[SERVER-10979] MONGODB-X509 authentication fails against Windows build Created: 30/Sep/13  Updated: 11/Jul/16  Resolved: 03/Oct/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.3

Type: Bug Priority: Major - P3
Reporter: Bernie Hackett Assignee: Bernie Hackett
Resolution: Done Votes: 0
Labels: 26qa, stringdata-use-after-free
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL

 Description   

Tested on Windows 7 with OpenSSL 1.0.1e

Server:

PS C:\10gen\mongo> .\mongod.exe --sslOnNormalPorts --sslPEMKeyFile .\jstests\libs\server.pem --sslCRLFile .\jstests\libs\crl.pem --sslCAFile .\jstests\libs\ca.pem --sslWeakCertificateValidation --auth
2013-09-30T16:28:25.955-0700 ssl imported 1 revoked certificate from the revocation list.
2013-09-30T16:28:25.971-0700 ssl imported 1 revoked certificate from the revocation list.
2013-09-30T16:28:25.971-0700 [initandlisten] MongoDB starting : pid=1252 port=27017 dbpath=\data\db\ 64-bit host=win764
2013-09-30T16:28:25.971-0700 [initandlisten]
2013-09-30T16:28:25.986-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-09-30T16:28:25.986-0700 [initandlisten] **       Not recommended for production.
2013-09-30T16:28:25.986-0700 [initandlisten]
2013-09-30T16:28:25.986-0700 [initandlisten] db version v2.5.3-pre-
2013-09-30T16:28:26.002-0700 [initandlisten] targetMinOS: Windows 7/Windows Server 2008 R2
2013-09-30T16:28:26.002-0700 [initandlisten] git version: 10870bd2798db3c257d35a905985a066a8df82ec
2013-09-30T16:28:26.002-0700 [initandlisten] OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013
2013-09-30T16:28:26.002-0700 [initandlisten] build info: windows sys.getwindowsversion(major=6, minor=1, build=7601, platform=2, service_pack='Service Pack 1') BOOST_LIB_VERSION=1_49
2013-09-30T16:28:26.018-0700 [initandlisten] allocator: system
2013-09-30T16:28:26.018-0700 [initandlisten] options: { auth: true, ssl: { CAFile: ".\jstests\libs\ca.pem", CRLFile: ".\jstests\libs\crl.pem", PEMKeyFile: ".\jstests\libs\server.pem", sslOnNormalPorts: true, weakCertificateValidation: true } }

Client:

PS C:\10gen\mongo> .\mongo.exe --ssl --sslPEMKeyFile .\jstests\libs\client.pem
MongoDB shell version: 2.5.3-pre-
connecting to: test
Server has startup warnings:
2013-09-30T16:28:25.971-0700 [initandlisten]
2013-09-30T16:28:25.986-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-09-30T16:28:25.986-0700 [initandlisten] **       Not recommended for production.
2013-09-30T16:28:25.986-0700 [initandlisten]
>
>
> use $external
switched to db $external
>
> db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [{name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}, {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}, {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
{
        "user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
        "roles" : [
                {
                        "name" : "userAdminAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : true
                },
                {
                        "name" : "readWriteAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : true
                },
                {
                        "name" : "dbAdminAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : true
                }
        ]
}
> db
$external
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0

Server log:

...
2013-09-30T16:29:59.752-0700 [conn1] insert admin.system.users ninserted:1 keyUpdates:0  259ms
2013-09-30T16:29:59.752-0700 [conn1] command $external.$cmd command: { createUser: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [ { name: "userAdminAnyDatabase", source: "admin", hasRole: true, canDelegate: true }, { name: "readWriteAnyDatabase", source: "admin", hasRole: true, canDelegate: true }, { name: "dbAdminAnyDatabase", source: "admin", hasRole: true, canDelegate: true } ], writeConcern: { w: "majority", wtimeout: 30000.0 } } ntoreturn:1 keyUpdates:0 locks(micros) W:263758 r:19 reslen:37 267ms
2013-09-30T16:30:10.471-0700 [conn1] assertion 13 not authorized for query on $external.system.namespaces ns:$external.system.namespaces query:{}
2013-09-30T16:30:26.033-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-09-30T16:30:26.049-0700 [conn1] Failed to authenticate CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.
...

A Windows client can authenticate to a Linux server, but not a Windows server. A Linux client also can not authenticate to a Windows server.



 Comments   
Comment by auto [ 03/Oct/13 ]

Author:

{u'username': u'behackett', u'name': u'behackett', u'email': u'bernie@10gen.com'}

Message: SERVER-10979 Fix MONGODB-X509 on Windows

StringData isn't the right type in this context. Use
std::string instead.
Branch: master
https://github.com/mongodb/mongo/commit/1ccb9e93cd3013798cbfe6f5b6322ec5f6137906
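The defect class the commit message names, modelled as an added example (this is not MongoDB's code and not the patched function). `StringData` is stood in for by `std::string_view`, MongoDB's actual type being a non-owning pointer-plus-length view of the same kind. Because a real stale view into a freed `std::string` buffer is undefined behaviour and cannot be asserted on, the example uses a hypothetical fixed `arena` slot whose release overwrites the first bytes, the way an allocator reuses a freed chunk's header; `OwnedSubject`, `peerSubject` and the `x509Matches*` functions are likewise hypothetical names. The sample DN is the one from the ticket's log lines.

```cpp
// Added example (not MongoDB's code): a non-owning view that outlives the
// owner it points into, and the owning-string fix. All names below are
// hypothetical stand-ins; the arena replaces real heap memory so the stale
// read is deterministic instead of undefined behaviour.
#include <algorithm>
#include <cstddef>
#include <cstring>
#include <iostream>
#include <string>
#include <string_view>

using StringData = std::string_view;   // stand-in for mongo::StringData (pointer, length)

// Constructed sample: the subject DN from the ticket (64 bytes, as the client log printed).
const std::string kSampleDn = "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US";

// One fixed slot standing in for a heap chunk. Releasing it clobbers the first
// 8 bytes, like an allocator writing a free-list pointer into a freed chunk:
// a stale view then shows a garbled prefix, an intact tail and an unchanged
// length, the shape of the "subjectName ñ =client,..." debug line on the ticket.
namespace arena {
    inline char slot[256] = {};
    inline void release() { std::memcpy(slot, "<freed!>", 8); }
}

// Owning handle, analogous to std::string: the bytes are valid while it is
// alive and the storage is released by the destructor.
class OwnedSubject {
public:
    explicit OwnedSubject(std::string_view dn)
        : len_(std::min(dn.size(), sizeof(arena::slot) - 1)) {
        std::memcpy(arena::slot, dn.data(), len_);
        arena::slot[len_] = '\0';
    }
    OwnedSubject(const OwnedSubject&) = delete;
    OwnedSubject& operator=(const OwnedSubject&) = delete;
    ~OwnedSubject() { arena::release(); }

    StringData  view() const { return StringData(arena::slot, len_); }   // non-owning
    std::string str()  const { return std::string(arena::slot, len_); }  // owning copy
private:
    std::size_t len_;
};

// Stand-in for pulling the peer certificate's subject DN out of the TLS layer.
// Returns an owning temporary, as a function returning std::string would.
OwnedSubject peerSubject(const std::string& certDn) { return OwnedSubject(certDn); }

// Buggy shape: only a view of the temporary survives the statement. The user
// name from the user document is intact, the "certificate" side is garbled,
// and the comparison fails even though both sides started out identical.
bool x509MatchesBuggy(const std::string& userName, const std::string& certDn) {
    StringData subjectName = peerSubject(certDn).view();   // temporary dies here; view dangles
    return userName == subjectName;
}

// What the stale view actually reads back, exposed so it can be checked.
std::string x509StaleView(const std::string& certDn) {
    StringData subjectName = peerSubject(certDn).view();
    return std::string(subjectName);
}

// Fixed shape (the commit's "use std::string instead"): copy into an owning
// string before the temporary goes away, then compare.
bool x509MatchesFixed(const std::string& userName, const std::string& certDn) {
    std::string subjectName = peerSubject(certDn).str();
    return userName == subjectName;
}

int main() {
    std::cout << "buggy : " << (x509MatchesBuggy(kSampleDn, kSampleDn) ? "match" : "no match")
              << " (view reads \"" << x509StaleView(kSampleDn) << "\")\n";
    std::cout << "fixed : " << (x509MatchesFixed(kSampleDn, kSampleDn) ? "match" : "no match") << "\n";
    return 0;
}
```

Two practitioner notes on this. First, a garbled prefix with an intact tail and an unchanged length (the ticket's "len 64" next to "ñ =client,...") is the fingerprint of a stale view into reused memory, not of a character-set problem: an encoding mismatch would change lengths or scatter bad bytes through the multi-byte characters. Second, the real-heap version of this bug is exactly what AddressSanitizer reports as a heap-use-after-free on the comparison, so building the affected unit with `-fsanitize=address` is the quickest way to confirm the diagnosis on platforms where the freed bytes happen to survive and the test passes by luck.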

Comment by Bernie Hackett [ 03/Oct/13 ]

https://github.com/mongodb/mongo/pull/510

Comment by Andreas Nilsson [ 02/Oct/13 ]

milkie Ideally we'd need one from the last few days

Comment by Bernie Hackett [ 02/Oct/13 ]

Weirdness continues.

From the shell (after rebuilding with a new patch from andreas.nilsson@10gen.com):

PS C:\10gen\mongo> .\mongo.exe --ssl --sslPEMKeyFile .\jstests\libs\client.pem
2013-10-02T14:57:47.265-0700 [67 78 61 99 108 105 101 110 116 44 79 85 61 107 101 114 110 101 108 117 115 101 114 44 79 61 49 48 71 101 110 44 76 61 78 101 119 32 89 111 114 107 32 67 105 116 121 44 83 84 61 78 101 119 32 89 111 114 107 44 67 61 85 83 ]
2013-10-02T14:57:47.274-0700 result is: CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US len 64
MongoDB shell version: 2.5.3-pre-
connecting to: test
Server has startup warnings:
2013-10-02T14:57:19.118-0700 [initandlisten]
2013-10-02T14:57:19.118-0700 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-10-02T14:57:19.125-0700 [initandlisten] **       Not recommended for production.
2013-10-02T14:57:19.125-0700 [initandlisten]
>
>
> use $external
switched to db $external
> db.addUser({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [{name: 'userAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}, {name: 'readWriteAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}, {name: 'dbAdminAnyDatabase', source: 'admin', hasRole: true, 'canDelegate': true}]})
{
        "user" : "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US",
        "roles" : [
                {
                        "name" : "userAdminAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : true
                },
                {
                        "name" : "readWriteAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : true
                },
                {
                        "name" : "dbAdminAnyDatabase",
                        "source" : "admin",
                        "hasRole" : true,
                        "canDelegate" : true
                }
        ]
}
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: 'MONGODB-X509'})
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0
>
> db.auth({user: "CN=client,OU=kerneluser,O=10gen,L=New York City,ST=New York,C=US", mechanism: "MONGODB-X509"})
Error: 18 Username "CN=client,OU=kerneluser,O=10gen,L=New York City,ST=New York,C=US" does not match the provided client certificate user "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US"
0
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: "MONGODB-X509"}
... )
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }
0
> db.auth({user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", mechanism: "MONGODB-X509"})
Error: 18 { ok: 0.0, errmsg: "auth failed", code: 18 }

Notice I mistyped the user once there. I had previously been copy/pasting the username into the shell and wanted to make sure something strange wasn't happening with PowerShell.

Log output:

2013-10-02T14:58:31.399-0700 [conn1] command $external.$cmd command: { createUser: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [ { name: "userAdminAnyDatabase", source: "admin", hasRole: true, canDelegate: true }, { name: "readWriteAnyDatabase", source: "admin", hasRole: true, canDelegate: true }, { name: "dbAdminAnyDatabase", source: "admin", hasRole: true, canDelegate: true } ], writeConcern: { w: "majority", wtimeout: 30000.0 } } ntoreturn:1 keyUpdates:0 locks(micros) W:293359 r:21 reslen:37 297ms
2013-10-02T14:58:49.391-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-10-02T14:58:49.399-0700 [conn1] user.getUser CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US subjectName ñ =client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US
2013-10-02T14:58:49.407-0700 [conn1] Failed to authenticate CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.
 
2013-10-02T14:59:19.371-0700 [clientcursormon] mem (MB) res:46 virt:474
2013-10-02T14:59:19.378-0700 [clientcursormon]  mapped (incl journal view):320
2013-10-02T14:59:19.378-0700 [clientcursormon]  connections:1
2013-10-02T15:01:32.124-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-10-02T15:01:32.132-0700 [conn1] user.getUser CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US subjectName ÿ =client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US
2013-10-02T15:01:32.140-0700 [conn1] Failed to authenticate CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.
 
2013-10-02T15:02:51.245-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-10-02T15:02:51.252-0700 [conn1] user.getUser CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US subjectName ñ =client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US
2013-10-02T15:02:51.260-0700 [conn1] Failed to authenticate CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.

Comment by Bernie Hackett [ 02/Oct/13 ]

sridhar or milkie would know where the Enterprise builds live. I haven't used them yet.

Comment by Andreas Nilsson [ 02/Oct/13 ]

I need to use a recent version of the Enterprise build then, do you know where I can find it?

Comment by Bernie Hackett [ 02/Oct/13 ]

Well, I'm running on Windows 7. I also built mongo essentially using the Enterprise Edition build instructions. Maybe there is some incompatibility there?

Can you try with the Enterprise Edition builds?

Comment by Andreas Nilsson [ 02/Oct/13 ]

behackett I actually can't reproduce this. It works fine for me. Environment info:

OS: Windows Server 2012 Standard
OpenSSL runtime: http://slproweb.com/download/Win64OpenSSL-1_0_1e.exe
Visual C++ 2008 Redistributable Package x64 - http://www.microsoft.com/en-us/download/details.aspx?id=15336

We need to compare our environments to see what is different.

Comment by Bernie Hackett [ 01/Oct/13 ]

Done. This is...weird...

2013-10-01T11:34:59.990-0700 [conn1]  authenticate db: $external { authenticate: 1, mechanism: "MONGODB-X509", user: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US" }
2013-10-01T11:34:59.990-0700 [conn1] user.getUser CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US subjectName ╢ =client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US
2013-10-01T11:35:00.006-0700 [conn1] Failed to authenticate CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US@$external with mechanism MONGODB-X509: AuthenticationFailed There is no x.509 client certificate matching the user.

Comment by Andreas Nilsson [ 01/Oct/13 ]

I still haven't gotten to open my Windows VM yet, behackett would you mind adding the following debug line to line 264 in db/commands/authentication_commands.cpp to check why the comparison fails.

if (user.getUser() != subjectName) {
    log() << "user.getUser " << user.getUser() << " subjectName " << subjectName;
    return Status(ErrorCodes::AuthenticationFailed,
                  "There is no x.509 client certificate matching the user.");
}

Comment by Bernie Hackett [ 01/Oct/13 ]

Also, the Windows and Linux builds appear to log different things by default (or possibly have different verbose levels). The build I'm using in both operating systems is the same git hash.

Comment by Bernie Hackett [ 01/Oct/13 ]

andreas.nilsson@10gen.com,

That message appears to be the shell automatically trying to query a collection it no longer has permissions to access once the first user is added.

The thing I find strange is this:

 ... writeConcern: { w: "majority", wtimeout: 30000.0 } ...

And

2013-10-01T10:25:09.310-0700 [conn1] run command admin.$cmd { replSetGetStatus: 1.0, forShell: 1.0 }
2013-10-01T10:25:09.310-0700 [conn1] Unauthorized not authorized on admin to execute command { replSetGetStatus: 1.0, forShell: 1.0 }

Right now I'm just testing against a stand alone mongod. It's weird that the shell is using w: "majority" and trying to automatically call replSetGetStatus in the background. spencer, why is that?

Comment by Andreas Nilsson [ 01/Oct/13 ]

Sorry, pasted the wrong log line:

 [conn1] assertion 13 not authorized for query on $external.system.namespaces ns:$external.system.namespaces query:{}

Comment by Spencer Brody (Inactive) [ 01/Oct/13 ]

That's not an error message, that's just the command being logged - probably because it took >100ms to run. All commands (and CRUD operations) that take longer than the slow query threshold (defaults to 100ms) get logged.

Comment by Andreas Nilsson [ 01/Oct/13 ]

The problem is that the server cannot match the subject name from the certificate with the subject name provided by the client. On a first glance it looks like an encoding mismatch. I will spin up a Windows VM during the day and check it out.

The authorization failure log entry concerns me a little bit

[conn1] command $external.$cmd command: { createUser: "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US", roles: [ { name: "userAdminAnyDatabase", source: "admin", hasRole: true, canDelegate: true }, { name: "readWriteAnyDatabase", source: "admin", hasRole: true, canDelegate: true }, { name: "dbAdminAnyDatabase", source: "admin", hasRole: true, canDelegate: true } ], writeConcern: { w: "majority", wtimeout: 30000.0 } } ntoreturn:1 keyUpdates:0 locks(micros) W:263758 r:19 reslen:37 267ms

From the timing it looks like it belongs to the auth() call. spencer do you have any idea why this might happen? Also behackett did you see this particular error during successful auth on Linux (I didn't).

Generated at Thu Feb 08 03:24:33 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.