  1. MongoDB Shell
  2. MONGOSH-1133

Support non-standard root ca for SSL

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 1.2.1
    • Affects Version/s: None
    • Component/s: Connectivity, Tech debt
    • None
    • 5
    • Iteration Versailles
    • Needed

      Mongosh now supports a --tlsUseSystemCA option. This will load additional certificates from the system CA store, removing the need to specify a file with --tlsCAFile if the certificate is known to the OS. There is no corresponding connection string option.

      notes

      https://www.npmjs.com/package/ssl-root-cas

      node-windows-root-certs

      https://www.npmjs.com/package/node-windows-root-certs

      Enables use of Windows root certificates in nodejs directly, without environment settings or certificate files.

      Tested on node 12.10.0

      Uses for this module:
      In a corporate environment
      If they have a WAF (Web Application Firewall - a man in the middle), the root certificate for the WAF is often installed as a certificate in Windows. NodeJS has no access to this certificate, and so nodeJS based applications will fail without special measures.

      You need to https or tls to a server with a self signed certificate
      Enables the root certificate for your server to be added, either by adding in Windows, or manually.

      I tried but failed to get this to work in test.js with badssl.com

      For 'Older' versions of NodeJS
      If the certificates inside NodeJS expire, the application will stop working....

      What it does
      This module provides two features:

      1. reading of the Windows root certificates
      A function is provided to read the Windows Root certificates returning an array similar to node's own rootcertificates array.

      2. patching tls
      A function is provided which will patch the tls module such that all HTTPS or other tls based secure communication will use the provided certificates - either a complete certificate list or a list additional to the internal nodeJS list.

      Note: if tls is patched AFTER a successful connection to a site, then it's likely that the new/modified certificates will not be used for a subsequent connection, as the connection itself may be cached.

      win-ca

      https://www.npmjs.com/package/win-ca

      Node uses a statically compiled, manually updated, hardcoded list of certificate authorities, rather than relying on the system's trust store... Read more

      It's somewhat non-intuitive under any OS, but Windows differs from most of them by having its own trust store, fully incompatible with OpenSSL (https://github.com/ukoloff/openssl-win-root).

      This package is intended to fetch Root CAs from Windows' store (Trusted Root Certification Authorities) and make them available to Node.js application with minimal efforts.
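
The two trust modes described in the notes above (a complete replacement list versus a list additional to Node's bundled roots), as an added example that is not code from mongosh or from the packages quoted here. The function names are hypothetical, and two of Node's own bundled roots stand in for a corporate CA bundle.

```javascript
'use strict';
const tls = require('node:tls');
const { X509Certificate } = require('node:crypto');

// Split a PEM bundle (for example the contents of a CA file) into single certificates.
function splitPemBundle(bundle) {
  return bundle.match(/-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/g) || [];
}

// Build the list handed to the `ca` option of tls/https.
//   'replace': only the extra certificates are trusted
//   'append' : extra certificates are trusted in addition to Node's bundled roots
// Passing `ca` always replaces Node's default list, so 'append' has to
// concatenate tls.rootCertificates explicitly.
function buildCaList(extraPems, mode = 'append') {
  const base = mode === 'append' ? tls.rootCertificates : [];
  const seen = new Set();
  const out = [];
  for (const pem of [...base, ...extraPems]) {
    // Parsing validates the input; a malformed certificate throws here
    // instead of being silently dropped from the trust list.
    const fingerprint = new X509Certificate(pem).fingerprint256;
    if (!seen.has(fingerprint)) {
      seen.add(fingerprint);
      out.push(pem);
    }
  }
  return out;
}

// Secure context that can be passed to tls.connect() or an https.Agent.
function secureContextFor(extraPems, mode) {
  return tls.createSecureContext({ ca: buildCaList(extraPems, mode) });
}

// Constructed sample input: two bundled roots joined into one PEM bundle.
const sampleBundle = tls.rootCertificates.slice(0, 2).join('\n');
const extra = splitPemBundle(sampleBundle);
console.log('replace:', buildCaList(extra, 'replace').length, 'CAs trusted');
console.log('append :', buildCaList(extra, 'append').length, 'CAs trusted');
```

In 'replace' mode public CAs stop validating, which is why an additive option is the safer default when the goal is only to trust one more internal root.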

            Assignee:
            anna.henningsen@mongodb.com Anna Henningsen
            Reporter:
            anna.henningsen@mongodb.com Anna Henningsen
            Votes:
            0
            Watchers:
            1
