SERVER-35196 (project: Core Server)

Unable to X.509 authenticate using a client certificate with a subjectAltName component

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 4.0.0-rc3, 4.1.1
    • Affects Version/s: 4.0.0-rc0
    • Component/s: None
    • None
    • Fully Compatible
    • ALL

      Generate appropriate PEM keyfiles. Have the subject for your client certificate include a subjectAltName component.

      Start mongod

      Insert user with the username matching the client certificate subject.

      Connect to the mongod using the client certificate and try to authenticate using X.509 auth.

    • Platforms 2018-06-18

      I believe this is a regression introduced in 4.0.0-rc0. The same automated test of ours that triggered this did not have this problem with 3.7.9. I have seen this happen on Amazon Linux and macOS.

      Basically, if I have a PEM key file with a certificate with a subjectAltName component:

      $ openssl x509 -in /tmp/mms-automation/test/output/certificates/pem-967246847 -inform PEM -subject -nameopt RFC2253
      subject= subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan
      

      And that user exists on the mongod:

      MongoDB Enterprise csrs:PRIMARY> db.system.users.find({})
      { "_id" : "$external.subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "user" : "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan", "db" : "$external", "credentials" : { "external" : true }, "roles" : [ { "role" : "backup", "db" : "admin" }, { "role" : "clusterAdmin", "db" : "admin" }, { "role" : "dbAdminAnyDatabase", "db" : "admin" }, { "role" : "readWriteAnyDatabase", "db" : "admin" }, { "role" : "restore", "db" : "admin" }, { "role" : "userAdminAnyDatabase", "db" : "admin" } ] }
      

      This is what happens when I try to authenticate:

      $ /tmp/mms-automation/test/versions/mongodb-linux-x86_64-enterprise-amzn64-4.0.0-rc0/bin/mongo --ssl --sslCAFile /tmp/mms-automation/test/output/certificates/mmsCA.pem --sslPEMKeyFile /tmp/mms-automation/test/output/certificates/pem-967246847 `hostname -f`:9007
      MongoDB shell version v4.0.0-rc0
      connecting to: mongodb://ip-10-113-168-251.ec2.internal:9007/test
      MongoDB server version: 4.0.0-rc0
      MongoDB Enterprise csrs:PRIMARY> use $external
      switched to db $external
      MongoDB Enterprise csrs:PRIMARY> db.auth({mechanism: "MONGODB-X509", user: "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"})
      Error: Username "subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan" does not match the provided client certificate user "2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,CN=userWithEmailAndSan"
      0
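
The following is an added illustration, not MongoDB's code and not the fix that closed this ticket. It takes the two strings from the error message above and shows why a byte-for-byte comparison of the stored username against the DN the server derives from the client certificate fails when one side spells an attribute type by its short name ("subjectAltName") and the other by its dotted OID ("2.5.29.17"). The OID-to-short-name table is an assumption for the example and only covers the attribute types that appear in this report.

```python
# Added example (not MongoDB's code): why an exact string comparison of the
# stored username against the DN derived from the client certificate fails
# in the report above, and how a canonicalised comparison behaves instead.
# The OID table below is an assumption for illustration; it only covers the
# attribute types that appear in the report.

# Attribute-type OIDs and the short names OpenSSL prints with -nameopt RFC2253.
OID_TO_SHORT = {
    "2.5.4.3": "CN",
    "2.5.4.6": "C",
    "2.5.4.7": "L",
    "2.5.4.8": "ST",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
    "2.5.29.17": "subjectAltName",  # the type the server rendered as a dotted OID
}

# The two strings from the report (copied from the error message).
STORED_USER = ("subjectAltName=myAltName,emailAddress=user@mongodb.com,C=US,"
               "ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,"
               "CN=userWithEmailAndSan")
CERT_USER = ("2.5.29.17=myAltName,emailAddress=user@mongodb.com,C=US,"
             "ST=NewYork,L=NewYorkCity,O=MongoDB,OU=MMSAutomationClient,"
             "CN=userWithEmailAndSan")


def split_rdns(dn):
    """Split an RFC 2253 string on commas that are not backslash-escaped."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn):
    """Render every attribute type by its short name so that both spellings
    of the same DN produce one canonical string. Unknown types are left as-is."""
    out = []
    for rdn in split_rdns(dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type = attr_type.strip()
        out.append(f"{OID_TO_SHORT.get(attr_type, attr_type)}={value}")
    return ",".join(out)


def names_match(stored_user, cert_dn):
    """Compare the stored user name and the certificate DN after canonicalising both."""
    return normalize_dn(stored_user) == normalize_dn(cert_dn)


if __name__ == "__main__":
    # Raw comparison reproduces the failure from the report; canonical comparison matches.
    print("raw strings equal:      ", STORED_USER == CERT_USER)              # False
    print("canonical strings equal:", names_match(STORED_USER, CERT_USER))   # True
```

Two points for anyone building or reviewing an X.509-to-username mapping: canonicalise on both the user-creation path and the authentication path with the same routine, so that the spelling an operator happened to use when creating the user cannot decide whether a later login succeeds or fails; and note that RFC 5280 defines name equality on the decoded name structure, so string normalisation as above is only a stand-in for comparing parsed names. The attribute seen here, 2.5.29.17, is the OID of the subjectAltName extension; carrying it as an attribute inside the subject DN is unusual, which is why a short name for it is easy to overlook in a renderer's table.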
      

            Assignee: sara.golemon@mongodb.com Sara Golemon
            Reporter: tim.olsen@mongodb.com Timothy Olsen (Inactive)
            Votes: 0
            Watchers: 7
