<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:34:38 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[GODRIVER-643] Verify server certificates using CAs in system certificate stores</title>
                <link>https://jira.mongodb.org/browse/GODRIVER-643</link>
                <project id="14289" key="GODRIVER">Go Driver</project>
                    <description>&lt;p&gt;&lt;b&gt;Revised&lt;/b&gt;:&lt;br/&gt;
 The tools need to support CAs in system certificate stores. Specifically, the following Evergreen tasks that passed using OpenSSL-based tools need to pass using the Go driver:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://evergreen.mongodb.com/task/mongo_tools_macOS_1012_ssl_native_cert_ssl_f432fe184a63baeb3724f18dcf0b31766af36163_19_03_22_17_32_32&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;native-cert-ssl on Mac&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://evergreen.mongodb.com/task/mongo_tools_windows_64_ssl_native_cert_ssl_f432fe184a63baeb3724f18dcf0b31766af36163_19_03_22_17_32_32&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;native-cert-ssl on Windows&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Go 1.12 (and 1.11.6) claim to have fixed the Mac issue, so when that toolchain is available we can test against it.&lt;/p&gt;

&lt;p&gt;For Windows, it doesn&apos;t look like Go has fixed it upstream, so we need to find an alternate way of getting the system CAs. That could be something like the &lt;a href=&quot;https://github.com/10gen/openssl/blob/master/system_certs.c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;go-openssl wrapper system_certs.c&lt;/a&gt; code, or, perhaps preferably, something using Go&apos;s &lt;a href=&quot;https://golang.org/pkg/syscall/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;syscall&lt;/a&gt; library or &lt;a href=&quot;https://godoc.org/golang.org/x/sys/windows&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;sys/x/windows&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Original&lt;/b&gt;&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The mongodb tools currently have the ability on Windows and Mac to authenticate a server against a CA installed in the system certificate store. This is achieved via the go-openssl wrapper which loads Windows/Mac system CAs into an openssl X509 store. See &lt;a href=&quot;https://github.com/10gen/openssl/blob/master/system_certs.c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;this code&lt;/a&gt; called via &lt;a href=&quot;https://github.com/10gen/openssl/blob/master/system_certs.go&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;this code&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The Go driver needs to implement some equivalent functionality or the tools can&apos;t use the Go driver for TLS support.&lt;/p&gt;

&lt;p&gt;For Mac, there seems to be support already for system CAs, but with some outstanding bugs, e.g. &lt;a href=&quot;https://github.com/golang/go/issues/24652&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;go#24652&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;For Windows, this might be addressed in Go 1.12 &#8211; see &lt;a href=&quot;https://github.com/golang/go/issues/16736&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;go#16736&lt;/a&gt; or we might need to do the equivalent ourselves if the patch doesn&apos;t get merged in time.&lt;/p&gt;

&lt;p&gt;Another option for Windows might be to implement schannels support. I&apos;ve seen a package claiming support, &lt;a href=&quot;https://github.com/alexbrainman/sspi&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;alexbrainman/sspi&lt;/a&gt;, but have no idea how functional/usable it is.&lt;/p&gt;&lt;/blockquote&gt;</description>
                <environment></environment>
        <key id="635960">GODRIVER-643</key>
            <summary>Verify server certificates using CAs in system certificate stores</summary>
                <type id="2" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14711&amp;avatarType=issuetype">New Feature</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13203">Gone away</resolution>
                                        <assignee username="david.golden@mongodb.com">David Golden</assignee>
                                    <reporter username="david.golden@mongodb.com">David Golden</reporter>
                        <labels>
                            <label>devexp-product</label>
                    </labels>
                <created>Mon, 19 Nov 2018 14:39:26 +0000</created>
                <updated>Fri, 27 Oct 2023 20:01:32 +0000</updated>
                            <resolved>Wed, 15 May 2019 20:21:14 +0000</resolved>
                                                                    <component>Connections</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                <comments>
                            <comment id="2247985" author="david.golden" created="Wed, 15 May 2019 20:21:05 +0000"  >&lt;p&gt;Testing with custom macos hosts with CA installed in the System keychain passed tools tests.  Closing this ticket as &quot;gone away&quot;.&lt;/p&gt;</comment>
                            <comment id="2232411" author="david.golden" created="Thu, 2 May 2019 17:01:38 +0000"  >&lt;p&gt;I believe this issue can be resolved if BUILD-8386 gets the tools passing their tests.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;tl;dr&lt;/b&gt;: Go 1.12 provides support, but CA certificates needed to be installed differently on Evergreen to be recognized.&lt;/p&gt;

&lt;p&gt;Windows:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;System CA tests for the MongoDB server note that with SChannel (i.e. Windows native crypto), CAs must be installed in the Root store, not a user store.  When MongoDB tools tests make that same change, tests pass, indicating that the driver is able to validate the server certificate via the installed CA.&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Mac:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Tests using &lt;a href=&quot;https://github.com/FiloSottile/mkcert&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mkcert&lt;/a&gt; based certificates proved that Go 1.12 will validate a server certificate from a CA in the System keychain.&lt;/li&gt;
	&lt;li&gt;Additional tests show that a CA in the user&apos;s login keychain can also work, but only if installed with the &lt;tt&gt;security&lt;/tt&gt; CLI tool without the &quot;&amp;#45;d&quot; flag.  With that flag, while the certificates appear identical in the Keychain Access app, some internal, invisible trust setting prevents it from being available for validating the server cert.&lt;/li&gt;
	&lt;li&gt;Chef recipes for Mac Evergreen images use the &quot;&amp;#45;d&quot; flag for the login keychain; certificates are not installed during tests so rely on the one installed during provisioning.&lt;/li&gt;
	&lt;li&gt;Most internet examples of installing a CA to a keychain use the System keychain (which &lt;b&gt;does&lt;/b&gt; require the &quot;&amp;#45;d&quot; flag) &amp;#8211; just like mkcert &amp;#8211; so our proposed remedy in BUILD-8386 is to install the CA cert into the System keychain.&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="2066497" author="david.golden" created="Mon, 19 Nov 2018 16:39:03 +0000"  >&lt;p&gt;SetDialer is a possibility.  We&apos;d prefer to avoid it as it means we need to keep shipping the openssl DLL with Windows builds.  Part of the goal in switching to the Go driver is to stop needing openssl and to stop having to maintain connection logic outside the driver.&lt;/p&gt;</comment>
                            <comment id="2066400" author="jeff.yemin" created="Mon, 19 Nov 2018 15:59:54 +0000"  >&lt;p&gt;An application can already configure a Connection to use the openssl wrapper via &lt;tt&gt;func (c *ClientOptions) SetDialer(d ContextDialer) *ClientOptions&lt;/tt&gt;.  This is essentially what mongosqld is doing, for example.  Is there a reason that&apos;s not a workable solution?&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                                        </outwardlinks>
                                                                <inwardlinks description="is depended on by">
                                        <issuelink>
            <issuekey id="450201">TOOLS-1833</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="523002">GODRIVER-351</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hu3edj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>