[SERVER-57716] Partial certificate chain in PEM causes validation failure in OCSP Created: 15/Jun/21  Updated: 29/Oct/23  Resolved: 06/Aug/21

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 5.1 Required
Fix Version/s: 5.0.3, 4.4.9, 5.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Sergey Galtsev (Inactive) Assignee: Sergey Galtsev (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
is related to SERVER-35418 Allow specifying CAs for incoming and... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested: v5.0, v4.4
Sprint: Security 2021-07-12, Security 2021-07-26, Security 2021-08-09

Description

The tls section of the server configuration may contain the CAFile and certificateKeyFile parameters. When both CAFile and certificateKeyFile contain only partial certificate chains, the X509_verify_cert call in OCSPFetcher::fetchAndStaple fails with error 20, "unable to get local issuer certificate".
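The failure described above, reproduced as an added example (not code from this ticket or from the mongo repository) with the openssl CLI, whose verify command drives the same X509_verify_cert routine: a throwaway three-tier PKI is constructed, the leaf is first checked against a trust store that holds only the root (error 20, the symptom in the description), then against a CA file that carries the whole issuing chain, and finally with the intermediate passed as an untrusted chain certificate. The PKI, the names (Demo Root CA, mongod.example.test) and the helper functions are all invented for the demo; the only assumption is an openssl binary (1.1.1 or 3.x) on PATH.

```shell
#!/bin/sh
# Added example, not code from the MongoDB ticket or the mongo repository.
# Reproduces the description's failure mode with the openssl CLI (which
# drives the same X509_verify_cert routine): a trust store holding only the
# root, and a leaf presented without its intermediate, yields verify error 20.
# Assumes an openssl binary (1.1.1 or 3.x) on PATH. All keys, certificates
# and names below are throwaway values constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req/x509 config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
EOF

gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }

# Constructed three-tier PKI: root -> intermediate -> leaf.
gen_key "$WORK/root.key"
openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/req.cnf" \
    -subj "/CN=Demo Root CA" -days 1 -extensions ca_ext \
    -out "$WORK/root.pem" 2>/dev/null

gen_key "$WORK/int.key"
openssl req -new -key "$WORK/int.key" -config "$WORK/req.cnf" \
    -subj "/CN=Demo Intermediate CA" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions ca_ext \
    -out "$WORK/int.pem" 2>/dev/null

gen_key "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -config "$WORK/req.cnf" \
    -subj "/CN=mongod.example.test" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 1 -extfile "$WORK/req.cnf" -extensions leaf_ext \
    -out "$WORK/leaf.pem" 2>/dev/null

# A CA file carrying the complete issuing chain (intermediate + root).
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"

# Run `openssl verify` and print the first X509 verify error code, or 0 on success.
verify_code() {
    out=$(openssl verify "$@" 2>&1) && { echo 0; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Same, but print the human-readable reason (X509_verify_cert_error_string text).
verify_reason() {
    out=$(openssl verify "$@" 2>&1) && { echo ok; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' | head -n 1
}

# The ticket's failure mode: trusted CAs = root only, leaf has no intermediate -> 20.
partial_chain_code()   { verify_code   -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }
partial_chain_reason() { verify_reason -CAfile "$WORK/root.pem" "$WORK/leaf.pem"; }
# Verify against a CA file that holds the whole chain -> 0.
full_chain_code()      { verify_code   -CAfile "$WORK/chain.pem" "$WORK/leaf.pem"; }
# Keep the trust store at the root and pass the intermediate as an untrusted chain cert -> 0.
untrusted_chain_code() { verify_code   -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"; }

echo "partial chain:  error $(partial_chain_code) ($(partial_chain_reason))"
echo "full CA file:   error $(full_chain_code)"
echo "root+untrusted: error $(untrusted_chain_code)"
```

Run it as a plain POSIX sh script. The first case is the one OCSPFetcher::fetchAndStaple hits when the CA material it is given stops short of the leaf's issuer; the other two show that chain building succeeds as soon as the intermediate is reachable, either from the CA file itself or as an untrusted chain certificate. When diagnosing this error in a deployment, check that the CA file used for OCSP contains every intermediate between the server certificate and the trust anchor.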



Comments
Comment by Githook User [ 16/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57716: use common CA file for OCSP where clusterCA is present
Branch: v4.4
https://github.com/mongodb/mongo/commit/085d811dbee92b9b7f71205d3aa1b2ad0bd334c4

Comment by Githook User [ 16/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57716: use common CA file for OCSP where clusterCA is present
Branch: v5.0
https://github.com/mongodb/mongo/commit/b559cb1d481b020909461c268d88ab03ee73add6

Comment by Sergey Galtsev (Inactive) [ 06/Aug/21 ]

When clusterCAFile is specified, it no longer takes over CAFile for the purposes of OCSP.

Comment by Githook User [ 06/Aug/21 ]

Author:

{'name': 'sergey.galtsev', 'email': 'sergey.galtsev@mongodb.com', 'username': 'brushless-glitch'}

Message: SERVER-57716: use common CA file for OCSP where clusterCA is present
Branch: master
https://github.com/mongodb/mongo/commit/9410ef02091cd02c09871080c18eded7e884364b

Comment by Sergey Galtsev (Inactive) [ 28/Jul/21 ]

https://mongodbcr.appspot.com/810540001/

Comment by Sergey Galtsev (Inactive) [ 19/Jul/21 ]

https://mongodbcr.appspot.com/810540001/

Comment by Sergey Galtsev (Inactive) [ 13/Jul/21 ]

Notes from zoom meeting with spencer.jackson:

  • focus on fixing only OCSP at this time using minimally invasive change
  • we will need to plan for a long-term redesign of SSL code with regards to clustering, authorization, and separation of X509 usage in context of serverless

Generated at Thu Feb 08 05:42:36 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.