[SERVER-32551] Cluster with x.509 membership authentication serves client connection with cluster client certificate
Created: 05/Jan/18  Updated: 30/Oct/23  Resolved: 12/Jan/18

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: 3.6.0, 3.6.1
Fix Version/s: 3.6.3, 3.7.1

Type: Bug
Priority: Major - P3
Reporter: Simone Maratea
Assignee: Spencer Jackson
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested: v3.6
Steps To Reproduce:
  • Deploy a replica set with x.509 membership authentication and distinct PEM files for the clusterFile and PEMKeyFile (with "TLS Web Server Authentication" X509v3 Extended Key Usage) mongod options.
  • Connect with mongo using the --ssl option.
Sprint: Platforms 2018-01-15

 Description   

In a 3.6.0 and 3.6.1 replica set cluster with x.509 membership authentication and distinct PEM files for the clusterFile (with "TLS Web Client Authentication" X509v3 Extended Key Usage) and PEMKeyFile (with "TLS Web Server Authentication" X509v3 Extended Key Usage) mongod options, the client SSL connection requests are served with the client certificate (with the obvious [CONNECT_ERROR] for SSL peer certificate validation failed: unsupported certificate purpose).

It affects clusters upgraded from 3.4 to 3.6 and also fresh 3.6 installations.
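A check for the condition this ticket describes, as an added example that is not part of the original report or of MongoDB's code: it reads the Extended Key Usage of each PEM file and reports whether it fits the role the file is configured for, and `served_eku` reads the same field from the certificate a running listener presents. It assumes OpenSSL 1.1.1 or later on the PATH; the function names, file names and sample certificates are constructed here.

```shell
#!/bin/sh
# Added example: check that each mongod PEM carries the EKU its role needs.
# Assumes OpenSSL 1.1.1+ on PATH; all file names and sample certs are constructed.

# Read a PEM certificate on stdin, print its EKU value line (empty if no EKU).
eku_of_pem() {
    text=$(openssl x509 -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' |
        tail -n 1 | sed 's/^ *//'
}

# check_role ROLE FILE -> 0 usable, 1 EKU forbids the role, 2 unreadable/bad role.
# ROLE "server" = PEMKeyFile (presented to clients), "cluster" = clusterFile.
check_role() {
    case "$1" in
        server)  need='TLS Web Server Authentication' ;;
        cluster) need='TLS Web Client Authentication' ;;
        *) return 2 ;;
    esac
    [ -r "$2" ] || return 2
    eku=$(eku_of_pem < "$2") || return 2
    # A certificate without an EKU extension is not restricted by purpose.
    if [ -z "$eku" ]; then return 0; fi
    case "$eku" in *"$need"*) return 0 ;; *) return 1 ;; esac
}

# EKU of the certificate a live listener actually presents (HOST:PORT).
served_eku() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null | eku_of_pem
}

# Constructed self-signed sample: make_sample OUT.pem serverAuth|clientAuth
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed' \
        -addext "extendedKeyUsage=$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 2
    make_sample "$d/server.pem" serverAuth && make_sample "$d/cluster.pem" clientAuth
    for pair in server:server.pem cluster:cluster.pem server:cluster.pem; do
        role=${pair%%:*}; file=${pair#*:}
        if check_role "$role" "$d/$file"; then r=ok; else r=REJECTED; fi
        echo "$role role with $file: $r"
    done
    rm -rf "$d"
}
demo
```

The last demo line is the ticket's failure mode: a certificate limited to "TLS Web Client Authentication" offered as the server certificate, which a validating client rejects with "unsupported certificate purpose".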



 Comments   
Comment by Githook User [ 18/Jan/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)

Message: SERVER-32551: Ensure Transport Layer doesn't use clusterFile as server cert

(cherry picked from commit d34d2ba2b34cc18f8c853ecaa5a9cc59f587282b)
Branch: v3.6
https://github.com/mongodb/mongo/commit/718496371093090402627aa6a70a92ff76831bb2

Comment by Githook User [ 12/Jan/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)

Message: SERVER-32551: Ensure Transport Layer doesn't use clusterFile as server cert
Branch: master
https://github.com/mongodb/mongo/commit/d34d2ba2b34cc18f8c853ecaa5a9cc59f587282b
