<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 04:51:23 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-39217] TLS intermediate CA certificate not working with macOS and 4.0.5</title>
                <link>https://jira.mongodb.org/browse/SERVER-39217</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;The combination of the following conditions causes the mongo shell to fail to connect over TLS:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Server&apos;s PEMKeyFile includes the server key and cert, and also the intermediate CA cert that signed the server cert&lt;/li&gt;
	&lt;li&gt;mongo shell CAFile is the root CA cert that signed the intermediate cert&lt;/li&gt;
	&lt;li&gt;Running MongoDB 4.0.5 (does not fail on 3.6)&lt;/li&gt;
	&lt;li&gt;Running on macOS (does not fail on Linux)&lt;/li&gt;
&lt;/ul&gt;
</description>
                <environment></environment>
        <key id="678655">SERVER-39217</key>
            <summary>TLS intermediate CA certificate not working with macOS and 4.0.5</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="sara.golemon@mongodb.com">Sara Golemon</assignee>
                                    <reporter username="spencer.brown@mongodb.com">Spencer Brown</reporter>
                        <labels>
                    </labels>
                <created>Sun, 27 Jan 2019 14:46:14 +0000</created>
                <updated>Sun, 29 Oct 2023 22:24:44 +0000</updated>
                            <resolved>Fri, 1 Mar 2019 16:07:15 +0000</resolved>
                                    <version>4.0.5</version>
                                    <fixVersion>4.0.8</fixVersion>
                    <fixVersion>4.1.9</fixVersion>
                                    <component>Security</component>
                                        <votes>1</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="2188866" author="xgen-internal-githook" created="Fri, 22 Mar 2019 17:18:26 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;, &apos;name&apos;: &apos;Sara Golemon&apos;, &apos;username&apos;: &apos;sgolemon&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-39217&quot; title=&quot;TLS intermediate CA certificate not working with macOS and 4.0.5&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-39217&quot;&gt;&lt;del&gt;SERVER-39217&lt;/del&gt;&lt;/a&gt; SecureTransport with Intermediate CA&lt;/p&gt;

&lt;p&gt;(cherry picked from commit 987e5fc980b2288371ebd2c133b58466cc646d60)&lt;br/&gt;
Branch: v4.0&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/0eecc58363a2173d9a2bc91e9e7dc8665e12bfac&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/0eecc58363a2173d9a2bc91e9e7dc8665e12bfac&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="2167515" author="xgen-internal-githook" created="Fri, 1 Mar 2019 16:06:40 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Sara Golemon&apos;, &apos;username&apos;: &apos;sgolemon&apos;, &apos;email&apos;: &apos;sara.golemon@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-39217&quot; title=&quot;TLS intermediate CA certificate not working with macOS and 4.0.5&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-39217&quot;&gt;&lt;del&gt;SERVER-39217&lt;/del&gt;&lt;/a&gt; SecureTransport with Intermediate CA&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/987e5fc980b2288371ebd2c133b58466cc646d60&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/987e5fc980b2288371ebd2c133b58466cc646d60&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="2142538" author="spencer.brown" created="Fri, 8 Feb 2019 16:10:05 +0000"  >&lt;p&gt;I see from the code review that there&apos;s a discussion about requiring intermediate CA certificates to be placed in the CAFile (or clusterCAFile I guess), and banning them from the PEMKeyFile, at least for non-OpenSSL environments.&lt;/p&gt;

&lt;p&gt;I would be fine with that. I would point out that a fix is still needed for macOS, because I still get a failure on 4.0.5 when the intermediate CA certificate is in the CAFile. But you probably knew that.&lt;/p&gt;

&lt;p&gt;Banning intermediate CA certs from the PEMKeyFile would not even be a regression on macOS (and I guess Windows), because that configuration has not worked at all since 4.0. We just need to be sure to document it.&lt;/p&gt;

&lt;p&gt;Making &lt;/p&gt;</comment>
                            <comment id="2141296" author="sara.golemon" created="Thu, 7 Feb 2019 17:31:54 +0000"  >&lt;p&gt;Quick update: I&apos;ve identified the cause and should be able to work out a fix.  In the meantime, if you convert your server key bundle from a .pem file to PKCS#12, the current release version should &quot;just work&quot;.  I&apos;ll update once I have a proper fix.&lt;/p&gt;</comment>
                            <comment id="2134747" author="spencer.brown" created="Fri, 1 Feb 2019 15:03:05 +0000"  >&lt;p&gt;Tried moving the intermediate CA certificate into the server&apos;s CAFile along with the root CA certificate. So the server&apos;s configured CAFile has the intermediate and root CA certificates and the PEMKeyFile has the server key and certificate. On macOS:&lt;/p&gt;

&lt;p/&gt;
&lt;div id=&quot;syntaxplugin&quot; class=&quot;syntaxplugin&quot; style=&quot;border: 1px dashed #bbb; border-radius: 5px !important; overflow: auto; max-height: 30em;&quot;&gt;
&lt;table cellspacing=&quot;0&quot; cellpadding=&quot;0&quot; border=&quot;0&quot; width=&quot;100%&quot; style=&quot;font-size: 1em; line-height: 1.4em !important; font-weight: normal; font-style: normal; color: black;&quot;&gt;
		&lt;tbody &gt;
				&lt;tr id=&quot;syntaxplugin_code_and_gutter&quot;&gt;
						&lt;td  style=&quot; line-height: 1.4em !important; padding: 0em; vertical-align: top;&quot;&gt;
					&lt;pre style=&quot;font-size: 1em; margin: 0 10px;  margin-top: 10px;   margin-bottom: 10px;  width: auto; padding: 0;&quot;&gt;&lt;span style=&quot;color: black; font-family: &apos;Consolas&apos;, &apos;Bitstream Vera Sans Mono&apos;, &apos;Courier New&apos;, Courier, monospace !important;&quot;&gt;2019-02-01T08:56:54.900-0600 E NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected&lt;/span&gt;&lt;/pre&gt;
			&lt;/td&gt;
		&lt;/tr&gt;
			&lt;/tbody&gt;
&lt;/table&gt;
&lt;/div&gt;
&lt;p/&gt;

&lt;p&gt;and &lt;tt&gt;openssl s_client -connect HOST:PORT -showcerts&lt;/tt&gt; shows that the server is sending only the server certificate.&lt;/p&gt;

&lt;p&gt;but the same setup works on Linux with 4.0.5, and on macOS with 3.6.10, and &lt;tt&gt;openssl s_client -showcerts&lt;/tt&gt; shows that the server is sending all three certificates in those cases.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                            <outwardlinks description="backported by">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="207305" name="repro.tar.gz" size="9438" author="spencer.brown@mongodb.com" created="Sun, 27 Jan 2019 14:45:03 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_12450" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Backport Requested</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15640"><![CDATA[v4.0]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10011"><![CDATA[Minor Change]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 7 Feb 2019 17:31:54 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        4 years, 46 weeks, 5 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            4 years, 46 weeks, 5 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10021"><![CDATA[OS X]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
            <customfieldvalue>spencer.brown@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hukcvb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hua9gf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="2798">Security 2019-02-11</customfieldvalue>
    <customfieldvalue id="2799">Security 2019-02-25</customfieldvalue>
    <customfieldvalue id="2800">Security 2019-03-11</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;See attached file repro.tar.gz and read the README.markdown file for full repro details and results&lt;/p&gt;

&lt;p&gt;Note: the file contains some private keys, but they were generated solely for this repro.&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hujz4n:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>