[DOCS-16020] [TOOLS] correct behavior for multi-certs inside client certificate file
Created: 07/Apr/23 Updated: 28/Apr/23

| Status: | Ready for Work |
| Project: | Documentation |
| Component/s: | tools |
| Affects Version/s: | None |
| Fix Version/s: | 100.7.1 |
| Type: | Task |
| Priority: | Major - P3 |
| Reporter: | Evgeni Dobranov |
| Assignee: | Unassigned |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
Description

If multiple certificates are specified in a PEM file, the DB Tools now use the first certificate instead of the last one when comparing it against the provided private key. The DB Tools now also derive the username for X.509 authentication from all certificates rather than from the last one. This aligns the DB Tools' behavior with that of OpenSSL.

Engineering Description

Since the tools' SSL/TLS code is copied from the Go driver, the current implementation parses only the last certificate inside the PEM file. So if a PEM file is structured such as
the tool will fail to start up with a private key/certificate pair mismatch, because it loads only the last certificate (the root certificate) and checks the key against it.
This is a discrepancy with the Mongo shell's behavior, which loads only the first certificate inside the PEM file. That is also the default behavior of many libraries, including the Go TLS library. (I took a look at the Mongo agent code and think it only loads the first certificate as well.) So here are the questions we need to answer in this ticket:
Keep in mind that we are asked to keep the tools' TLS logic in sync with the Go driver, so whichever change we make in the tools will be copied to the Go driver as well. We need to justify our decision to the driver team too.
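To make the failure mode concrete, the following is an added Go example; it is not code from the DB Tools, the Go driver or the Mongo shell. It constructs, in memory, a PEM file of the shape the ticket describes (leaf certificate first, issuing root certificate last, then the leaf's private key) and compares the two selection strategies on it: checking the private key against the first certificate, which is what crypto/tls's X509KeyPair does, versus checking it against the last certificate, which is what the pre-fix tools did. The function names (BuildClientPEM, parseCerts, keyMatches, Compare, Outcome), the generic must helper and the subject names "client" and "Test Root CA" are assumptions of the example; the generated keys and certificates are throwaway test material.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// must panics on error; fine here because only test-material construction can fail.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildClientPEM constructs, in memory, a client certificate file of the shape
// the ticket describes: leaf certificate first, issuing root certificate last,
// then the leaf's private key. Everything is generated fresh on each run; it is
// constructed test material, not a real credential.
func BuildClientPEM() []byte {
	now := time.Now()
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER := must(x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client", Organization: []string{"Example"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, root, &leafKey.PublicKey, rootKey))
	keyDER := must(x509.MarshalPKCS8PrivateKey(leafKey))
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: rootDER})...)
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})...)
}

// parseCerts walks every PEM block and keeps each CERTIFICATE in file order.
func parseCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue // private key or other material; not a certificate
		}
		c, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// keyMatches reports whether key is the private half of cert's public key.
func keyMatches(cert *x509.Certificate, key crypto.Signer) bool {
	pub, ok := key.Public().(interface{ Equal(crypto.PublicKey) bool })
	return ok && pub.Equal(cert.PublicKey)
}

type Outcome struct {
	ChainLen                        int    // certificates crypto/tls kept from the file
	FirstSubject, LastSubject       string // RFC 2253 subject DNs, i.e. the X.509 username candidates
	FirstMatchesKey, LastMatchesKey bool   // key-pair check against the first (new) vs the last (old) certificate
}

func Compare(pemData []byte) (Outcome, error) {
	// The same buffer serves as both arguments: X509KeyPair collects every
	// CERTIFICATE block as the chain, skips them while looking for the key,
	// and verifies the key against the first certificate only.
	tlsCert, err := tls.X509KeyPair(pemData, pemData)
	if err != nil {
		return Outcome{}, err
	}
	certs, err := parseCerts(pemData)
	if err != nil {
		return Outcome{}, err
	}
	key := tlsCert.PrivateKey.(crypto.Signer)
	first, last := certs[0], certs[len(certs)-1]
	return Outcome{
		ChainLen:     len(tlsCert.Certificate),
		FirstSubject: first.Subject.String(), LastSubject: last.Subject.String(),
		FirstMatchesKey: keyMatches(first, key), LastMatchesKey: keyMatches(last, key),
	}, nil
}
```

Running Compare on the constructed file gives ChainLen 2, FirstMatchesKey true and LastMatchesKey false: the last-certificate strategy reports a key/certificate mismatch on a perfectly valid file, while crypto/tls accepts it and keeps both certificates as the chain. FirstSubject is the leaf's RFC 2253 DN (CN=client,O=Example), which is the string that would serve as the X.509 username; the root's subject (CN=Test Root CA) is what the last-certificate strategy would have used instead.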