[SERVER-65717] Lots of warnings when using X509 replset member authentication
Created: 18/Apr/22 | Updated: 27/Oct/23 | Resolved: 24/Jun/22

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Logging, Replication, Security |
| Affects Version/s: | 5.0.7 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Minor - P4 |
| Reporter: | Heikki P |
| Assignee: | Sergey Galtsev (Inactive) |
| Resolution: | Works as Designed |
| Votes: | 0 |
| Labels: | SSL, logging, replication, ssl, ssl-certificate, x509 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | 5 servers, all Ubuntu 20.04 minimal, 2 vCPU, 2 GB RAM, 40 GB SSD disks, nothing running except MongoDB |
| Attachments: | |
| Operating System: | ALL |
| Steps To Reproduce: | Install MongoDB 5.0.7; create self-signed certificates; init replica set; restart servers |
| Sprint: | Security 2022-06-13, Security 2022-06-27 |
| Participants: | |

Description

Comments
Comment by Oleg Rekutin [ 13/Sep/23 ]

ilari@tahtoo.fi "Attempt to switch database target during SASL Authentication" has been fixed in
Comment by Sergey Galtsev (Inactive) [ 23/Jun/22 ]

ilari@tahtoo.fi please indicate whether you are interested in further investigation, otherwise I shall be closing the ticket shortly.
Comment by Sergey Galtsev (Inactive) [ 09/Jun/22 ]

Hi ilari@tahtoo.fi. Can you please describe in detail how you are launching the cluster? Some apps used in testing, namely mtools, actually attempt to connect to the cluster, which gets logged. You will not see it in 5.x, but in 6.0 you can see client metadata in the log file (id: 51800), and if it isn't mongod or mongos, chances are that something else is connecting. The log entry might look as such (irrelevant information removed):

Please retest using a 6.0 executable and let us know what the logs show. If you don't mind, please do attach full logs to the ticket, not just screenshots, as we need to be able to analyze them.
Comment by Chris Kelly [ 24/May/22 ]

Hello Heikki, Thanks for your patience on this. After further investigation, this issue looks like it exists in at least 4.2.19, 4.4.8, and 5.0.7 after testing. It sounds like this is not intended, so I'll forward this to the Security team to take a look at this logging behavior. I was also able to replicate this without any clients involved. Thanks for your report, and the additional information on this!
Comment by Heikki P [ 12/May/22 ]

Thank you for the reply. We are not using MONGODB-X509 authentication for users, only the SCRAM (username/password) authentication mechanism, except for the replica set members, which (to my understanding) are using MONGODB-X509 for authentication when `clusterAuthMode: x509` is set, like we have. Also, we actually did use different values for OU in our client and server certificates (but the same O), and we didn't specify DC at all. I attempted to reduce the problem to its most minimal form:

Here are the certificates' subject fields:

Unless I'm understanding things backwards, this should fulfil the requirements?

To match, the certificate must match all specifications of these attributes, even the non-specification of these attributes. The order of the attributes does not matter. In the following example, the two DNs contain matching specifications for O, OU as well as the non-specification of the DC attribute.

Also, this specified requirement is fulfilled: Only cluster member x509 certificates should use the same O, OU, and DC attribute combinations. Even with this setup, when the replica set starts, the logs get these warnings:
Comment by Chris Kelly [ 11/May/22 ]

Hi Heikki, After looking into your issue, it appears this is likely working as intended. Specifically, the documentation provides guidance on using x509 certificates with MongoDB. If a client x.509 certificate's subject matches the O, OU, and DC attributes of the Member x.509 Certificate (or tlsX509ClusterAuthDNOverride, if set) exactly, the client connection is accepted, full permissions are granted, and a warning message appears in the log. Only cluster member x509 certificates should use the same O, OU, and DC attribute combinations. The following warnings are attributable to this issue:

This warning message can show up when all of the following are true:

Because this sounds like what you have set up currently, it is likely this is the issue and you may want to consider changing the O/OU-DC between the certificateKeyFile and the server's certificate. I'm going to close this one for now, but if you have further questions, feel free to check out our MongoDB Developer Community Forums for more help. If the discussion there leads you to suspect a bug in the MongoDB server, then we'd want to investigate it as a possible bug here in the SERVER project. Regards,
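The member/client DN matching rule quoted in Heikki's comment and restated in Chris Kelly's reply above, as an added example that is not part of the ticket and not MongoDB's own code: a small Python check that applies the documented rule (compare only the O, OU and DC attributes, ignore attribute order, and treat "not specified" as something that must also agree on both sides) to subject DN strings, and flags client certificates whose subject would make the server treat them as a cluster member. The DN strings, the parser and the function names are constructed for this example; real subjects would come from something like `openssl x509 -noout -subject -nameopt RFC2253` on each certificate, and exact server behaviour (for instance value case sensitivity, which is treated as exact here by assumption) should be confirmed against the MongoDB version in use.

```python
"""Flag client certificate subjects that collide with a cluster member
subject on the O/OU/DC attributes, per the matching rule quoted in
SERVER-65717. Example code, not MongoDB's implementation."""
from collections import Counter

# Only these attribute types take part in the member-identity comparison.
CLUSTER_MATCH_ATTRS = ("O", "OU", "DC")


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse an RFC 4514-style DN string into (attribute, value) pairs.

    Handles backslash-escaped separators inside values and '+' multi-valued
    RDNs. Attribute types are upper-cased so 'ou=' and 'OU=' compare equal;
    values are kept as-is (assumption: the server compares them exactly).
    """
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch in ",+":  # unescaped separator ends the current component
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    pairs: list[tuple[str, str]] = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed DN component: {part!r}")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def cluster_identity(dn: str) -> Counter:
    """The part of a subject the member check looks at: the multiset of
    (type, value) pairs for O, OU and DC. An attribute that is absent simply
    contributes nothing, so 'not specified' on both sides still matches and
    'specified on one side only' does not."""
    return Counter((a, v) for a, v in parse_dn(dn) if a in CLUSTER_MATCH_ATTRS)


def would_be_treated_as_member(client_dn: str, member_dn: str) -> bool:
    """True if a client presenting client_dn would match the member identity
    derived from member_dn (and therefore get full permissions plus the
    warning described in the ticket)."""
    return cluster_identity(client_dn) == cluster_identity(member_dn)


def audit(member_dn: str, client_dns: list[str]) -> list[tuple[str, bool]]:
    """Return (client_dn, collides) for every client subject."""
    return [(dn, would_be_treated_as_member(dn, member_dn)) for dn in client_dns]


# Constructed sample subjects (not from the ticket).
MEMBER_DN = "CN=mongo1.example.internal,OU=Cluster,O=Example Corp"
SAMPLE_CLIENT_DNS = [
    "CN=app-user,OU=Cluster,O=Example Corp",             # same O/OU: collides
    "CN=app-user,OU=Clients,O=Example Corp",             # different OU: fine
    "CN=app-user,OU=Cluster,O=Example Corp,DC=example",  # DC on one side only: fine
    "O=Example Corp,OU=Cluster,CN=app-user",             # order differs: still collides
    "CN=Doe\\, Jane,OU=Cluster,O=Example Corp",          # escaped comma in CN: collides
]


if __name__ == "__main__":
    for dn, collides in audit(MEMBER_DN, SAMPLE_CLIENT_DNS):
        verdict = "WOULD BE TREATED AS CLUSTER MEMBER" if collides else "ok"
        print(f"{verdict:36} {dn}")
```

Running the block prints a verdict per client subject; the two that differ only in CN (and the one with a different attribute order, and the one with an escaped comma) collide with the member identity, while a different OU or a DC present on only one side does not. That is the separation Chris Kelly's reply asks for: client certificates must differ from the member certificates in at least one of O, OU or DC, not merely in CN.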