[SERVER-39217] TLS intermediate CA certificate not working with macOS and 4.0.5
Created: 27/Jan/19   Updated: 29/Oct/23   Resolved: 01/Mar/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 4.0.5
Fix Version/s: 4.0.8, 4.1.9
Type: Bug
Priority: Major - P3
Reporter: Spencer Brown
Assignee: Sara Golemon
Resolution: Fixed
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Attachments:
Issue Links:
Backwards Compatibility: Minor Change
Operating System: OS X
Backport Requested: v4.0
Steps To Reproduce: See the attached file repro.tar.gz and read the README.markdown file for full repro details and results. Note that the file has some private keys, but they were generated just for this repro.
Sprint: Security 2019-02-11, Security 2019-02-25, Security 2019-03-11
Participants:
Description

Combination of the following conditions causes a failure to connect with TLS from mongo shell:
Comments

Comment by Githook User [22/Mar/19]
Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 987e5fc980b2288371ebd2c133b58466cc646d60)

Comment by Githook User [01/Mar/19]
Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message:
Comment by Spencer Brown [08/Feb/19]

I see from the code review that there's a discussion about requiring intermediate CA certificates to be placed in the CAFile (or clusterCAFile, I guess) and banning them from the PEMKeyFile, at least for non-OpenSSL environments. I would be fine with that. I would point out that a fix is still needed for macOS, because I still get a failure on 4.0.5 when the intermediate CA certificate is in the CAFile. But you probably knew that. Banning intermediate CA certs from the PEMKeyFile would not even be a regression on macOS (and I guess Windows), because it doesn't work at all since 4.0. We just need to be sure to document it. Making
Comment by Sara Golemon [07/Feb/19]

Quick update: I've identified the cause and should be able to work out a fix. In the meantime, if you convert your server key bundle from a .pem file to PKCS#12, then the current release version should "just work". I'll update once I have a proper fix.
Comment by Spencer Brown [01/Feb/19]

Tried moving the intermediate CA certificate into the server's CAFile along with the root CA certificate. So the server's configured CAFile has the intermediate and root CA certificates, and the PEMKeyFile has the server key and certificate. On macOS:

and openssl s_client connect -showcerts shows that the server is only sending the server certificate. But the same setup works on Linux with 4.0.5, and on macOS with 3.6.10, and openssl s_client -showcerts shows that the server is sending all three certificates in those cases.