[SERVER-36619] Test that ECDSA certificates can be loaded by OpenSSL on Linux Created: 13/Aug/18 Updated: 29/Oct/23 Resolved: 05/Nov/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.1.5 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Gregory McKeon (Inactive) | Assignee: | Patrick Freed |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2018-11-05 |
| Participants: |
| Description |
|
ECDHE-based cipher suites tend to be slower than non-Forward Secrecy preserving variants. The mitigation for this is to deploy certificates containing ECDSA keys (preferably themselves signed by a CA with ECDSA). Because ECDSA is significantly faster than RSA, this results in comparable performance. We should generate an ECDSA certificate with OpenSSL, check it into jstests/libs (with instructions describing how to regenerate it), and write a JSTest which validates that we can use it as a tlsPEMKeyFile. If any platforms fail to load the certificate, we should bake that information into the test. |
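One way to do the generation step the description asks for, with an offline sanity check of the combined PEM. This is an added example, not MongoDB's test or the certificate checked into jstests/libs; the file names, subject names, prime256v1 curve and 365-day lifetime are assumptions. It does not start a server, so loading the file as tlsPEMKeyFile still has to be exercised separately.

```shell
#!/bin/sh
# Added example. File names, subject names, the prime256v1 curve and the
# 365-day lifetime are assumptions, not values from the ticket.

# gen_ecdsa_pem DIR: create an ECDSA CA, a server certificate signed by it,
# and DIR/ecdsa-server.pem (certificate followed by its private key).
gen_ecdsa_pem() (
    dir=$1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ecdsa-ca.key" &&
    openssl req -new -x509 -sha256 -days 365 -key "$dir/ecdsa-ca.key" \
        -subj "/O=Example/CN=Example ECDSA CA" -out "$dir/ecdsa-ca.crt" &&
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ecdsa-server.key" &&
    openssl req -new -sha256 -key "$dir/ecdsa-server.key" \
        -subj "/O=Example/CN=localhost" -out "$dir/ecdsa-server.csr" &&
    openssl x509 -req -sha256 -days 365 -in "$dir/ecdsa-server.csr" \
        -CA "$dir/ecdsa-ca.crt" -CAkey "$dir/ecdsa-ca.key" -CAcreateserial \
        -out "$dir/ecdsa-server.crt" &&
    cat "$dir/ecdsa-server.crt" "$dir/ecdsa-server.key" > "$dir/ecdsa-server.pem"
)

# check_ecdsa_pem PEM CA: succeed only if PEM holds an EC certificate that is
# ECDSA-signed, the private key in PEM matches it, and it chains to CA.
check_ecdsa_pem() (
    pem=$1
    ca=$2
    text=$(openssl x509 -in "$pem" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q "Public Key Algorithm: id-ecPublicKey" || return 1
    printf '%s\n' "$text" | grep -q "Signature Algorithm: ecdsa-with-SHA256" || return 1
    # The public key derived from the private key must equal the certificate's.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl verify -CAfile "$ca" "$pem" >/dev/null
)

# Usage:
#   d=$(mktemp -d) && gen_ecdsa_pem "$d" &&
#   check_ecdsa_pem "$d/ecdsa-server.pem" "$d/ecdsa-ca.crt" && echo "PEM OK"
```

The commands inside `gen_ecdsa_pem` double as the regeneration instructions the description asks to keep next to the checked-in file.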
| Comments |
| Comment by Githook User [ 05/Nov/18 ] |
|
Author: {'name': 'Patrick Freed', 'email': 'patrick.freed@mongodb.com', 'username': 'patrickfreed'} Message: |
| Comment by Githook User [ 02/Nov/18 ] |
|
Author: {'name': 'Patrick Freed', 'email': 'patrick.freed@mongodb.com', 'username': 'patrickfreed'} Message: |