[SERVER-52923] Warn users about certificate chains built from CA PEM file on Apple Created: 18/Nov/20  Updated: 11/Mar/21  Resolved: 10/Feb/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Shreyas Kalyan
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-54461 Complete TODO listed in SERVER-52923 Closed
is related to SERVER-47963 Investigate intermediate CA certifica... Closed
Sprint: Security 2020-12-14, Security 2021-01-11, Security 2021-02-22
Participants:

Description

After testing SERVER-47963, it was discovered that the SSL support for Apple has the same issue. The server cannot build a proper certificate chain to send to the remote side if the necessary intermediate certs are in the CA file instead of the CertPEM file.



Comments
Comment by Githook User [ 11/Mar/21 ]

Author:

{'name': 'Shreyas Kalyan', 'email': 'shreyas.kalyan@10gen.com', 'username': 'shreyaskalyan'}

Message: SERVER-54461 Complete TODO listed in SERVER-52923
Branch: master
https://github.com/mongodb/mongo/commit/b897dc8ee2ea3cc04ed36e847f2dd92dd449261d

Comment by Shreyas Kalyan [ 08/Jan/21 ]

After discussion with sara.golemon and mark.benvenuto, we have decided that the best course of action here is to disallow the configuration described in SERVER-47963 on macOS and instead leave the user with an error message about their certificate configuration. On OpenSSL we will also leave a warning when a user has an invalid configuration (any non-self-signed certificates in the --tlsCAFile file).
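The check the comment above settles on, "any non-self-signed certificate in the --tlsCAFile file", as an added stand-alone illustration; this is not code from the MongoDB server or from anyone on this ticket. It treats a certificate as self-signed when its DER-encoded issuer Name equals its subject Name, which is the same heuristic you get by hand from `openssl x509 -noout -subject -issuer` on each entry of the bundle, and it does no signature verification. The sample bundle is constructed in the block (unsigned certificate shells carrying only the fields the checker reads); `--tlsCertificateKeyFile` is MongoDB's name for what the ticket calls the CertPEM file, and the message wording is this example's own.

```python
import base64
import re

# One PEM block per certificate; whitespace inside the base64 body is ignored.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_bytes):
    """Split a PEM bundle (e.g. the contents of --tlsCAFile) into DER certificates."""
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(pem_bytes)]


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer Name and subject Name of a certificate."""
    tag, start, _ = _tlv(der, 0)           # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, pos, _ = _tlv(der, start)         # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, _, vend = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = vend
    fields = []                            # serialNumber, signature, issuer, validity, subject
    for _ in range(5):
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])        # whole TLV, so comparison is byte-exact
        pos = end
    return fields[2], fields[4]


def _cn(name_tlv):
    """Pull the first commonName (OID 2.5.4.3) out of a DER Name, for reporting only."""
    _, pos, end = _tlv(name_tlv, 0)        # SEQUENCE OF RelativeDistinguishedName
    while pos < end:
        _, rdn_start, rdn_end = _tlv(name_tlv, pos)          # SET
        _, atv_start, _ = _tlv(name_tlv, rdn_start)          # AttributeTypeAndValue
        _, oid_start, oid_end = _tlv(name_tlv, atv_start)    # OBJECT IDENTIFIER
        if name_tlv[oid_start:oid_end] == b"\x55\x04\x03":
            _, v_start, v_end = _tlv(name_tlv, oid_end)
            return name_tlv[v_start:v_end].decode("utf-8", "replace")
        pos = rdn_end
    return "<no CN>"


def check_ca_file(pem_bytes):
    """One (index, common_name, self_signed) tuple per certificate in the bundle."""
    out = []
    for i, der in enumerate(pem_to_der_list(pem_bytes)):
        issuer, subject = issuer_and_subject(der)
        out.append((i, _cn(subject), issuer == subject))
    return out


def ca_file_warnings(pem_bytes):
    """Warnings for every non-self-signed entry: those belong in the server's chain, not the CA file."""
    return [f"certificate {i} ({cn}) in --tlsCAFile is not self-signed; "
            f"append it to the --tlsCertificateKeyFile chain instead"
            for i, cn, self_signed in check_ca_file(pem_bytes) if not self_signed]


# --- constructed sample input (hypothetical, unsigned certificate shells) -------------------

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def _fake_cert(subject_cn, issuer_cn):
    """PEM shell with a real field order but a placeholder key and an empty signature."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                    # version v3
               + _der(0x02, b"\x01")                                              # serialNumber
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
               + _name(subject_cn)
               + _der(0x30, b""))                                                 # SPKI placeholder
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"\n-----END CERTIFICATE-----\n"


# A CA file holding a root plus the intermediate: the misconfiguration this ticket warns about.
SAMPLE_CA_FILE = (_fake_cert("Example Root CA", "Example Root CA")
                  + _fake_cert("Example Intermediate CA", "Example Root CA"))

if __name__ == "__main__":
    for line in ca_file_warnings(SAMPLE_CA_FILE):
        print("warning:", line)
```

The fix the warning points at is to keep only self-signed roots in the CA file and to put the intermediate after the server certificate in the PEM key file, so the server has the chain it needs to send to the peer.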

Generated at Thu Feb 08 05:29:24 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.