. ASN1 bad tag value met.
(0x8009310B)
[warning@stream-secure-channel] a client certificate has been requested
****************************************************

Note:
1. I created the private key for the PEM file with this command: openssl genrsa -des3 -out server.key 2048 , and then entered the password: 1234
Using mongo.exe, I can connect with the same PEM file and password from my own working computer successfully:
mongo --host 10.154.10.39 --ssl --authenticationDatabase admin --username user1 -p 123 --sslCAFile d:/ca.pem --sslPEMKeyFile d:/cry.pem --sslPEMKeyPassword 1234
However, if my program uses the mongocxx driver, it always fails.

2. If I use the driver compiled with "-DENABLE_SSL=OPENSSL", this issue disappears.

3. My C++ program source code:
const auto uri = mongocxx::uri{"mongodb://user1:123@10.154.10.39:27017/?authSource=admin&ssl=true"};
mongocxx::options::client client_options;
if (uri.ssl())
{
    mongocxx::options::ssl ssl_options;
    ssl_options.pem_file("d:/cry.pem");
    ssl_options.pem_password("1234");
    ssl_options.ca_file("d:/ca.pem");
    client_options.ssl_opts(ssl_options);
}
....



 Comments   
Comment by A. Jesse Jiryu Davis [ 31/Jan/18 ]

Apologies, PEM file passwords are not supported with Windows Secure Channel, and it may not be possible to do so:

http://mongoc.org/libmongoc/current/mongoc_ssl_opt_t.html#native-tls-support-on-windows-secure-channel
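
A pre-flight check for the situation in this ticket, as an added example that is not code from the reporter, libmongoc or mongocxx: it reports whether a PEM bundle holds a passphrase-protected private key, so an application built against Secure Channel can stop with a clear message instead of the ASN.1 parse error shown in the description. `classify_pem_key` and the sample bundles are hypothetical and constructed; the markers it checks are the standard PEM ones (the `Proc-Type: 4,ENCRYPTED` header of the traditional format and the PKCS#8 `ENCRYPTED PRIVATE KEY` label).

```cpp
#include <iostream>
#include <sstream>
#include <string>

// Hypothetical helper, not a libmongoc/mongocxx API.
enum class KeyState { NoKey, Plain, Encrypted };

KeyState classify_pem_key(const std::string& pem) {
    std::istringstream in(pem);
    std::string line;
    bool in_key = false;
    KeyState state = KeyState::NoKey;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        if (line.rfind("-----BEGIN ", 0) == 0) {
            // PKCS#8 encrypted keys say so in the block label itself.
            if (line.find("ENCRYPTED PRIVATE KEY-----") != std::string::npos)
                return KeyState::Encrypted;
            in_key = line.find("PRIVATE KEY-----") != std::string::npos;
            if (in_key) state = KeyState::Plain;
        } else if (line.rfind("-----END ", 0) == 0) {
            in_key = false;
        } else if (in_key && line.rfind("Proc-Type:", 0) == 0 &&
                   line.find("ENCRYPTED") != std::string::npos) {
            // Traditional OpenSSL format: RFC 1421 header inside the key block.
            return KeyState::Encrypted;
        }
    }
    return state;
}

// Constructed samples; the base64 bodies are placeholders, not real keys.
const std::string kCertOnly =
    "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n";
const std::string kTraditionalEncrypted = kCertOnly +
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
    "-----END RSA PRIVATE KEY-----\n";
const std::string kPkcs8Encrypted =
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\r\nAAAA\r\n"
    "-----END ENCRYPTED PRIVATE KEY-----\r\n";
const std::string kPlainKey = kCertOnly +
    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n";

int main() {
    if (classify_pem_key(kTraditionalEncrypted) == KeyState::Encrypted)
        std::cerr << "PEM key is passphrase-protected: not usable with Secure Channel\n";
    return 0;
}
```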
