[SERVER-43085] Regenerate all testing certificates with SHA-256 instead of SHA-1
Created: 29/Aug/19
Updated: 29/Oct/23
Resolved: 23/Oct/19

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 3.6.16, 4.3.1, 3.4.24, 4.2.2, 4.0.14

Type: Improvement
Priority: Major - P3
Reporter: Adam Cooper (Inactive)
Assignee: Sara Golemon
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: Debian GNU/Linux bullseye, openssl v1.1.1c


Backwards Compatibility: Fully Compatible
Backport Requested: v4.2, v4.0, v3.6, v3.4
Sprint: Security 2019-10-07, Security 2019-10-21, Security 2019-11-04
Linked BF Score: 40

 Description   

On certain newer implementations of openssl, such as the one currently on Debian's testing branch, SHA-1 as the digest algorithm in certificates is rejected by the default OpenSSL config because it is deprecated. There is a workaround to fix it, but it seems to be a not-very-safe thing to do for anything else on the system using OpenSSL, and it would probably just be better to update the certificates we use for testing to SHA-256 instead.

This causes test failures. I discovered this when testing kmip.js on my system, which failed with:

cannot read certificate file: src/mongo/db/modules/enterprise/jstests/encryptdb/libs/client_password_protected.pem error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak

See https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1 for context



 Comments   
Comment by Githook User [ 13/Nov/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d)
(cherry picked from commit 0fb7557a6bff0930f025b3036bcbb0c1ef0191db)
Branch: v3.4
https://github.com/mongodb/mongo/commit/2b5f3b0e339a1884e9cc07fe899577bb9eb6280d

Comment by Githook User [ 13/Nov/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436)
Branch: v3.4
https://github.com/10gen/mongo-enterprise-modules/commit/827e7c9de6eb3a56038eb57cf50579425f7179cd

Comment by Githook User [ 13/Nov/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d)
(cherry picked from commit 0fb7557a6bff0930f025b3036bcbb0c1ef0191db)
Branch: v3.6
https://github.com/mongodb/mongo/commit/7706cef78c934916b2625e109571875dec8af7ac

Comment by Githook User [ 13/Nov/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436)
Branch: v3.6
https://github.com/10gen/mongo-enterprise-modules/commit/3f05c1e50365be5c6150ea45a237c8699fb2d193

Comment by Githook User [ 13/Nov/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d)
(cherry picked from commit 0fb7557a6bff0930f025b3036bcbb0c1ef0191db)
Branch: v4.0
https://github.com/mongodb/mongo/commit/eae761f417f689aaefd276ba195527ff1df64e3e

Comment by Githook User [ 13/Nov/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436)
Branch: v4.0
https://github.com/10gen/mongo-enterprise-modules/commit/b43c6550f751a5f5a7228d52c0ffa116ac3fb4c2

Comment by Githook User [ 11/Nov/19 ]

Author:

{'name': 'Sara Golemon', 'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit d268b9a7f0273c99b5a67cdc36237b5789046436)
Branch: v4.2
https://github.com/10gen/mongo-enterprise-modules/commit/97c578b51dd38a86c423ca4c4a2d10f8a948d82a

Comment by Githook User [ 11/Nov/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate X509 test certificates

(cherry picked from commit 5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d)
(cherry picked from commit 0fb7557a6bff0930f025b3036bcbb0c1ef0191db)
Branch: v4.2
https://github.com/mongodb/mongo/commit/dc6ef5a552519da68c7c880a3a33ad315b32c466

Comment by Githook User [ 23/Oct/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate trusted-{ca,client,server}.pem certificates
Branch: master
https://github.com/mongodb/mongo/commit/0fb7557a6bff0930f025b3036bcbb0c1ef0191db

Comment by Githook User [ 20/Oct/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Revert trusted-{client,server}.pfx
Branch: master
https://github.com/mongodb/mongo/commit/3b5b753c22f10890b43bead4392888de3c691611

Comment by Githook User [ 18/Oct/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate X509 test certificates

Update all certs except trusted-*.pem chain.
trusted-*.pem will be updated when BUILD hosts are ready.
Branch: master
https://github.com/mongodb/mongo/commit/5d6cfabf7cc4ba4d23c30b7d02ea79a1d664137d

Comment by Githook User [ 18/Oct/19 ]

Author:

{'username': 'sgolemon', 'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon'}

Message: SERVER-43085 Regenerate X509 test certificates
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/d268b9a7f0273c99b5a67cdc36237b5789046436
