[CSHARP-1911] Certificate use clarification Created: 09/Feb/17  Updated: 05/Apr/19  Resolved: 02/Mar/17

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: 2.3.0-beta1, 2.3, 2.4, 2.4.1, 2.4.2
Fix Version/s: None

Type: Task
Priority: Major - P3
Reporter: Alex Dawes
Assignee: Robert Stam
Resolution: Done
Votes: 0
Labels: question
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Hi,

I think I have identified a bug in the use of X509Certificate2 certificates in the C# driver (not a security flaw but it does break the driver when using pfx certificates), specifically in the way certificates are cloned in memory. Before I submit a bug report and fix via a PR, I just wanted to make sure I understand the code.

Specifically, in the documentation there is the following: http://mongodb.github.io/mongo-csharp-driver/2.2/reference/driver/ssl/
IMPORTANT
It is imperative that when loading a certificate with a password, the PrivateKey property not be null. If the property is null, it means that your certificate does not contain the private key and will not be passed to the server.

Can you please clarify this for me? I am confused as to why the above only seems to apply when you are using a password on the certificate - is it not possible to create a certificate with public key and private key but without a password, and if so in this case is the private key not required in the client?

Thanks,
Alex



 Comments   
Comment by Alex Dawes [ 10/Feb/17 ]

Bug ticket created at https://jira.mongodb.org/browse/CSHARP-1914

Comment by Alex Dawes [ 09/Feb/17 ]

We use certificates with passwords, and having upgraded from 2.2.3 to 2.4.1 a few days ago we immediately saw connection problems on mongo clusters with auth handled by certificates. On the client side we saw timeout messages when trying to connect and the mongo logs were suggesting that the SSL certificates were missing.

Apologies for the vagueness of this - I'm on my mobile at the moment, and will post the actual error messages when I get back to my computer.

My debugging fits well with what you wrote above - I believe the private keys are being dropped from the certs as they are being added to the SslSettings object due to a bug in the CloneCertificate method. Again I will post a more thorough bug report and PR for a fix when I am back at my computer.

Alex

Comment by Craig Wilson [ 09/Feb/17 ]

All the comment is noting is that if you load up a certificate and there isn't a private key, then it won't send the certificate. If there isn't a password, this shouldn't be a problem and the private key will simply get loaded as part of the construction of an X509Certificate2. However, if the certificate is password protected, then it will silently not load the private key. Hence the warning.

Perhaps you could indicate what issue you are having in practice.
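
Added example (not part of the ticket or the driver's code): a guard that rejects a client certificate with no private key before it is handed to the driver, so the condition the documentation warns about fails loudly instead of surfacing as a connection timeout. The helper name RequirePrivateKey, the subject name and the password are constructed for illustration; CertificateRequest assumes .NET Core 2.0+ or .NET Framework 4.7.2+.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertCheck
{
    // Hypothetical helper: a certificate without a private key cannot be used
    // for TLS client authentication, so reject it up front.
    public static X509Certificate2 RequirePrivateKey(X509Certificate2 cert, string source)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate '{cert.Subject}' from {source} has no private key.");
        return cert;
    }

    static void Main()
    {
        const string password = "constructed-password"; // constructed sample value

        // Constructed sample: a throwaway self-signed certificate built in memory.
        byte[] pfxBytes, cerBytes;
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-client", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var cert = req.CreateSelfSigned(
                DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(1)))
            {
                pfxBytes = cert.Export(X509ContentType.Pfx, password); // cert + private key
                cerBytes = cert.Export(X509ContentType.Cert);          // public part only
            }
        }

        // PFX loaded with its password: the private key is attached.
        using (var fromPfx = new X509Certificate2(pfxBytes, password))
        {
            RequirePrivateKey(fromPfx, "pfx");
            Console.WriteLine($"pfx: HasPrivateKey={fromPfx.HasPrivateKey}");
            // This is the instance that would go into SslSettings.ClientCertificates.
        }

        // Public-only encoding of the same certificate: the guard throws.
        using (var fromCer = new X509Certificate2(cerBytes))
        {
            try { RequirePrivateKey(fromCer, "cer"); }
            catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
        }
    }
}
```

Running the same guard on the certificate after it has been added to the settings object is a way to confirm whether the key survived any copy made along the way.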
