[SERVER-48533] Centos 7 mongodb-org-server-3.6 rpm ssl connection failure with PKCS disabled on client Created: 02/Jun/20 Updated: 01/Jul/20 Resolved: 01/Jul/20 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Packaging |
| Affects Version/s: | 3.6.18 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Ryan Krumins | Assignee: | Shreyas Kalyan |
| Resolution: | Duplicate | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Attachments: |
|
||||||||
| Issue Links: |
|
||||||||
| Operating System: | ALL | ||||||||
| Steps To Reproduce: |
|
||||||||
| Sprint: | Security 2020-06-29, Security 2020-07-13 | ||||||||
| Participants: | |||||||||
| Description |
|
C# client libraries running on Windows 2012 R2 with select SChannel algorithms disabled as below seen from IISCrypto:
Connecting with TLS 1.2 with client certificate presented to CentoOS 7 mongod, rpm version: Connection fails with the below log lines when full verbosity enabled: 020-05-22T03:12:54.931+0000 I NETWORK [listener] connection accepted from 10.4.3.137:62577 #85 (5 connections now open) Shared ciphers reported under these conditions are: ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA Having the C# driver connect to 'openssl s_server' with these ciphers gives a successful connection. Connecting to mongod using 'openssl s_client' with these ciphers set results in the same disconnection the C# driver sees. Replacing mongod with a locally compiled binary of 3.6 produces a mongod that does accept connections under these conditions. |
| Comments |
| Comment by Shreyas Kalyan [ 01/Jul/20 ] |
|
MongoDB version 3.6 compiled on Centos 7 does not support Elliptic Curve negotiation. On Centos 7, MongoDB releases only one version of the MongoDB server. However, Centos 7 has a different version of OpenSSL on each minor version. There was a jump from OpenSSL 1.0.1 to OpenSSL 1.0.2 during the minor version releases of Centos 7. OpenSSL 1.0.1 did not fully support Elliptic Curves, whereas OpenSSL 1.0.2 supported it in a larger capacity. On Centos 7, the server is compiled against OpenSSL 1.0.1. To have support for Elliptic on versions 4.2 in Centos 7 with OpenSSL 1.0.1, the server needed to check some flags internally in OpenSSL. This check was not backported to 3.6. Because of this, the version run in the example above is unable to connect to the elliptic curve algorithms. However, when locally compiled on Centos 7, the driver was likely able to connect because the server was compiled against OpenSSL version 1.0.2, which supports elliptic curves without the flag. If the use of elliptic curves is desired, then it is recommended that the server is upgraded to either 4.2 or that the server is locally compiled on the machine. |
| Comment by Carl Champain (Inactive) [ 08/Jun/20 ] |
|
Thank you for the report. Kind regards, |