<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:39:05 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[GODRIVER-2650] Fix incorrect X509 certificate being used as username for authentication</title>
                <link>https://jira.mongodb.org/browse/GODRIVER-2650</link>
                <project id="14289" key="GODRIVER">Go Driver</project>
                    <description>&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2263&quot; title=&quot;Not loading all certs in a PEM file&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2263&quot;&gt;&lt;del&gt;GODRIVER-2263&lt;/del&gt;&lt;/a&gt; changes the driver&apos;s certificate parsing behavior to only parse the first certificate rather than the last certificate, despite the ticket title suggesting that all certificates are being loaded.&lt;/p&gt;

&lt;p&gt;In that ticket, while all certificates are &lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/blob/8bcd4675d0e9b329df1b0899d431c54ef19ac265/mongo/options/clientoptions.go#L1118&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;concatenated with newlines by the driver and passed to tls.X509KeyPair()&lt;/a&gt;, &lt;em&gt;and&lt;/em&gt; while &lt;a href=&quot;https://github.com/golang/go/blob/d02fceb95e185478ba04bad3a2f9bd8f1d427e1e/src/crypto/tls/tls.go#L252&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;tls.X509KeyPair() iterates over all certificates and un-concatenates them using pem.Decode()&lt;/a&gt;, the tls.X509KeyPair() function always &lt;a href=&quot;https://github.com/golang/go/blob/d02fceb95e185478ba04bad3a2f9bd8f1d427e1e/src/crypto/tls/tls.go#L294&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;statically takes the first certificate&lt;/a&gt; anyway. So providing all certificates to tls.X509KeyPair(), rather than the first or last one, doesn&apos;t do much.&lt;/p&gt;

&lt;p&gt;Ultimately, this changes the behavior of the Go driver from using the last certificate to now using the first certificate. Still, this is not an issue in itself since it aligns with OpenSSL and other libraries&apos; behaviors, which also use the first certificate if multiple are provided. On the whole, the only concern with &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2263&quot; title=&quot;Not loading all certs in a PEM file&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2263&quot;&gt;&lt;del&gt;GODRIVER-2263&lt;/del&gt;&lt;/a&gt; is that the ticket&apos;s title is a bit misleading.&lt;/p&gt;

&lt;p&gt;But there is a separate problem w.r.t. which certificate is used as the username for X509 auth. When the Go driver loops over the certificates, the &lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/blob/8bcd4675d0e9b329df1b0899d431c54ef19ac265/mongo/options/clientoptions.go#L1070&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;certDecodedBlock variable takes on the last value (the last certificate)&lt;/a&gt;. This certificate&apos;s Subject is returned as a string at the end of that function, and this later has an erroneous value &lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/blob/8bcd4675d0e9b329df1b0899d431c54ef19ac265/mongo/options/clientoptions.go#L423&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;when setting the connection string&apos;s username&lt;/a&gt; if there is more than one certificate per PEM file, since it doesn&apos;t correspond to the behavior changed by &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2263&quot; title=&quot;Not loading all certs in a PEM file&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2263&quot;&gt;&lt;del&gt;GODRIVER-2263&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So for this ticket, the work is simple. This can be fixed by changing this line:&lt;/p&gt;
&lt;pre&gt;certDecodedBlock = currentBlock.Bytes&lt;/pre&gt;
&lt;p&gt;to this:&lt;/p&gt;
&lt;pre&gt;if certDecodedBlock == nil {
    certDecodedBlock = currentBlock.Bytes
}&lt;/pre&gt;
&lt;p&gt;This will make certDecodedBlock take on the value of the first certificate, aligning it with the behavior introduced in &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2263&quot; title=&quot;Not loading all certs in a PEM file&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2263&quot;&gt;&lt;del&gt;GODRIVER-2263&lt;/del&gt;&lt;/a&gt;.&lt;/p&gt;</description>
                <environment></environment>
        <key id="2179696">GODRIVER-2650</key>
            <summary>Fix incorrect X509 certificate being used as username for authentication</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="qingyang.hu@mongodb.com">Qingyang Hu</assignee>
                                    <reporter username="evgeni.dobranov@mongodb.com">Evgeni Dobranov</reporter>
                        <labels>
                    </labels>
                <created>Wed, 9 Nov 2022 20:16:24 +0000</created>
                <updated>Sat, 28 Oct 2023 11:37:26 +0000</updated>
                            <resolved>Fri, 16 Dec 2022 22:34:39 +0000</resolved>
                                                    <fixVersion>1.12.0</fixVersion>
                    <fixVersion>1.12.0-alpha1</fixVersion>
                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                <comments>
                            <comment id="5061597" author="xgen-internal-githook" created="Fri, 16 Dec 2022 22:33:54 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Qingyang Hu&apos;, &apos;email&apos;: &apos;103950869+qingyang-hu@users.noreply.github.com&apos;, &apos;username&apos;: &apos;qingyang-hu&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/GODRIVER-2650&quot; title=&quot;Fix incorrect X509 certificate being used as username for authentication&quot; class=&quot;issue-link&quot; data-issue-key=&quot;GODRIVER-2650&quot;&gt;&lt;del&gt;GODRIVER-2650&lt;/del&gt;&lt;/a&gt; Fix incorrect X509 certificate being used as username for authentication. (#1148)&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-go-driver/commit/4edf9f469a00765b6e06199c3ecaff7e65bcbbac&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-go-driver/commit/4edf9f469a00765b6e06199c3ecaff7e65bcbbac&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="4968351" author="evgeni.dobranov" created="Wed, 9 Nov 2022 20:19:30 +0000"  >&lt;p&gt;CC &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=tim.fogarty%40mongodb.com&quot; class=&quot;user-hover&quot; rel=&quot;tim.fogarty@mongodb.com&quot;&gt;tim.fogarty@mongodb.com&lt;/a&gt; for awareness / for helping with investigating this (we have a similar situation in the DB Tools)&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="1364027">TOOLS-2598</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="1958835">GODRIVER-2263</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr6jqv:s079</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>