[SERVER-34413] MONGODB-X509 fails on Windows with Native TLS Created: 11/Apr/18  Updated: 29/Oct/23  Resolved: 17/Apr/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.7.3
Fix Version/s: 4.0.0-rc0

Type: Bug Priority: Major - P3
Reporter: Bernie Hackett Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Platforms 2018-04-23
Participants:

Description

Now that SERVER-34344 is resolved Windows testing has uncovered another issue in master. The username for MONGODB-X509 doesn't seem to be parsed properly.

 [2018/04/10 18:16:14.425] ======================================================================
 [2018/04/10 18:16:14.425] ERROR [0.194s]: test_mongodb_x509_auth (test_ssl.TestSSL)
 [2018/04/10 18:16:14.672] ----------------------------------------------------------------------
 [2018/04/10 18:16:14.672] Traceback (most recent call last):
 ...
 [2018/04/10 18:16:14.672]   File "C:\data\mci\3881e811fc56f3917fc8d08ba600f76c\src\pymongo\helpers.py", line 145, in _check_command_response
 [2018/04/10 18:16:14.672]     raise OperationFailure(msg % errmsg, code, response)
 [2018/04/10 18:16:14.672] pymongo.errors.OperationFailure: Could not find user C=US,ST=California,L=Palo Alto,O="",OU=Drivers,CN=client@$external
 [2018/04/10 18:16:14.672] ----------------------------------------------------------------------

2018-04-10T22:16:02.206+0000 I ACCESS   [conn878] Failed to authenticate C=US,ST=California,L=Palo Alto,O="",OU=Drivers,CN=client@$external from client 127.0.0.1:52070 with mechanism MONGODB-X509: UserNotFound: Could not find user C=US,ST=California,L=Palo Alto,O="",OU=Drivers,CN=client@$external

2018-04-10T22:11:27.681+0000 I CONTROL  [initandlisten] targetMinOS: Windows 7/Windows Server 2008 R2
2018-04-10T22:11:27.681+0000 I CONTROL  [initandlisten] db version v3.7.3-444-gf98493d311
2018-04-10T22:11:27.681+0000 I CONTROL  [initandlisten] git version: f98493d3112905d2ad988b453b74d9555f5fdac8
2018-04-10T22:11:27.681+0000 I CONTROL  [initandlisten] allocator: tcmalloc
2018-04-10T22:11:27.681+0000 I CONTROL  [initandlisten] modules: enterprise 
2018-04-10T22:11:27.681+0000 I CONTROL  [initandlisten] build environment:
2018-04-10T22:11:27.682+0000 I CONTROL  [initandlisten]     distmod: windows-64
2018-04-10T22:11:27.682+0000 I CONTROL  [initandlisten]     distarch: x86_64
2018-04-10T22:11:27.682+0000 I CONTROL  [initandlisten]     target_arch: x86_64
2018-04-10T22:11:27.682+0000 I CONTROL  [initandlisten] options: { config: "c:\data\mci\3881e811fc56f3917fc8d08ba600f76c\drivers-tools\.evergreen\orchestration\db\mongo-rap3na", net: { bindIp: "127.0.0.1,::1", compression: { compressors: "zlib,snappy,noop" }, ipv6: true, port: 27018, ssl: { CAFile: "C:/data/mci/3881e811fc56f3917fc8d08ba600f76c/drivers-tools/.evergreen/x509gen/ca.pem", PEMKeyFile: "C:/data/mci/3881e811fc56f3917fc8d08ba600f76c/drivers-tools/.evergreen/x509gen/server.pem", mode: "requireSSL", weakCertificateValidation: true } }, replication: { enableMajorityReadConcern: true, oplogSizeMB: 500, replSet: "repl0" }, security: { keyFile: "c:\data\mci\3881e811fc56f3917fc8d08ba600f76c\drivers-tools\.evergreen\orchestration\db\tmpdvp_p2\key" }, setParameter: { enableTestCommands: "1" }, storage: { dbPath: "c:\data\mci\3881e811fc56f3917fc8d08ba600f76c\drivers-tools\.evergreen\orchestration\db\mongo-y_uwa6", journal: { enabled: true }, mmapv1: { nsSize: 1, preallocDataFiles: false, smallFiles: true } }, systemLog: { destination: "file", path: "c:\data\mci\3881e811fc56f3917fc8d08ba600f76c\drivers-tools\.evergreen\orchestration\db\mongo-y_uwa6\mongod.log" } }



Comments
Comment by Githook User [ 17/Apr/18 ]

Author:

{'name': 'Mark Benvenuto', 'email': 'mark.benvenuto@mongodb.com', 'username': 'markbenvenuto'}

Message: SERVER-34413 Converting Certificate Subject Names to strings need to obey RFC 2253
Branch: master
https://github.com/mongodb/mongo/commit/aa0995f8cd3a2f42346439296d1e103be5926a4b

Comment by Mark Benvenuto [ 11/Apr/18 ]

The Apple and Windows implementations both need to convert certificate subject names to strings per RFC 2253. Windows was using RFC 1779, which has more subtle differences than can be patched over. Also, the escaping rules are different and need to be standardized across the implementations.

Comment by Mark Benvenuto [ 11/Apr/18 ]

A clearer repro would have helped identify that it is a discrepancy where it would quote empty values as "" instead of just a blank value.

Example:

> db.getSiblingDB("$external").auth({
...         mechanism: "MONGODB-X509",
...         user:
...             'C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client'
...     });
Error: Username "C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client" does not match the provided client certificate user "C=US,ST=California,L=Palo Alto,O="",OU=Drivers,CN=client"
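
Both of Mark Benvenuto's comments above come down to how a certificate subject is turned into a string: RFC 2253 section 2 writes an empty attribute value as nothing (O=), while the RFC 1779-style output on Windows quoted it (O=""), so the server's string comparison during MONGODB-X509 authentication failed even though both spellings name the same subject. The following is an added Python example, not MongoDB's code, that implements RFC 2253 serialization (section 2.4 escaping, '+'-joined multi-valued RDNs, the optional section 2.1 reversal of ASN.1 order) and a parser that also accepts the quoted form section 4 requires parsers to tolerate, so the two spellings of the ticket's subject can be compared structurally. The RDN list and the two subject strings are taken from the ticket; the function names, the `reverse` flag and the other sample values are this example's own.

```python
"""RFC 2253 string form of an X.500 Distinguished Name (added example)."""
from typing import List, Sequence, Tuple

RDN = Sequence[Tuple[str, str]]      # one RelativeDistinguishedName: (type, value) pairs
_SPECIAL = set(',+"\\<>;')           # RFC 2253 section 2.4: always backslash-escaped


def escape_value(value: str) -> str:
    """Escape one AttributeValue per RFC 2253 section 2.4.
    An empty value comes back empty; the RFC never wraps it in quotes."""
    out: List[str] = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif (ch == " " and i in (0, last)) or (ch == "#" and i == 0):
            out.append("\\" + ch)            # leading space or '#', trailing space
        elif ord(ch) < 0x20 or ch == "\x7f":
            # optional form: a \XX hex pair for each UTF-8 byte of the character
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def dn_to_rfc2253(rdns: Sequence[RDN], reverse: bool = False) -> str:
    """Serialize an RDNSequence: values of a multi-valued RDN joined with
    '+', RDNs joined with ','.  RFC 2253 section 2.1 prints the sequence
    last element first, so pass reverse=True when rdns is in ASN.1 order.
    The ticket shows its subject in C=...,CN=... order, so the sample below
    keeps the order as given (reverse=False)."""
    ordered = list(reversed(rdns)) if reverse else list(rdns)
    return ",".join(
        "+".join(f"{t}={escape_value(v)}" for t, v in rdn) for rdn in ordered
    )


def parse_rfc2253(text: str) -> List[List[Tuple[str, str]]]:
    """Parse a DN string back into an RDNSequence (list of RDNs, each a list
    of (type, value) tuples).  Understands backslash escapes and hex pairs
    (section 3) and the quoted-value form that section 4 says parsers MUST
    accept, with the quotes not part of the value.  That quoted form is what
    the Windows side emitted for the empty organisation in the ticket."""
    rdns: List[List[Tuple[str, str]]] = [[]]
    attr_type: List[str] = []
    raw = bytearray()                    # UTF-8 bytes of the value being read
    in_type, in_quote, i = True, False, 0
    while i < len(text):
        ch = text[i]
        if in_type:
            if ch == "=":
                in_type = False
            else:
                attr_type.append(ch)
        elif ch == "\\" and i + 1 < len(text):
            i += 1
            nxt = text[i]
            if nxt in _SPECIAL or nxt in " #":
                raw.extend(nxt.encode("utf-8"))
            else:                                  # \XX: one UTF-8 byte
                raw.append(int(text[i:i + 2], 16))
                i += 1
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote and ch in ",+":
            rdns[-1].append(("".join(attr_type), raw.decode("utf-8")))
            attr_type, raw, in_type = [], bytearray(), True
            if ch == ",":
                rdns.append([])
        else:
            raw.extend(ch.encode("utf-8"))
        i += 1
    rdns[-1].append(("".join(attr_type), raw.decode("utf-8")))
    return rdns


def x509_user_matches(requested: str, cert_subject: str) -> bool:
    """Structural comparison of the username the client sent with the
    subject derived from its certificate.  The server in the ticket compared
    the raw strings, which is why O= and the quoted empty O failed to match."""
    return parse_rfc2253(requested) == parse_rfc2253(cert_subject)


# The subject from the ticket as an RDNSequence (constructed from the log lines).
TICKET_SUBJECT = [
    [("C", "US")], [("ST", "California")], [("L", "Palo Alto")],
    [("O", "")], [("OU", "Drivers")], [("CN", "client")],
]
# The two spellings that appear in the ticket: the username the test passed
# to auth(), and the string the Windows TLS code derived from the certificate.
REQUESTED_USER = "C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client"
WINDOWS_SUBJECT = 'C=US,ST=California,L=Palo Alto,O="",OU=Drivers,CN=client'

if __name__ == "__main__":
    print(dn_to_rfc2253(TICKET_SUBJECT))                       # RFC 2253 form, O= stays empty
    print(dn_to_rfc2253(TICKET_SUBJECT) == WINDOWS_SUBJECT)    # False: the ticket's mismatch
    print(x509_user_matches(REQUESTED_USER, WINDOWS_SUBJECT))  # True once both are parsed
```

The fix the commit describes is the serialization side: make every platform emit the same RFC 2253 string so that a plain string comparison works. The parser here shows the other defensible design, comparing parsed RDN sequences, which is what keeps a quoted empty value and a bare one from being treated as different users.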

Comment by Bernie Hackett [ 11/Apr/18 ]

The test certs can be found here: https://github.com/mongodb/mongo-python-driver/tree/master/test/certificates

Generated at Thu Feb 08 04:36:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.