[CDRIVER-3370] Provide clearer error when SSL certificates have weak crypto Created: 23/Sep/19  Updated: 10/Feb/23

Status: Backlog
Project: C Driver
Component/s: tests, tls
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Minor - P4
Reporter: Roberto Sanchez Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Epic Link: CDRIVER-4576

 Description   

In adding a debian10 Evergreen build variant to the C driver I encountered unexpected failures in SSL-related tests. Debian 10 ships with OpenSSL 1.1.1c.

I dug around this a bit and added a call to "ERR_print_errors_fp (stderr);" just before the driver emits the error message that was displayed, and this is what is on the libssl error stack:

[2019/09/21 16:09:58.204] 140374663296768:error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak:../ssl/ssl_rsa.c:310:
[2019/09/21 16:09:58.204] 2019/09/21 20:09:58.0204: [25219]: ERROR: mongoc: Cannot find certificate in 'src/libmongoc/tests/x509gen/server.pem'

The solution appears to be certificates with stronger crypto for the SSL-related tests.



 Comments   
Comment by Kevin Albertson [ 23/Sep/19 ]

The error on evergreen was resolved in CDRIVER-2940, but the error message is misleading. Let's update that error message to be more useful and possibly source it from underlying openssl error message.

Generated at Wed Feb 07 21:17:49 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.