Project: Core Server
Issue: SERVER-62035

Investigate large delays in `CertGetCertificateChain` on Windows

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Internal Code
    • Server Security
    • ALL
    • Security 2022-02-07

      SERVER-54900 introduced a new timer to enable TransportLayerASIO to handle timeouts during SSL handshaking. The timer causes some of the external_auth tests to fail on Windows (see this patch, for example). Those tests consistently fail on Windows and pass on all other platforms. The cause of the failure is very long delays when the mongo shell connects to a sharded cluster:

      [js_test:ldap_authz_authn] sh11980| MongoDB shell version v5.2.0-alpha-683-g49abfaf-patch-619c04589ccd4e13926f09c2
      [js_test:ldap_authz_authn] sh11980| connecting to: mongodb://EC2AMAZ-N4BVR59:20547/test?authMechanism=MONGODB-X509&authSource=%24external&compressors=disabled&gssapiServiceName=mongodb
      71 lines skipped.
      [js_test:ldap_authz_authn] sh11980| 2021-11-22T23:42:07.355Z W  NETWORK  4780400 [js] "OCSP responder was slow to respond","attr":{"durationMillis":6285}
      [js_test:ldap_authz_authn] sh11980| 2021-11-22T23:42:07.356Z W  NETWORK  23273   [js] "You have an IP Address in the DNS Name field on your certificate. This formulation is depreceated."
      [js_test:ldap_authz_authn] sh11980| 2021-11-22T23:42:07.356Z W  NETWORK  23276   [js] "The server certificate does not match the host name","attr":{"remoteHost":"EC2AMAZ-N4BVR59","certificateNames":"localhost 127.0.0.1 , Subject Name: CN=server,OU=Kernel,O=MongoDB,L=New York City,ST=New York,C=US"}
      [js_test:ldap_authz_authn] sh11980| Error: couldn't connect to server EC2AMAZ-N4BVR59:20547, connection attempt failed: NetworkTimeout: SSL handshake timed out after 7964 ms, started on 2021-11-22T23:41:59.392+00:00, completed on 2021-11-22T23:42:07.356+00:00, and was configured to time out after 5000 ms :
      [js_test:ldap_authz_authn] sh11980| connect@src/mongo/shell/mongo.js:384:17
      [js_test:ldap_authz_authn] sh11980| @(connect):3:6
      43 lines skipped.
      [js_test:ldap_authz_authn] sh11980| exception: connect failed
      [js_test:ldap_authz_authn] sh11980| exiting with code 1
      

      These large delays happen while we run the following Windows-specific code:
      https://github.com/mongodb/mongo/blob/0b5f8fbf748fa7c8da75bd64ac9ca4ed322de321/src/mongo/util/net/ssl_manager_windows.cpp#L1753-L1767

      That being said, this new timer feature is currently disabled on Windows. This ticket should investigate why creating a timer thread causes such long delays in running CertGetCertificateChain on Windows. After addressing the issue, we need a separate ticket to enable SERVER-54900 on Windows.
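      As an added example (not code from this ticket or from the MongoDB code base): a PowerShell harness, run on the Windows host where the test fails, that times the certificate chain build on its own, outside the TLS handshake and the mongo shell. .NET's X509Chain.Build is a wrapper over CertGetCertificateChain, and X509ChainPolicy.UrlRetrievalTimeout is passed through as CERT_CHAIN_PARA.dwUrlRetrievalTimeout, so comparing a build with online revocation checking against one with revocation checking off shows how much of the 6-8 s seen in the log is OCSP/CRL retrieval, and whether the URL retrieval timeout bounds it. The two certificate paths and the 5-second timeout are assumptions; each file is assumed to hold only a certificate (DER or PEM), not a private key.

```powershell
# Added example, not part of SERVER-62035 or the MongoDB code base.
# Times the Windows chain build with revocation checking on and off.
# X509Chain.Build wraps CertGetCertificateChain; UrlRetrievalTimeout becomes
# CERT_CHAIN_PARA.dwUrlRetrievalTimeout.
#
# Assumptions (adjust for the host under test): the two file paths, and that
# each file contains only a certificate (DER or PEM), not a private key.
param(
    [string]$ServerCertPath = 'C:\certs\server.crt',
    [string]$CaCertPath     = 'C:\certs\ca.crt',
    [int]   $UrlTimeoutSec  = 5
)

function Measure-ChainBuild {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Leaf,
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Issuer,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode] $RevocationMode,
        [int] $TimeoutSec
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $RevocationMode
    # Only the end-entity certificate is checked for revocation, so the measured
    # time reflects one OCSP/CRL lookup rather than one per chain element.
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EndCertificateOnly
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSec)
    # The test CA is usually not in the machine store: supply it via ExtraStore
    # and tolerate the untrusted root so that only revocation and timing matter.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    [void] $chain.ChainPolicy.ExtraStore.Add($Issuer)

    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $ok = $chain.Build($Leaf)
    $sw.Stop()

    [pscustomobject]@{
        RevocationMode = $RevocationMode
        Built          = $ok
        Milliseconds   = $sw.ElapsedMilliseconds
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$leaf   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath
$issuer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

# Run NoCheck first: Windows caches fetched OCSP/CRL data (see certutil -urlcache),
# so a second Online build in the same session can be much faster than the first.
$results = foreach ($mode in 'NoCheck', 'Offline', 'Online') {
    Measure-ChainBuild -Leaf $leaf -Issuer $issuer -RevocationMode $mode -TimeoutSec $UrlTimeoutSec
}
$results | Format-Table -AutoSize
```

      Reading the output: the difference between the Online and NoCheck rows is the cost of the revocation fetch; if it is close to the configured UrlRetrievalTimeout the responder is simply unreachable or slow, while an Online build that runs well past NoCheck plus the timeout means the wait is not bounded by dwUrlRetrievalTimeout at all. This harness does not create the timer thread the ticket describes, so it isolates the OCSP/CRL cost of the chain build but does not reproduce the interaction under investigation.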

            Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter: amirsaman.memaripour@mongodb.com Amirsaman Memaripour
            Votes: 0
            Watchers: 4