[SERVER-59402] Avoid silent failure if Replica Set member's X.509 certificate does not contain `O` / `OU` or `DC` attributes Created: 17/Aug/21 Updated: 06/Dec/22 |
|
| Status: | Blocked |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Alexey Matyushin | Assignee: | Backlog - Security Team |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Server Security |
| Operating System: | ALL |
| Sprint: | Security 2022-05-02 |
| Participants: | |
| Case: | (copied to CRM) |
| Description |
|
Issue,

All Replica Set members report `"stateStr" : "(not reachable/healthy)"` and `"lastHeartbeatMessage" : "x.509 authentication is disabled."` messages in `rs.status()`. For Ops Manager Automation this will mean that it can't continue managing such MongoDB Server deployment (as it can't connect to that MongoDB Server deployment, same as all Replica Set members can't connect to each other).

Troubleshooting / Findings,

However, if member's X.509 certificate is not correct (doesn't have `O` / `OU` or `DC` attributes in it) then such MongoDB Server process will fail silently and will NOT produce any log saying that Replica Set member's X.509 certificate is not correct. MongoDB Server process will also produce misleading `x.509 authentication is disabled` error once Replica Set member will try to connect to it (X.509 authentication is actually enabled, it is just member's X.509 certificate is incorrect).

What we need from this SERVER ticket,
Thanks in advance, |
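Because the server does not log this condition, the certificate subjects can be checked before a member is deployed. The following is an added example, not part of the ticket or of MongoDB's code: it parses subject strings such as those printed by `openssl x509 -noout -subject -nameopt RFC2253` and flags members whose subject has no non-empty `O`, `OU` or `DC` attribute. The member names and subjects are constructed sample data, and `parse_dn` / `member_cert_problems` are hypothetical helper names.

```python
REQUIRED = {"O", "OU", "DC"}  # attribute types named in the ticket


def parse_dn(dn):
    """Parse an RFC 4514 style subject string into (type, value) pairs.

    Backslash-escaped separators are kept as literal value characters.
    Hex-pair escapes (e.g. \\2C) are not decoded; that does not change
    which attribute types are present.
    """
    dn = dn.strip()
    if dn.lower().startswith("subject="):
        dn = dn[len("subject="):].strip()
    pairs, buf, i = [], "", 0

    def flush(chunk):
        if chunk.strip():
            typ, _, val = chunk.partition("=")
            pairs.append((typ.strip().upper(), val.strip()))

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]          # escaped char belongs to the value
            i += 2
            continue
        if ch in ",+":                # RDN or multi-valued RDN separator
            flush(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    flush(buf)
    return pairs


def member_cert_problems(subjects):
    """Return {member: reason} for subjects lacking a non-empty O, OU or DC."""
    problems = {}
    for member, dn in subjects.items():
        present = {t for t, v in parse_dn(dn) if t in REQUIRED and v}
        if not present:
            problems[member] = "subject has no non-empty O, OU or DC attribute"
    return problems


# Constructed sample subjects (not taken from the ticket).
SAMPLE = {
    "rs0-a": "subject=CN=rs0-a.example.net,OU=Database,O=Example Corp,C=US",
    "rs0-b": "subject=CN=rs0-b.example.net,C=US",
    "rs0-c": "subject=CN=O\\=fake\\,OU\\=fake,C=US",  # escaped text inside CN only
    "rs0-d": "CN=rs0-d.example.net+DC=example,DC=net",
}
```

Running `member_cert_problems(SAMPLE)` reports `rs0-b` and `rs0-c`, the two members whose certificates would hit the silent failure described in this ticket.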