...
MongoDB version:

    mongodb-macos-x86_64-enterprise-4.1.7-40-gbfb0aec/bin/mongod --version
    db version v4.1.7-40-gbfb0aec
    git version: bfb0aec447f39633694dcc4418f2a5a5a167937e
    allocator: system
    modules: enterprise
    build environment:
        distarch: x86_64
        target_arch: x86_64

Start mongod with the attached certificates (server.pem, ca.pem):

    $ mongodb-macos-x86_64-enterprise-4.1.7-40-gbfb0aec/bin/mongod -v --sslOnNormalPorts --sslWeakCertificateValidation --sslCAFile=ca.pem --sslPEMKeyFile=server.pem --dbpath tmp-data

Attempt to connect with the mongo shell (or any driver) with client.pem:

    $ mongo --ssl --sslAllowInvalidCertificates --sslPEMKeyFile=client.pem
    MongoDB shell version v4.0.1
    connecting to: mongodb://127.0.0.1:27017
    2019-01-18T16:25:57.426-0800 W NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
    2019-01-18T16:25:57.426-0800 E QUERY [js] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:27017' :
    connect@src/mongo/shell/mongo.js:257:13
    @(connect):1:6
    exception: connect failed

The server logs the following error:

    2019-01-18T16:25:57.387-0800 I NETWORK [listener] connection accepted from 127.0.0.1:55477 #2 (1 connection now open)
    2019-01-18T16:25:57.420-0800 D - [conn2] User Assertion: UnsupportedFormat: Invalid IP address in CIDR string src/mongo/util/net/cidr.cpp 117
    2019-01-18T16:25:57.423-0800 D - [conn2] User Assertion: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING src/mongo/util/icu.cpp 85
    2019-01-18T16:25:57.423-0800 D - [conn2] User Assertion: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING src/mongo/transport/session_asio.h 633
    2019-01-18T16:25:57.423-0800 I NETWORK [conn2] Error receiving request from client: Location50687: Error preflighting UTF-8 conversion: U_STRING_NOT_TERMINATED_WARNING. Ending connection from 127.0.0.1:55477 (connection id: 2)
    2019-01-18T16:25:57.423-0800 I NETWORK [conn2] end connection 127.0.0.1:55477 (0 connections now open)

These certificates work without a problem on MongoDB 2.6-4.0 so I think there has been a regression somewhere. Also worth noting is that this failure happens on all platforms, not just macOS. This issue is currently blocking drivers from testing against the latest version of the server.

xgen-internal-githook commented on Wed, 30 Jan 2019 19:57:23 +0000:

Author: {'username': 'jbreams', 'email': 'jbreams@mongodb.com', 'name': 'Jonathan Reams'}
Message: SERVER-39107 Allow empty components in certificate DNs
Branch: master
https://github.com/mongodb/mongo/commit/ac3f2f46c776d844e44d2cd31629ebc1eacf1638

jonathan.reams@10gen.com commented on Tue, 29 Jan 2019 17:40:02 +0000:

shane.harvey, the client.pem certificate has an invalid subject name:

    184:d=2 hl=2 l= 100 cons: SEQUENCE
    186:d=3 hl=2 l= 15 cons: SET
    188:d=4 hl=2 l= 13 cons: SEQUENCE
    190:d=5 hl=2 l= 3 prim: OBJECT :commonName
    195:d=5 hl=2 l= 6 prim: PRINTABLESTRING :client
    203:d=3 hl=2 l= 16 cons: SET
    205:d=4 hl=2 l= 14 cons: SEQUENCE
    207:d=5 hl=2 l= 3 prim: OBJECT :organizationalUnitName
    212:d=5 hl=2 l= 7 prim: PRINTABLESTRING :Drivers
    221:d=3 hl=2 l= 9 cons: SET
    223:d=4 hl=2 l= 7 cons: SEQUENCE
    225:d=5 hl=2 l= 3 prim: OBJECT :organizationName
    230:d=5 hl=2 l= 0 prim: PRINTABLESTRING :
    232:d=3 hl=2 l= 18 cons: SET
    234:d=4 hl=2 l= 16 cons: SEQUENCE
    236:d=5 hl=2 l= 3 prim: OBJECT :localityName
    241:d=5 hl=2 l= 9 prim: PRINTABLESTRING :Palo Alto
    252:d=3 hl=2 l= 19 cons: SET
    254:d=4 hl=2 l= 17 cons: SEQUENCE
    256:d=5 hl=2 l= 3 prim: OBJECT :stateOrProvinceName
    261:d=5 hl=2 l= 10 prim: PRINTABLESTRING :California
    273:d=3 hl=2 l= 11 cons: SET
    275:d=4 hl=2 l= 9 cons: SEQUENCE
    277:d=5 hl=2 l= 3 prim: OBJECT :countryName
    282:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US

The O component is empty, and RFC 5280 specifies that components must be at least one code point long. However, since we supported this before 4.2, I will add an exception in our certificate normalization/validation code.
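
Added example, not part of the original ticket and not MongoDB's code: a pre-flight check that walks a DER-encoded subject Name and reports components whose value is zero-length, such as the empty O in the dump above. The sample bytes are constructed to mirror that dump, and all function names are hypothetical.

```python
# Added example: flag empty attribute values in a DER-encoded X.509 Name.
OIDS = {b"\x55\x04\x03": "CN", b"\x55\x04\x0b": "OU", b"\x55\x04\x0a": "O",
        b"\x55\x04\x07": "L", b"\x55\x04\x08": "ST", b"\x55\x04\x06": "C"}

def tlv(tag, body):
    """Encode one DER element (short-form length only; enough for the sample)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def empty_dn_components(name_der):
    """Short names of attributes in a DER Name whose value has length 0."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    empty = []
    for _, rdn in children(rdns):        # each RDN is a SET ...
        for _, atv in children(rdn):     # ... of AttributeTypeAndValue SEQUENCEs
            (_, oid), (_, val) = list(children(atv))[:2]
            if len(val) == 0:
                empty.append(OIDS.get(oid, oid.hex()))
    return empty

# Constructed sample mirroring the subject shown in the asn1parse dump above.
SUBJECT = tlv(0x30, b"".join(
    tlv(0x31, tlv(0x30, tlv(0x06, oid) + tlv(0x13, val)))
    for oid, val in [(b"\x55\x04\x03", b"client"), (b"\x55\x04\x0b", b"Drivers"),
                     (b"\x55\x04\x0a", b""), (b"\x55\x04\x07", b"Palo Alto"),
                     (b"\x55\x04\x08", b"California"), (b"\x55\x04\x06", b"US")]))

if __name__ == "__main__":
    print(empty_dn_components(SUBJECT))
```

Running a check like this over test certificates before a server upgrade surfaces subjects that a stricter DN parser may reject.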