[SERVER-14709] Server should explicitly disallow usage of X509 authentication without specifying CA
Created: 28/Jul/14 Updated: 11/Jul/16 Resolved: 20/Aug/14
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.6.3 |
| Fix Version/s: | 2.7.6 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Alexander Komyagin | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | cap-ticket-needed, pull-request |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Description |
|
SSLManager::parseAndValidatePeerCertificate returns "" if no CAfile is provided, so the X509 subj is not extracted and you won't be able to authenticate. The "There is no x.509 client certificate matching the user." error will be thrown. UPD: Apparently our position is that we don't want people to use X509 without specifying a CA, because we don't know if we can trust the certificate provided. |
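An operator-side preflight check for the condition described above, as an added example (not MongoDB server code and not part of the ticket). It assumes the mongod YAML configuration has already been parsed into a dict and inspects only explicitly set options; the function name `x509_without_ca` and the sample configs with placeholder paths are constructed here.

```python
# Added example: flags X.509 authentication configured without a CA file.
# Assumption: cfg is the mongod YAML config already parsed into nested dicts.

# clusterAuthMode values under which members send or accept X.509 certificates.
X509_CLUSTER_MODES = {"sendKeyFile", "sendX509", "x509"}

def _get(cfg, dotted, default=None):
    """Walk a nested dict using a dotted option path such as 'net.ssl.CAFile'."""
    node = cfg
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node

def x509_without_ca(cfg):
    """Return a list of findings; an empty list means the condition was not found."""
    findings = []
    if _get(cfg, "net.ssl.CAFile"):
        return findings  # a CA is configured, so peer certificates can be validated
    mechs = _get(cfg, "setParameter.authenticationMechanisms") or ""
    if isinstance(mechs, str):  # accept "A,B" as well as a YAML list
        mechs = [m.strip() for m in mechs.split(",") if m.strip()]
    if "MONGODB-X509" in mechs:
        findings.append("MONGODB-X509 enabled but net.ssl.CAFile is not set")
    mode = _get(cfg, "security.clusterAuthMode")
    if mode in X509_CLUSTER_MODES:
        findings.append("clusterAuthMode=%s but net.ssl.CAFile is not set" % mode)
    return findings

# Constructed sample configs; all paths are placeholders.
WEAK = {
    "net": {"ssl": {"mode": "requireSSL", "PEMKeyFile": "/path/to/server.pem"}},
    "security": {"clusterAuthMode": "x509"},
    "setParameter": {"authenticationMechanisms": "MONGODB-CR,MONGODB-X509"},
}
FIXED = {
    "net": {"ssl": {"mode": "requireSSL", "PEMKeyFile": "/path/to/server.pem",
                    "CAFile": "/path/to/ca.pem"}},
    "security": {"clusterAuthMode": "x509"},
    "setParameter": {"authenticationMechanisms": "MONGODB-CR,MONGODB-X509"},
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, x509_without_ca(cfg) or "ok")
```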
| Comments |
| Comment by Githook User [ 04/Nov/14 ] |
|
Author: Luke Lovett (lovett89) <luke.lovett@mongodb.com>
Message: Closes #857 Signed-off-by: Benety Goh <benety@mongodb.com> |
| Comment by Githook User [ 15/Aug/14 ] |
|
Author: Spencer Jackson <spencer.jackson@mongodb.com>
Message: Closes #747 Signed-off-by: Benety Goh <benety@mongodb.com> |