<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Wed Feb 07 21:45:38 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CSHARP-3560] x509 Auth with intermediate CA</title>
                <link>https://jira.mongodb.org/browse/CSHARP-3560</link>
                <project id="10041" key="CSHARP">C# Driver</project>
                    <description>&lt;p&gt;We have a replica set of 3 nodes. Each node authenticates using x509 certificates. Some clients also authenticate using x509 certificates. Everything works if the certification path is like this:&lt;br/&gt;
root_ca -&amp;gt; certificate&lt;/p&gt;

&lt;p&gt;but if the certification path is&lt;br/&gt;
root_ca -&amp;gt; intermediate_ca -&amp;gt; certificate&lt;/p&gt;

&lt;p&gt;the C# driver cannot connect using x509 auth. The Python driver and the mongo shell can connect using the same certificate just fine. Upon further investigation I assume the C# client only sends a single certificate for validation, so the server cannot build the chain up to the root CA.&#160;&lt;/p&gt;

&lt;p&gt;relevant code part used for testing (note that &lt;tt&gt;CheckCertificateRevocation&lt;/tt&gt; is disabled here to isolate the chain problem; that setting should not be carried over into a production configuration):&lt;/p&gt;
&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;var&#160;certificateCollection&#160;=&#160;&lt;/span&gt;&lt;span style=&quot;color: #006699; font-weight: bold; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;new&lt;/span&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;X509Certificate2Collection();&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;certificateCollection.Import(certificatePath);&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;var&#160;certificateList&#160;=&#160;certificateCollection.Cast&amp;lt;X509Certificate2&amp;gt;().ToList().OrderByDescending(c&#160;=&amp;gt;&#160;c.HasPrivateKey);&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;settings.SslSettings&#160;=&#160;&lt;/span&gt;&lt;span style=&quot;color: #006699; font-weight: bold; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;new&lt;/span&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;SslSettings&#160;{&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;ClientCertificates&#160;=&#160;certificateList,&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;CheckCertificateRevocation&#160;=&#160;&lt;/span&gt;&lt;span style=&quot;color: #006699; font-weight: bold; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;false&lt;/span&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;,&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;&#160;};&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;
&lt;p&gt;&lt;b&gt;certificatePath&lt;/b&gt;: location of the PFX file containing the intermediate CA certificate and the client certificate with its private key&lt;/p&gt;

&lt;p&gt;The list contains two&#160;X509Certificate2 objects. If the first certificate in the list is the intermediate CA, the error on the MongoDB server is:&lt;br/&gt;
 &lt;em&gt;&lt;b&gt;Failed to authenticate CN=xsuser@$external with mechanism MONGODB-X509: AuthenticationFailed: There is no x.509 client certificate matching the user.&lt;/b&gt;&lt;/em&gt;&lt;/p&gt;


&lt;p&gt;But if the first certificate in the list is the client certificate (and the second is the intermediate certificate), MongoDB says:&#160; &lt;br/&gt;
&lt;b&gt;&lt;em&gt;SSL peer certificate validation failed: unable to verify the first certificate&lt;/em&gt;&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Since the mongo shell and the Python client can connect just fine with the same certificate chain, I assume the C# driver has something to do with it. Or maybe I&apos;m&#160;missing something about client&#160;configuration&#160;regarding&#160;x509 auth with an intermediate&#160;CA? There is no documentation specific to intermediate CAs.&lt;/p&gt;</description>
                <environment>RHEL 7, dotnet core 3.1, python 2.7</environment>
        <key id="1675896">CSHARP-3560</key>
            <summary>x509 Auth with intermediate CA</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="tomaxsas@gmail.com">Tomas &#381;aleniakas</reporter>
                        <labels>
                    </labels>
                <created>Fri, 9 Apr 2021 08:45:03 +0000</created>
                <updated>Tue, 20 Apr 2021 13:51:53 +0000</updated>
                            <resolved>Tue, 20 Apr 2021 13:51:53 +0000</resolved>
                                    <version>2.9.3</version>
                    <version>2.11.6</version>
                                                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                <comments>
                            <comment id="3727521" author="esha.bhargava" created="Tue, 20 Apr 2021 13:51:53 +0000"  >&lt;p&gt;Closing this ticket since a workaround has been provided for the original issue. I have filed a separate ticket (&lt;a href=&quot;https://jira.mongodb.org/browse/CSHARP-3588&quot; title=&quot;Document limitation whereby SslStream doesn&amp;#39;t send intermediate certs&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CSHARP-3588&quot;&gt;CSHARP-3588&lt;/a&gt;) to document the limitation and linked it to this issue.&#160;&lt;/p&gt;</comment>
                            <comment id="3715009" author="JIRAUSER1259345" created="Tue, 13 Apr 2021 13:28:13 +0000"  >&lt;p&gt;Setting&#160;&lt;tt&gt;SSL_CERT_FILE&lt;/tt&gt;&#160;to the intermediate CA certificate solved the issue. It would be good to mention this in the docs, since it is a .NET Core limitation.&lt;/p&gt;</comment>
                            <comment id="3710625" author="james.kovacs" created="Fri, 9 Apr 2021 16:50:42 +0000"  >&lt;p&gt;Hi, Tomas,&lt;/p&gt;

&lt;p&gt;Thank you for reaching out about x509 certificate auth not working with the .NET/C# driver when using an intermediate CA.&lt;/p&gt;

&lt;p&gt;Although we haven&apos;t had time to attempt to reproduce the issue yet, we did find some information that might be helpful to you. Based on some quick research, this appears to be a .NET bug/limitation whereby &lt;tt&gt;SslStream&lt;/tt&gt; doesn&apos;t send intermediate certs from a certificate file:&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/dotnet/runtime/issues/26323&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/dotnet/runtime/issues/26323&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One suggested workaround is to point to the certificate bundle using the &lt;tt&gt;SSL_CERT_FILE&lt;/tt&gt; environment variable when launching your app (note that this variable overrides the process&apos;s default trust store, so the bundle should also contain the root CA that the server certificates chain to, otherwise server certificate verification will fail):&lt;/p&gt;

&lt;p&gt;SSL_CERT_FILE=/opt/my-app/etc/ca-bundle.crt ./My.App&lt;/p&gt;

&lt;p&gt;We are investigating a fix that would require using the new &lt;tt&gt;SslStreamCertificateContext.Create(X509Certificate2, X509Certificate2Collection, Boolean)&lt;/tt&gt; to build the cert chain. Unfortunately that method was introduced in .NET 5.0 and would require not only changes to the driver but also upgrading your app to target .NET 5.0.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstreamcertificatecontext.create?view=net-5.0&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstreamcertificatecontext.create?view=net-5.0&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This issue definitely requires further investigation into potential workarounds and fixes as well as reproducing it in our environment so we can be sure of any proposed solutions. We hope that this preliminary information is helpful. Please let us know if you have any additional questions or observations, especially whether the &lt;tt&gt;SSL_CERT_FILE&lt;/tt&gt; environment variable works in your environment.&lt;/p&gt;

&lt;p&gt;Sincerely,&lt;br/&gt;
James&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1683870">CSHARP-3588</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hyp4a7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>