[SERVER-14709] Server should explicitly disallow usage of X509 authentication without specifying CA
Created: 28/Jul/14  Updated: 11/Jul/16  Resolved: 20/Aug/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.6.3
Fix Version/s: 2.7.6

Type: Bug
Priority: Major - P3
Reporter: Alexander Komyagin
Assignee: Spencer Jackson
Resolution: Done
Votes: 0
Labels: cap-ticket-needed, pull-request
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links: related to DOCS-3834 Update docs to reflect that CA is man... (Closed)
Tested
Operating System: ALL
Participants:

 Description   

SSLManager::parseAndValidatePeerCertificate returns "" if no CAfile is provided, so the X509 subj is not extracted and you won't be able to authenticate.

The "There is no x.509 client certificate matching the user." error will be thrown.

UPD: Apparently our position is that we don't want people to use X509 without specifying a CA, because we don't know if we can trust the certificate provided.
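
An added example, not code from this ticket or from the MongoDB project: a pre-deployment check that flags a mongod command line which relies on X.509 (the MONGODB-X509 client mechanism or an X.509-capable --clusterAuthMode) while no --sslCAFile is given. Treating sendKeyFile and sendX509 as X.509 modes and inspecting only explicitly set options are assumptions of this example; the sample command lines and paths are constructed.

```python
import shlex

# Assumption: every clusterAuthMode except keyFile can involve X.509 certificates.
X509_CLUSTER_MODES = {"sendKeyFile", "sendX509", "x509"}

def parse_mongod_args(cmdline):
    """Return (options, setParameter values) parsed from a mongod command line."""
    opts, params = {}, {}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("--"):
            name, sep, value = tokens[i][2:].partition("=")
            # "--opt value" form: take the next token unless it is another option
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                i += 1
                value = tokens[i]
            if name == "setParameter":  # may be given several times
                key, _, val = value.partition("=")
                params[key] = val
            else:
                opts[name] = value
        i += 1
    return opts, params

def x509_without_ca(cmdline):
    """List the ways this command line relies on X.509 while no CA file is set."""
    opts, params = parse_mongod_args(cmdline)
    if opts.get("sslCAFile"):
        return []
    findings = []
    mechs = [m.strip() for m in params.get("authenticationMechanisms", "").split(",")]
    if "MONGODB-X509" in mechs:
        findings.append("MONGODB-X509 enabled without --sslCAFile")
    if opts.get("clusterAuthMode") in X509_CLUSTER_MODES:
        findings.append("clusterAuthMode=%s without --sslCAFile" % opts["clusterAuthMode"])
    return findings

# Constructed sample command lines; the paths are placeholders.
BASE = "mongod --sslMode requireSSL --sslPEMKeyFile /path/to/server.pem "
SAMPLES = [
    BASE + "--setParameter authenticationMechanisms=MONGODB-X509,MONGODB-CR",
    BASE + "--clusterAuthMode x509",
    BASE + "--sslCAFile /path/to/ca.pem --clusterAuthMode x509",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(x509_without_ca(cmd) or "ok", "<-", cmd)
```

Options set in a --config file are not seen by this check.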



 Comments   
Comment by Githook User [ 04/Nov/14 ]

Author: Luke Lovett (lovett89) <luke.lovett@mongodb.com>

Message: SERVER-14709 Add ssl_without_ca.js to test the behavior of the server without a CA file.

Closes #857

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/159c1ed111216d2aa0ccc7fca4bba07f2058997b

Comment by Githook User [ 15/Aug/14 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com>

Message: SERVER-14709 SERVER-14896 Add more SSL data to serverStatus. Enforce X.509 cluster having a CA

Closes #747

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/df064a77f5bbf80396ce71c70f68eecc062d1b42
