[COMPASS-4105] Support non-standard root ca for SSL Created: 17/Jan/20  Updated: 29/Oct/23  Resolved: 11/Mar/22

Status: Closed
Project: Compass
Component/s: Connectivity, Tech debt
Affects Version/s: None
Fix Version/s: 1.31.0

Type: Investigation Priority: Major - P3
Reporter: Lucas Hrabovsky (Inactive) Assignee: Anna Henningsen
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Cloners
is cloned by MONGOSH-1133 Support non-standard root ca for SSL Closed
Depends
Documented
Related
is related to MONGOSH-1054 --authenticationDatabase not overridi... Closed
Epic Link: COMPASS-5198
Story Points: 5
Documentation Changes: Needed
Documentation Changes Summary:

Similar to https://jira.mongodb.org/browse/DOCSP-21000, Compass now also supports loading certificates from the system certificate store through a checkbox in its connection form UI.

(I don’t know if Compass’s TLS options are documented in general. If not, then I assume this option also doesn’t need to be documented.)

Sprint: Iteration Utica, Iteration Versailles, Iteration Wolverhampton

 Description   

notes

https://www.npmjs.com/package/ssl-root-cas

node-windows-root-certs

https://www.npmjs.com/package/node-windows-root-certs

Enables use of Windows root certificates in nodejs directly, without environment settings or certificate files.

Tested on node 12.10.0

Uses for this module:
In a corporate environment
If they have a WAF (Web Application Firewall - a man in the middle), the root certificate for the WAF is often installed as a certificate in Windows. NodeJS has no access to this certificate, and so nodeJS based applications will fail without special measures.

You need to connect over HTTPS or TLS to a server with a self-signed certificate
Enables the root certificate for your server to be added, either by adding in Windows, or manually.

I tried but failed to get this to work in test.js with badssl.com

For 'Older' versions of NodeJS
If the certificates inside NodeJS expire, the application will stop working....

What it does
This module provides two features:

1. reading of the Windows root certificates
A function is provided to read the Windows Root certificates, returning an array similar to node's own rootCertificates array.

2. patching tls
A function is provided which will patch the tls module such that all HTTPS or other tls based secure communication will use the provided certificates - either a complete certificate list or a list additional to the internal nodeJS list.

Note: if tls is patched AFTER a successful connection to a site, then it's likely that the new/modified certificates will not be used for a subsequent connection, as the connection itself may be cached.

win-ca

https://www.npmjs.com/package/win-ca

Node uses a statically compiled, manually updated, hardcoded list of certificate authorities, rather than relying on the system's trust store...

It's somewhat non-intuitive under any OS, but Windows differs from most of them by having its own trust store, fully incompatible with [OpenSSL|https://github.com/ukoloff/openssl-win-root].

This package is intended to fetch Root CAs from Windows' store (Trusted Root Certification Authorities) and make them available to Node.js applications with minimal effort.
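The notes above describe two choices: trusting a complete replacement list or a list additional to Node's bundled roots, and patching tls globally. The following is an added example, not code from Compass, system-ca or any of the packages quoted above. It vets candidate certificates and scopes the resulting list to a single secure context instead of patching tls. The names `vetCa`, `buildCaList` and `sampleStore` are hypothetical, and Node.js 18 or later is assumed.

```javascript
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

// Accept a PEM only if it parses, is a CA certificate, and has not expired.
// Returns its SHA-256 fingerprint, or null when it must not become a trust anchor.
function vetCa(pem, now = new Date()) {
  let cert;
  try {
    cert = new X509Certificate(pem);
  } catch {
    return null; // not a certificate at all
  }
  if (!cert.ca) return null; // leaf certificate
  if (new Date(cert.validTo) < now) return null; // expired
  return cert.fingerprint256;
}

// mode 'extend':  system CAs are trusted in addition to Node's bundled roots.
// mode 'replace': only the vetted system CAs are trusted.
function buildCaList(systemPems, mode = 'extend') {
  const seen = new Set();
  const ca = [];
  let rejected = 0;
  if (mode === 'extend') {
    for (const pem of tls.rootCertificates) {
      const fp = new X509Certificate(pem).fingerprint256;
      if (!seen.has(fp)) { seen.add(fp); ca.push(pem); }
    }
  }
  for (const pem of systemPems) {
    const fp = vetCa(pem);
    if (fp === null) { rejected += 1; continue; }
    if (!seen.has(fp)) { seen.add(fp); ca.push(pem); } // duplicates are skipped
  }
  return { ca, rejected };
}

// Constructed sample input: three bundled roots stand in for certificates read
// from the OS store, plus one garbage entry and one duplicate.
const sampleStore = tls.rootCertificates.filter((pem) => vetCa(pem)).slice(0, 3);
const { ca, rejected } = buildCaList([...sampleStore, 'not a pem', sampleStore[0]], 'replace');

// Scope the list to one context (or one https.Agent) rather than patching tls
// process-wide; connections made with this context use the list from the start.
const secureContext = tls.createSecureContext({ ca });
console.log(`trusted=${ca.length} rejected=${rejected}`);
```

In 'replace' mode the public roots are no longer trusted, so that mode only suits connections to hosts whose certificates chain to the system-provided CAs.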



 Comments   
Comment by Githook User [ 16/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105 (#2850)
Branch: COMPASS-5534-toolbar-implementation
https://github.com/mongodb-js/compass/commit/a58edee9ed9bc7d522a2cd6ccdccc45e2407cb67

Comment by Githook User [ 15/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105 (#2850)
Branch: 1.31-releases
https://github.com/mongodb-js/compass/commit/a58edee9ed9bc7d522a2cd6ccdccc45e2407cb67

Comment by Githook User [ 14/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105 (#2850)
Branch: COMPASS-5518-update-workspace-tabs-selection-move
https://github.com/mongodb-js/compass/commit/a58edee9ed9bc7d522a2cd6ccdccc45e2407cb67

Comment by Githook User [ 11/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105 (#2850)
Branch: main
https://github.com/mongodb-js/compass/commit/a58edee9ed9bc7d522a2cd6ccdccc45e2407cb67

Comment by Githook User [ 11/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/compass/commit/19b4cd00f913fc974dc2315e33484c4e28e87278

Comment by Githook User [ 10/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/compass/commit/f38cfc211718b851eb22276f8bdc617926fc1096

Comment by Githook User [ 02/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: fix(node-runtime-worker-thread): externalize system-ca and deps COMPASS-4105 (#1221)

In order to be usable in Compass, system-ca and its addon dependencies
need to be externalized in the webpack configuration.

Theoretically, it might be enough to only externalize the addons;
however, since system-ca prefers to use worker threads for loading
certificates asynchronously on macOS and Windows, and we need to
externalize something, it makes sense to do it on the system-ca
level.
Branch: main
https://github.com/mongodb-js/mongosh/commit/9a40e24e5349228e447fbb0b4c78a36093ebff7b

Comment by Githook User [ 02/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: fix(node-runtime-worker-thread): externalize system-ca and deps COMPASS-4105

In order to be usable in Compass, system-ca and its addon dependencies
need to be externalized in the webpack configuration.

Theoretically, it might be enough to only externalize the addons;
however, since system-ca prefers to use worker threads for loading
certificates asynchronously on macOS and Windows, and we need to
externalize something, it makes sense to do it on the system-ca
level.
Branch: 4105-dev-again
https://github.com/mongodb-js/mongosh/commit/5ede91e81ee6861641897d4dfdec7a96f39f827a

Comment by Githook User [ 02/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/compass/commit/211cfe0130ca3b86e66e2bbee22a0d94ec66efb8

Comment by Githook User [ 01/Mar/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat(connection-form): support system CA store loading COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/compass/commit/ee98179f187f39b4eac7effa0e35b4eb419eeb11

Comment by Githook User [ 22/Feb/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat: add support for --tlsUseSystemCA flag COMPASS-4105 (#1205)
Branch: main
https://github.com/mongodb-js/mongosh/commit/4ebdb0fb46ddb452801a6f99b30d43a1c80ec806

Comment by Githook User [ 22/Feb/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat: add support for --tlsUseSystemCA flag COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/mongosh/commit/022a80e7569c40ff550901a2690451b118c61893

Comment by Githook User [ 21/Feb/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat: add support for --tlsUseSystemCA flag COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/mongosh/commit/69ce7a611da2d252a4a102423a7e7da074739bad

Comment by Githook User [ 17/Feb/22 ]

Author:

{'name': 'Anna Henningsen', 'email': 'anna@addaleax.net', 'username': 'addaleax'}

Message: feat: add support for --tlsUseSystemCA flag COMPASS-4105
Branch: 4105-dev
https://github.com/mongodb-js/mongosh/commit/ef810ad7d13f38751f8843d8786d7c7d3997cff1

Generated at Wed Feb 07 22:35:16 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.