<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:38:11 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[GODRIVER-2263] Not loading all certs in a PEM file</title>
                <link>https://jira.mongodb.org/browse/GODRIVER-2263</link>
                <project id="14289" key="GODRIVER">Go Driver</project>
                    <description>&lt;h4&gt;&lt;a name=&quot;Summary&quot;&gt;&lt;/a&gt;Summary&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;When using the &lt;tt&gt;tlsCertificateKeyFile&lt;/tt&gt; or &lt;tt&gt;sslClientCertificateKeyFile&lt;/tt&gt; option, &lt;tt&gt;ClientOptions.ApplyURI()&lt;/tt&gt; only loads the final certificate in the provided PEM file. This is incorrect when the PEM contains a chain (leaf certificate followed by intermediate CA certificates) that must be presented during the TLS handshake: the private key is paired with whichever certificate comes last rather than with the leaf, and the remaining certificates are dropped.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;HowtoReproduce&quot;&gt;&lt;/a&gt;How to Reproduce&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Create a PEM file containing the private key and multiple certificates (leaf certificate first, then intermediates) and load it with either the&lt;/em&gt; &lt;em&gt;&lt;tt&gt;tlsCertificateKeyFile&lt;/tt&gt; or &lt;tt&gt;sslClientCertificateKeyFile&lt;/tt&gt;&lt;/em&gt; &lt;em&gt;option. Only the final certificate is loaded into the TLS config&apos;s certificate list, and client creation then fails with &quot;private key does not match public key&quot;.&lt;/em&gt;&lt;/p&gt;
&lt;h4&gt;&lt;a name=&quot;AdditionalBackground&quot;&gt;&lt;/a&gt;Additional Background&lt;/h4&gt;

&lt;p&gt;&lt;em&gt;Code change that resolves this bug can be found here &lt;a href=&quot;https://github.com/mailgun/mongo-go-driver/pull/1/commits/71f1654d022eaa0234345143edd0ee157ecb2077&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mailgun/mongo-go-driver/pull/1/commits/71f1654d022eaa0234345143edd0ee157ecb2077&lt;/a&gt; If this bug is approved will submit a PR against the main repo.&lt;/em&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="1958835">GODRIVER-2263</key>
            <summary>Not loading all certs in a PEM file</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="10300" iconUrl="https://jira.mongodb.org/images/icons/priorities/medium.svg">Unknown</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="kevin.albertson@mongodb.com">Kevin Albertson</assignee>
                                    <reporter username="thrawn01@gmail.com">Derrick Wippler</reporter>
                        <labels>
                    </labels>
                <created>Wed, 5 Jan 2022 15:26:13 +0000</created>
                <updated>Sat, 28 Oct 2023 11:37:39 +0000</updated>
                            <resolved>Mon, 24 Jan 2022 20:27:14 +0000</resolved>
                                                    <fixVersion>1.8.3</fixVersion>
                                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="4310427" author="xgen-internal-githook" created="Mon, 24 Jan 2022 20:25:44 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Derrick J. Wippler&apos;, &apos;email&apos;: &apos;thrawn01@gmail.com&apos;, &apos;username&apos;: &apos;thrawn01&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2263&quot; title=&quot;Not loading all certs in a PEM file&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2263&quot;&gt;&lt;del&gt;GODRIVER-2263&lt;/del&gt;&lt;/a&gt; Load all certs in a PEM (#834)&lt;br/&gt;
Branch: release/1.8&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/commit/67dcab6e1490381e94b1e87c6442afeeafb76186&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/commit/67dcab6e1490381e94b1e87c6442afeeafb76186&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4310418" author="xgen-internal-githook" created="Mon, 24 Jan 2022 20:23:05 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Derrick J. Wippler&apos;, &apos;email&apos;: &apos;thrawn01@gmail.com&apos;, &apos;username&apos;: &apos;thrawn01&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2263&quot; title=&quot;Not loading all certs in a PEM file&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2263&quot;&gt;&lt;del&gt;GODRIVER-2263&lt;/del&gt;&lt;/a&gt; Load all certs in a PEM (#834)&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/commit/ae48c67470353306985af3466d20d1241d972296&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/commit/ae48c67470353306985af3466d20d1241d972296&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4283395" author="JIRAUSER1269684" created="Mon, 10 Jan 2022 16:29:53 +0000"  >&lt;p&gt;PR Created here &lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/pull/834&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/pull/834&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4279843" author="kevin.albertson" created="Fri, 7 Jan 2022 01:54:51 +0000"  >&lt;p&gt;Thank you for the report &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=thrawn01%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;thrawn01@gmail.com&quot;&gt;thrawn01@gmail.com&lt;/a&gt;! I was able to reproduce the &quot;private key does not match public key&quot; with testing certificates and private keys &lt;a href=&quot;https://github.com/kevinAlbs/go-bootstrap/tree/master/investigations/godriver2263&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;. Applying the linked commit resolved the error.&lt;/p&gt;

&lt;p&gt;To compare with another driver, the C driver uses &lt;a href=&quot;https://github.com/mongodb/mongo-c-driver/blob/1.20.0/src/libmongoc/src/mongoc/mongoc-openssl.c#L474&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;SSL_CTX_use_certificate_chain_file&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;SSL_CTX_use_certificate_chain_file() loads a certificate chain from file into ctx. The certificates must be in PEM format and must be sorted starting with the subject&apos;s certificate (actual client or server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;If you are able to submit a PR, it would be much appreciated!&lt;/p&gt;
</comment>
                            <comment id="4276347" author="JIRAUSER1264236" created="Wed, 5 Jan 2022 15:44:23 +0000"  >&lt;p&gt;In the scenario where a client certificate is necessary to connect to Mongo, the pem may contain: a private key, a client cert, and one or more intermediate CA certs.&lt;/p&gt;

&lt;p&gt;Go&apos;s &lt;tt&gt;crypto/tls&lt;/tt&gt; expects a PEM file to contain the &lt;a href=&quot;https://pkg.go.dev/crypto/tls#LoadX509KeyPair&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;leaf (client) certificate first&lt;/a&gt;, followed by the intermediate certificates.&lt;/p&gt;

&lt;p&gt;This logic conflicts with Mongo&apos;s &lt;tt&gt;ClientOptions.ApplyURI()&lt;/tt&gt; parsing only the last certificate in the pem. Then, &lt;tt&gt;mongo.NewClient()&lt;/tt&gt; fails validating options with &quot;private key does not match public key&quot; because it paired the pem private key with an intermediate CA cert instead of the client cert.&lt;/p&gt;

&lt;p&gt;This fix is necessary to resolve this conflict.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                                                <inwardlinks description="backports">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="2179696">GODRIVER-2650</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1968806">DRIVERS-2038</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                            <customfield id="customfield_21350" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Cloud Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="22240"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hzz5rj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>