
OPERATIONAL DEFECT DATABASE
My company is doing some testing with the latest version of mongo to make sure everything works for us. We have a mongo replica set set up that includes Windows Server nodes and Red Hat Enterprise Linux nodes. The issue being encountered is that while the Red Hat nodes can successfully connect to the Windows nodes, the inverse is not true. We are using mandatory TLS authentication in the mongo configurations, and inspecting the TLS handshake using Wireshark, from what I can tell, no matter the cryptographic capabilities of the Windows server in question, mongod will always use a sha1 signature algorithm for the client certificate verification part of the handshake. Editing the Windows registry to remove those signature algorithms from the Windows cryptographic providers did not change anything. The only way I could reconfigure the system to get this to work was to enable the sha1 algorithms on the Red Hat side (while keeping the sha1 algorithms enabled on the Windows side). This configuration is undesirable.

I've also noticed this post about the driver: https://www.mongodb.com/community/forums/t/mongodb-c-c-driver-potential-authentication-issue-with-windows-native-tls/328866

Inspecting the code change for that fix: https://github.com/mongodb/mongo-c-driver/commit/912209d5dc985758bc3d70b105dc5166e3ded7c3#diff-b2a83f73a292a6b11ffd5ee3408235c7c6a3cb85e0c9dbf7028a735c45187261

It appears as though the issue is the manner in which Windows APIs around Schannel are being used. Looking at the mongod code itself, I believe this block of code is the problem: https://github.com/mongodb/mongo/blob/303c38d64a3b0ab743bdaea955874fc7fe601c9d/src/mongo/util/net/ssl_manager_windows.cpp#L1005

And indeed, removing this code path when `isSSLServer` is true resolves the issue. Do note I believe this affects all currently supported versions of `mongod`, and based on the code probably also affects `mongos`.
Have a 2-node replica set with mongod. Have one of the replica set members on Windows (both is fine, but at least one must be Windows). This replica set needs to have TLS enabled via the `net.tls` block, with `net.tls.mode` being `requireTLS`. Ensure the node the Windows one is connecting to has the sha1 signature algorithms disabled. Verify that the replica set members cannot connect properly to each other. In the Windows mongod log file, you will see a remark about "No Common Algorithm" during the replica set heartbeats.
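To confirm whether a Windows member is hitting the handshake failure described in the report, the following added Python script (not from the report or from MongoDB) scans mongod log lines for the "No Common Algorithm" text and groups the failures by peer. The sample lines are constructed, and the `attr.hostAndPort` / `attr.remote` field names it reads from the JSON log format are an assumption.

```python
import json
import re
from collections import Counter

NEEDLE = "no common algorithm"             # log text quoted in the report
HOSTPORT = re.compile(r"[\w.-]+:\d{1,5}")  # heuristic host:port for text-format lines

# Constructed sample lines (not from the report): two in mongod's JSON log
# format, one in the older text format. The "attr" field names are assumed.
SAMPLE_LOG = [
    '{"t":{"$date":"2025-01-15T10:00:01.000+00:00"},"s":"I","c":"NETWORK",'
    '"ctx":"ReplCoord-0","msg":"Heartbeat failed","attr":{"hostAndPort":'
    '"rhel-node-1:27017","error":"SSLHandshakeFailed: No Common Algorithm"}}',
    '{"t":{"$date":"2025-01-15T10:00:02.000+00:00"},"s":"I","c":"REPL",'
    '"ctx":"ReplCoord-1","msg":"Heartbeat succeeded",'
    '"attr":{"hostAndPort":"win-node-1:27017"}}',
    "2025-01-15T10:00:03.000+0000 I NETWORK  [ReplCoord-0] SSL handshake to "
    "rhel-node-2:27017 failed: No Common Algorithm",
]


def find_no_common_algorithm(lines):
    """One finding per line containing "No Common Algorithm" (JSON or text format)."""
    findings = []
    for line in lines:
        line = line.strip()
        if NEEDLE not in line.lower():
            continue
        try:
            rec = json.loads(line)          # structured log: take peer from attr
            attr = rec.get("attr") or {}
            findings.append({
                "time": (rec.get("t") or {}).get("$date"),
                "ctx": rec.get("ctx"),
                "peer": attr.get("hostAndPort") or attr.get("remote"),
                "msg": rec.get("msg"),
            })
        except ValueError:                  # text log: first host:port after stamp
            stamp, _, rest = line.partition(" ")
            match = HOSTPORT.search(rest)
            findings.append({"time": stamp, "ctx": None,
                             "peer": match.group(0) if match else None,
                             "msg": rest})
    return findings


def peers_by_count(findings):
    """Count failures per peer so the members rejecting the handshake stand out."""
    return Counter(f["peer"] or "unknown" for f in findings)
```

Run it over the member's real log file instead of `SAMPLE_LOG`; a peer that only appears when its sha1 signature algorithms are disabled matches the behaviour the report describes.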