[GODRIVER-2263] Not loading all certs in a PEM file Created: 05/Jan/22 Updated: 28/Oct/23 Resolved: 24/Jan/22
| Status: | Closed |
| Project: | Go Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | 1.8.3 |
| Type: | Bug | Priority: | Unknown |
| Reporter: | Derrick Wippler | Assignee: | Kevin Albertson |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Cloud Backport: | Needed |
| Description |
Summary
When using the tlsCertificateKeyFile or sslClientCertificateKeyFile options, ClientOptions.ApplyURI() only loads the final cert in the provided PEM file. This is undesired when a PEM contains multiple certs to be considered during a TLS handshake.
How to Reproduce
Create a PEM file with multiple certs and use either the tlsCertificateKeyFile or sslClientCertificateKeyFile option to load the PEM file. Only the final cert will be loaded into the tls config cert list.
Additional Background
The code change that resolves this bug can be found here: https://github.com/mailgun/mongo-go-driver/pull/1/commits/71f1654d022eaa0234345143edd0ee157ecb2077 If this bug is approved, I will submit a PR against the main repo. |
| Comments |
| Comment by Githook User [ 24/Jan/22 ] |
|
Author: {'name': 'Derrick J. Wippler', 'email': 'thrawn01@gmail.com', 'username': 'thrawn01'} Message: |
| Comment by Derrick Wippler [ 10/Jan/22 ] |
|
PR Created here https://github.com/mongodb/mongo-go-driver/pull/834 |
| Comment by Kevin Albertson [ 07/Jan/22 ] |
|
Thank you for the report thrawn01@gmail.com! I was able to reproduce the "private key does not match public key" with testing certificates and private keys here. Applying the linked commit resolved the error. To compare with another driver, the C driver uses SSL_CTX_use_certificate_chain_file:
If you are able to submit a PR, it would be much appreciated! |
| Comment by Shawn Poulson [ 05/Jan/22 ] |
|
In the scenario where a client certificate is necessary to connect to Mongo, the pem may contain: a private key, a client cert, and one or more intermediate CA certs. Golang's TLS expects pems to contain the leaf (client) certificate first, then the intermediate certificates. This logic conflicts with Mongo's ClientOptions.ApplyURI() parsing only the last certificate in the pem. Then, mongo.NewClient() fails validating options with "private key does not match public key" because it paired the pem private key with an intermediate CA cert instead of the client cert. This fix is necessary to resolve this conflict. |
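The failure described in the report and in Shawn Poulson's comment above, reproduced as an added Go example. This is not code from the ticket or from the Go driver: the function names (splitBundle, loadLastCertOnly, loadCertChain, buildTestBundle, check) are hypothetical, loadLastCertOnly only models the reported "keep the last CERTIFICATE block" behaviour rather than copying the driver's parser, and the key, leaf certificate and issuing CA certificate are constructed in memory and thrown away. Passphrase-protected keys are out of scope.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// splitBundle returns every CERTIFICATE block of a PEM bundle (re-encoded, in
// file order) plus the first unencrypted private-key block it finds.
func splitBundle(bundle []byte) (certs [][]byte, keyPEM []byte) {
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			return certs, keyPEM
		}
		switch {
		case block.Type == "CERTIFICATE":
			certs = append(certs, pem.EncodeToMemory(block))
		case keyPEM == nil && strings.HasSuffix(block.Type, "PRIVATE KEY"):
			keyPEM = pem.EncodeToMemory(block)
		}
		bundle = rest
	}
}

// loadLastCertOnly models the reported behaviour (hypothetical, not driver code):
// only the final certificate is paired with the key, so with a leaf-first bundle
// the key is compared against the issuer's certificate and the pairing fails.
func loadLastCertOnly(bundle []byte) (tls.Certificate, error) {
	certs, keyPEM := splitBundle(bundle)
	if len(certs) == 0 || keyPEM == nil {
		return tls.Certificate{}, errors.New("bundle lacks a certificate or private key")
	}
	return tls.X509KeyPair(certs[len(certs)-1], keyPEM)
}

// loadCertChain keeps every certificate in file order (leaf first, then issuers),
// the layout crypto/tls expects: the key is matched to the leaf and the issuers
// are sent along with it during the handshake.
func loadCertChain(bundle []byte) (tls.Certificate, error) {
	certs, keyPEM := splitBundle(bundle)
	return tls.X509KeyPair(bytes.Join(certs, nil), keyPEM)
}

// check aborts the fixture construction on any error.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// buildTestBundle constructs, in memory, a throwaway bundle laid out the way the
// comments describe: private key, leaf (client) certificate, issuing CA certificate.
func buildTestBundle() []byte {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed issuing CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "constructed mongo client"},
		NotBefore: now, NotAfter: now.Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	check(err)
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	check(err)
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	check(err)
	return bytes.Join([][]byte{
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
	}, nil)
}

func main() {
	bundle := buildTestBundle()
	_, err := loadLastCertOnly(bundle)
	fmt.Println("last cert only:", err) // tls: private key does not match public key
	chain, err := loadCertChain(bundle)
	fmt.Println("full chain:", len(chain.Certificate), "certificates,", err) // 2 certificates, <nil>
}
```

The order of blocks is what makes the pairing succeed or fail: tls.X509KeyPair compares the private key against the first certificate it is handed and treats the rest as the chain, so keeping only the last block of a leaf-first bundle hands it the issuer, while a bundle written issuer-first would fail the same way even with every block loaded. A quick sanity check for a real bundle is therefore to confirm that the first CERTIFICATE block is the client certificate and that the number of certificates in the resulting tls.Certificate matches the number of blocks in the file.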