[SERVER-34831] Unable to use a client certificate with emailAddress field on OS X Created: 03/May/18  Updated: 29/Oct/23  Resolved: 07/May/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.7.9
Fix Version/s: 4.0.0-rc0

Type: Bug Priority: Major - P3
Reporter: Timothy Olsen (Inactive) Assignee: Mark Benvenuto
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: ca.pem, client.pem, server.pem
Issue Links:
is related to SERVER-34631 Upgrade error from 3.7.3 to 3.7.5 (Closed)
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Generate CA and server PEM key files using 10gen x509gen.

The client PEM key file you will need to generate manually because 10gen x509gen does not support the emailAddress field.

$ openssl req -nodes -newkey rsa:2048 -keyout client.key -out client.csr -subj '/CN=userWithEmail/OU=MMSAutomationClient/O=MongoDB/L=NewYorkCity/ST=NewYork/C=US/emailAddress=user@mongodb.com'
$ openssl x509 -req -CA ca.pem -CAkey ca.pem -in client.csr -out client.cert -CAserial serial -CAcreateserial
$ cat client.cert client.key > client.pem

Note that I am using OpenSSL 1.0.2n.

Then start mongod:

mongod --dbpath=db1 --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem

And try to run the mongo shell:

mongo --ssl --sslCAFile ca.pem --sslPEMKeyFile client.pem
Failed global initialization: InvalidSSLConfiguration Unknown OID: 0x7FCA5FD249A0

Sprint: Platforms 2018-05-07

Description

I am unable to use a client certificate with an emailAddress field with MongoDB 3.7.9 Enterprise on OS X. If I try to use it from the mongo shell, the shell returns:

Failed global initialization: InvalidSSLConfiguration Unknown OID: 0x7FCA5FD249A0

If I try to connect using the mgo driver the driver hangs (it keeps retrying to connect) and mongod logs:

2018-05-03T16:24:22.792-0400 I NETWORK  [conn24] Error receiving request from client: InvalidSSLConfiguration: Unknown OID: 0x7FFDF2913A40. Ending connection from 10.4.110.43:55478 (connection id: 24)

I've only noticed this on OS X. Other OSes appear to not have this problem.
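To make concrete what an "Unknown OID" failure in subject-name handling is, here is an added example (not MongoDB's code, and not the commit referenced in the comments below): a minimal DER decoder for an X.509 Name that maps attribute-type OIDs, including emailAddress (1.2.840.113549.1.9.1), to their short names and reports any OID outside its table in dotted form instead of aborting. The subject bytes are a constructed fixture mirroring the -subj string from the reproduction steps; the small encoder at the bottom exists only to build that fixture. To check a real certificate you would extract its subject Name DER with a library such as pyca/cryptography (assumed, not used here) and pass it to parse_name.

```python
"""Decode an X.509 subject Name from DER and map attribute-type OIDs to short
names.  emailAddress (PKCS#9) is in the table; OIDs outside the table are
reported in dotted form rather than failing.  Added example, not MongoDB code."""

# Attribute-type OIDs from RFC 4519 / RFC 5280 Appendix A; emailAddress from PKCS#9.
EMAIL_OID = "1.2.840.113549.1.9.1"
OID_NAMES = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    EMAIL_OID: "emailAddress",
}

TAG_SEQUENCE, TAG_SET, TAG_OID = 0x30, 0x31, 0x06
TAG_UTF8, TAG_PRINTABLE, TAG_IA5 = 0x0C, 0x13, 0x16
STRING_TAGS = {TAG_UTF8, TAG_PRINTABLE, TAG_IA5}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER: missing tag/length")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8N then N length octets
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER: value runs past end of buffer")
    return tag, buf[pos:end], end


def decode_oid(raw):
    """Content octets of an OBJECT IDENTIFIER -> dotted-decimal string."""
    arcs = [raw[0] // 40, raw[0] % 40]    # first octet packs the first two arcs
    value = 0
    for b in raw[1:]:                     # later arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }.
    Returns a list of RDNs, each a list of (dotted_oid, text) pairs."""
    tag, rdns, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = _read_tlv(rdns, pos)
        if tag != TAG_SET:
            raise ValueError("RelativeDistinguishedName must be a SET")
        atvs, inner = [], 0
        while inner < len(rdn):
            tag, atv, inner = _read_tlv(rdn, inner)
            oid_tag, oid_raw, p = _read_tlv(atv, 0)
            val_tag, val_raw, _ = _read_tlv(atv, p)
            if tag != TAG_SEQUENCE or oid_tag != TAG_OID or val_tag not in STRING_TAGS:
                raise ValueError("unsupported AttributeTypeAndValue encoding")
            atvs.append((decode_oid(oid_raw), val_raw.decode("utf-8")))
        result.append(atvs)
    return result


def format_name(rdns):
    """Render in encoding order; unknown types fall back to their dotted OID.
    (No RFC 2253 escaping of commas or '+' inside values.)"""
    return ",".join("+".join(f"{OID_NAMES.get(o, o)}={v}" for o, v in rdn) for rdn in rdns)


def unknown_attribute_types(rdns):
    """The check to run before deploying a cert: which type OIDs are not mapped?"""
    return [o for rdn in rdns for o, _ in rdn if o not in OID_NAMES]


# --- tiny DER encoder, only to build the constructed fixture below ---------
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_name(attrs):
    """One attribute per RDN; emailAddress is IA5String per RFC 5280, rest PrintableString."""
    body = b""
    for oid, value in attrs:
        str_tag = TAG_IA5 if oid == EMAIL_OID else TAG_PRINTABLE
        atv = _tlv(TAG_OID, encode_oid(oid)) + _tlv(str_tag, value.encode("ascii"))
        body += _tlv(TAG_SET, _tlv(TAG_SEQUENCE, atv))
    return _tlv(TAG_SEQUENCE, body)


# Constructed fixture mirroring the -subj string from the reproduction steps.
SAMPLE_SUBJECT_DER = encode_name([
    ("2.5.4.3", "userWithEmail"), ("2.5.4.11", "MMSAutomationClient"),
    ("2.5.4.10", "MongoDB"), ("2.5.4.7", "NewYorkCity"), ("2.5.4.8", "NewYork"),
    ("2.5.4.6", "US"), (EMAIL_OID, "user@mongodb.com"),
])

if __name__ == "__main__":
    rdns = parse_name(SAMPLE_SUBJECT_DER)
    print(format_name(rdns))
    print("unmapped attribute types:", unknown_attribute_types(rdns))
```

The design point is in format_name and unknown_attribute_types: a subject-name mapper that treats an unlisted attribute type as a fatal configuration error (as the shell did here) rejects otherwise valid certificates, while one that keeps the dotted OID stays usable and lets you surface the gap as a check. Adding the emailAddress entry to the table is the small, targeted change the referenced commit's message describes.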

Comments
Comment by Githook User [ 07/May/18 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-34831 Add support for emailAddress in subject name
Branch: master
https://github.com/mongodb/mongo/commit/a2b64f90fe1dae2706ff6d02fbc991c6409994c0

Comment by Timothy Olsen (Inactive) [ 03/May/18 ]

Relevant example PEM key files attached.

Generated at Thu Feb 08 04:38:00 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.