[SERVER-39107] Certificate validation fails with Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING Created: 19/Jan/19  Updated: 29/Oct/23  Resolved: 30/Jan/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 4.1.7
Fix Version/s: 4.1.8

Type: Bug Priority: Major - P3
Reporter: Shane Harvey Assignee: Jonathan Reams
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: ca.pem, client.pem, server.pem
Issue Links:
Problem/Incident
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security 2019-02-11
Participants:

Description

MongoDB version:

mongodb-macos-x86_64-enterprise-4.1.7-40-gbfb0aec/bin/mongod --version
db version v4.1.7-40-gbfb0aec
git version: bfb0aec447f39633694dcc4418f2a5a5a167937e
allocator: system
modules: enterprise
build environment:
    distarch: x86_64
    target_arch: x86_64

Start mongod with the attached certificates ( server.pem, ca.pem):

$ mongodb-macos-x86_64-enterprise-4.1.7-40-gbfb0aec/bin/mongod -v --sslOnNormalPorts --sslWeakCertificateValidation --sslCAFile=ca.pem --sslPEMKeyFile=server.pem --dbpath tmp-data

Attempt to connect with the mongo shell (or any driver) with client.pem:

$ mongo --ssl --sslAllowInvalidCertificates --sslPEMKeyFile=client.pem
MongoDB shell version v4.0.1
connecting to: mongodb://127.0.0.1:27017
2019-01-18T16:25:57.426-0800 W NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
2019-01-18T16:25:57.426-0800 E QUERY    [js] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017'  :
connect@src/mongo/shell/mongo.js:257:13
@(connect):1:6
exception: connect failed

The server logs the following error:

2019-01-18T16:25:57.387-0800 I NETWORK  [listener] connection accepted from 127.0.0.1:55477 #2 (1 connection now open)
2019-01-18T16:25:57.420-0800 D -        [conn2] User Assertion: UnsupportedFormat: Invalid IP address in CIDR string src/mongo/util/net/cidr.cpp 117
2019-01-18T16:25:57.423-0800 D -        [conn2] User Assertion: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING src/mongo/util/icu.cpp 85
2019-01-18T16:25:57.423-0800 D -        [conn2] User Assertion: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING src/mongo/transport/session_asio.h 633
2019-01-18T16:25:57.423-0800 I NETWORK  [conn2] Error receiving request from client: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING. Ending connection from 127.0.0.1:55477 (connection id: 2)
2019-01-18T16:25:57.423-0800 I NETWORK  [conn2] end connection 127.0.0.1:55477 (0 connections now open)

These certificates work without a problem on MongoDB 2.6-4.0 so I think there has been a regression somewhere. Also worth noting is that this failure happens on all platforms, not just macOS. This issue is currently blocking drivers from testing against the latest version of the server.



Comments
Comment by Githook User [ 30/Jan/19 ]

Author:

{'username': 'jbreams', 'email': 'jbreams@mongodb.com', 'name': 'Jonathan Reams'}

Message: SERVER-39107 Allow empty components in certificate DNs
Branch: master
https://github.com/mongodb/mongo/commit/ac3f2f46c776d844e44d2cd31629ebc1eacf1638

Comment by Jonathan Reams [ 29/Jan/19 ]

shane.harvey, the client.pem certificate has an invalid subject name:

  184:d=2  hl=2 l= 100 cons: SEQUENCE
  186:d=3  hl=2 l=  15 cons: SET
  188:d=4  hl=2 l=  13 cons: SEQUENCE
  190:d=5  hl=2 l=   3 prim: OBJECT            :commonName
  195:d=5  hl=2 l=   6 prim: PRINTABLESTRING   :client
  203:d=3  hl=2 l=  16 cons: SET
  205:d=4  hl=2 l=  14 cons: SEQUENCE
  207:d=5  hl=2 l=   3 prim: OBJECT            :organizationalUnitName
  212:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Drivers
  221:d=3  hl=2 l=   9 cons: SET
  223:d=4  hl=2 l=   7 cons: SEQUENCE
  225:d=5  hl=2 l=   3 prim: OBJECT            :organizationName
  230:d=5  hl=2 l=   0 prim: PRINTABLESTRING   :
  232:d=3  hl=2 l=  18 cons: SET
  234:d=4  hl=2 l=  16 cons: SEQUENCE
  236:d=5  hl=2 l=   3 prim: OBJECT            :localityName
  241:d=5  hl=2 l=   9 prim: PRINTABLESTRING   :Palo Alto
  252:d=3  hl=2 l=  19 cons: SET
  254:d=4  hl=2 l=  17 cons: SEQUENCE
  256:d=5  hl=2 l=   3 prim: OBJECT            :stateOrProvinceName
  261:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :California
  273:d=3  hl=2 l=  11 cons: SET
  275:d=4  hl=2 l=   9 cons: SEQUENCE
  277:d=5  hl=2 l=   3 prim: OBJECT            :countryName
  282:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US

The O component is empty, and RFC 5280 specifies that components must be at least one code point long. However, since we supported this before 4.2, I will add an exception in our certificate normalization/validation code.
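
The following script is an added example, not MongoDB's code and not the attached certificate: it walks the DER-encoded Subject Name the way the asn1parse dump above shows it (SEQUENCE of SET of SEQUENCE { OID, value }) and reports attribute values of zero length, which RFC 5280 Appendix A rules out by giving every X.520 DirectoryString type a SIZE (1..ub-*) constraint. SAMPLE_SUBJECT is constructed by re-encoding the dump above byte for byte (it comes out at the same 100 bytes); the helper names read_tlv, parse_name, empty_components and subject_from_cert are the example's own.

```python
"""Flag empty RDN attribute values in an X.509 Subject Name (added example,
not MongoDB's code). RFC 5280 Appendix A gives the X.520 DirectoryString types
SIZE (1..ub-*), so a zero-length organizationName is malformed content even
though OpenSSL and most TLS stacks accept it."""
import base64
import re

OID_NAMES = {  # X.520 attribute types common in subject DNs
    "2.5.4.3": "commonName", "2.5.4.6": "countryName",
    "2.5.4.7": "localityName", "2.5.4.8": "stateOrProvinceName",
    "2.5.4.10": "organizationName", "2.5.4.11": "organizationalUnitName",
    "1.2.840.113549.1.9.1": "emailAddress",
}
# ASN.1 string tag -> codec: UTF8String, PrintableString, IA5String, BMPString
STRING_CODECS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x1E: "utf-16-be"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def decode_oid(raw):
    """OBJECT IDENTIFIER contents -> dotted-decimal string."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_name(name_der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value }. Returns
    [(attribute, value)] in encoded order; empty values come back as ""."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdns):
        tag, rdn, pos = read_tlv(rdns, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        p = 0
        while p < len(rdn):  # SET OF AttributeTypeAndValue
            tag, atv, p = read_tlv(rdn, p)
            if tag != 0x30:
                raise ValueError("AttributeTypeAndValue must be a SEQUENCE")
            t, oid_raw, q = read_tlv(atv, 0)
            if t != 0x06:
                raise ValueError("attribute type must be an OID")
            vt, val, _ = read_tlv(atv, q)
            codec = STRING_CODECS.get(vt)
            oid = decode_oid(oid_raw)
            attrs.append((OID_NAMES.get(oid, oid), val.decode(codec) if codec else val.hex()))
    return attrs


def empty_components(name_der):
    """Attribute names whose value is zero-length (not allowed by RFC 5280)."""
    return [attr for attr, value in parse_name(name_der) if value == ""]


def subject_from_cert(cert_bytes):
    """Raw DER Subject Name of a PEM or DER certificate (walks TBSCertificate:
    optional [0] version, serialNumber, signature, issuer, validity, subject)."""
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        cert_bytes = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert_bytes))
    _, cert, _ = read_tlv(cert_bytes, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0  # skip the explicit [0] version if present
    for _ in range(4):               # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(tbs, pos)
    _, _, end = read_tlv(tbs, pos)
    return tbs[pos:end]


# Constructed sample: the Subject Name re-encoded from the asn1parse dump in the
# comment above (100-byte body, matching "hl=2 l= 100"); not client.pem itself.
SAMPLE_SUBJECT = bytes.fromhex(
    "3064"
    "310f300d06035504031306636c69656e74"           # CN=client
    "3110300e060355040b130744726976657273"         # OU=Drivers
    "31093007060355040a1300"                       # O=  (13 00: empty value)
    "311230100603550407130950616c6f20416c746f"     # L=Palo Alto
    "311330110603550408130a43616c69666f726e6961"   # ST=California
    "310b3009060355040613025553"                   # C=US
)

if __name__ == "__main__":
    for attr, value in parse_name(SAMPLE_SUBJECT):
        print(f"{attr}={value!r}")
    print("empty components:", empty_components(SAMPLE_SUBJECT))
```

To run the same check against the attached certificate, pass the file's bytes through subject_from_cert: `empty_components(subject_from_cert(open("client.pem", "rb").read()))` returns `["organizationName"]` for a subject shaped like the dump above. The walker only looks at the subject; the issuer sits one element earlier in TBSCertificate and can be checked the same way, which matters because a CA with an empty component would fail the same normalization on every certificate it has signed.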

Generated at Thu Feb 08 04:51:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.