- Type: Improvement
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Connections
Currently the driver only supports sending a single leaf certificate to the server when connecting. In other words, if an application wishes to connect with TLS verification, the leaf client certificate must be signed directly by the CA certificate.
Other drivers and the MongoDB shell support certificate chains for client certificates, where the leaf certificate is signed by an intermediate certificate and the intermediate certificate is signed by the CA certificate.
Proper certificate chain support depends on the Ruby openssl library exposing the SSL_CTX_use_certificate_chain_file OpenSSL function (https://linux.die.net/man/3/ssl_ctx_use_certificate_chain_file), which would make OpenSSL parse the certificate chain and make use of it. This support as far as I can tell is currently missing; I created https://github.com/ruby/openssl/issues/254 requesting it.
In the meantime, a workaround has been implemented in ruby-kafka (https://github.com/venuenext/ruby-kafka/commit/9495f5daf254b43bc88062acad9359c5f32cb8b5): manually parse the certificate bundle, extract the intermediate certificates and pass them in the extra_chain_cert attribute of the SSL context. This works but is brittle because we would not be using OpenSSL to parse the certificate bundle. Until ruby-openssl supports certificate chains, this seems to be the best option.
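The workaround described above, as an added Ruby example that is not the driver's or ruby-kafka's code: the bundle is split into PEM blocks by hand, the first block becomes the SSL context's certificate and the rest go into extra_chain_cert. The root CA, intermediate and leaf (and their names) are constructed here so the example runs offline; the final helper shows why the intermediates matter, since a store holding only the root CA cannot verify the leaf without them.

```ruby
require 'openssl'
# Certificate.new reads only the first PEM block, so the bundle is split by hand.
PEM_CERT_RE = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

def split_cert_bundle(pem)
  pem.scan(PEM_CERT_RE).map { |block| OpenSSL::X509::Certificate.new(block) }
end

# ruby-kafka style workaround: first cert is the leaf, the rest are intermediates.
def ssl_context_from_bundle(bundle_pem, key_pem)
  certs = split_cert_bundle(bundle_pem)
  raise ArgumentError, 'bundle contains no certificates' if certs.empty?
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = certs.first
  ctx.key = OpenSSL::PKey.read(key_pem)
  ctx.extra_chain_cert = certs.drop(1)
  ctx
end

# Constructed test material with hypothetical names: root CA -> intermediate -> leaf.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

def build_chain
  ca_key, int_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert('/CN=Example Root CA', ca_key, ca: true)
  int = make_cert('/CN=Example Intermediate', int_key, issuer: ca, issuer_key: ca_key, ca: true)
  leaf = make_cert('/CN=example-client', leaf_key, issuer: int, issuer_key: int_key)
  { ca: ca, intermediate: int, leaf: leaf, leaf_key: leaf_key }
end

# True only when the intermediates accompany the leaf; the root CA alone is not enough.
def leaf_verifies?(ca, leaf, intermediates)
  OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca) }.verify(leaf, intermediates)
end
```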
The Ruby driver already appears to be capable of verifying the server certificate when that certificate is part of a chain (signed by an intermediate cert).