Ruby Driver / RUBY-1774

Adding a certificate file with CA+intermediate certs only adds intermediate cert

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Major - P3
    • Affects Version/s: 2.8.0.rc0
    • Component/s: Sessions

      When creating the SSL socket against the server, if a CA cert file containing an intermediate certificate and a root CA certificate is used, only the intermediate certificate is actually added to the X509 Store and the PEER validation may fail.

      OpenSSL::X509::Certificate.new is only able to parse the first certificate found in the data provided.

      The code is https://github.com/mongodb/mongo-ruby-driver/blob/master/lib/mongo/socket/ssl.rb#L180

      cert_store.add_cert(OpenSSL::X509::Certificate.new(File.open(options[:ssl_ca_cert])))
      

      OpenSSL::X509::Store.new.add_file, by contrast, is able to add all the certificates found in a file:

      add_file(file) → self
      Adds the certificates in file to the certificate store. The file can contain multiple PEM-encoded certificates.

      see https://ruby-doc.org/stdlib-2.4.0/libdoc/openssl/rdoc/OpenSSL/X509/Store.html

      The fix would be to use add_file instead of manually creating a Certificate object and then adding it to the X509 store.

            Assignee:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Reporter:
            sgirones Salvador Gironès

              Created:
              Updated:
              Resolved:
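The behaviour described in this report can be reproduced offline. The following is an added example, not code from the driver or from the reporter: it builds a constructed root, intermediate and leaf chain (all names and helper functions are made up for the demonstration), writes intermediate plus root to one PEM file, and compares the two ways of loading that file into an X509 store.

```ruby
require "openssl"
require "tempfile"

# Constructed test PKI; subject names are placeholders for this example.
def make_cert(cn, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

def build_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert("Example Root CA", rk, nil, rk, ca: true, serial: 1)
  inter = make_cert("Example Intermediate CA", ik, root, rk, ca: true, serial: 2)
  leaf  = make_cert("db.example.test", lk, inter, ik, ca: false, serial: 3)
  [root, inter, leaf]
end

# Loads the same bundle both ways and verifies the leaf against each store.
def compare_store_loading
  root, inter, leaf = build_chain
  Tempfile.create(["ca_bundle", ".pem"]) do |f|
    f.write(inter.to_pem + root.to_pem) # intermediate first, then root
    f.flush
    # Pattern from the report: Certificate.new parses only the first PEM block.
    first_only = OpenSSL::X509::Certificate.new(File.read(f.path))
    single = OpenSSL::X509::Store.new
    single.add_cert(first_only)
    add_cert_ok = single.verify(leaf)
    # Proposed fix: add_file loads every certificate in the file.
    full = OpenSSL::X509::Store.new
    full.add_file(f.path)
    { parsed_subject: first_only.subject.to_s,
      add_cert_ok: add_cert_ok, add_cert_error: single.error_string,
      add_file_ok: full.verify(leaf) }
  end
end

p compare_store_loading if $PROGRAM_NAME == __FILE__
```

The `add_cert_error` string shows why the chain fails to build when the root is silently dropped, which is useful when diagnosing a peer verification failure that only appears with bundled CA files.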