X.509 authentication #108

Open
Joannis opened this issue Apr 12, 2017 · 16 comments
Comments

@Joannis
Member

Joannis commented Apr 12, 2017

As requested by @mark-crawford.



@Joannis
Member Author

Joannis commented Apr 19, 2017

@mark-crawford I cannot finish this feature for now. MongoDB has an undocumented scenario I cannot avoid running into. Reaching their support team is impossible without paying for it.

@mark-crawford

Is it possible to describe the scenario you are running up against?

@Joannis
Member Author

Joannis commented Apr 20, 2017

I manage to connect using SSL providing the certificate as being mine. My connection is accepted but unauthorized.

{
  "authenticate": 1,
  "mechanism": "MONGODB-X509",
  "user": "...."
}

When I send the above message to the server I get the following message: "SSL support is required for the MONGODB-X509 mechanism."

There is no further information available about this error.

@mark-crawford

mark-crawford commented Apr 20, 2017

Are you using the Community Edition or Enterprise Edition of MongoDB? If you are using the Community Edition, you may have to recompile it to include TLS/SSL support.

This information is a bit dated, but may still apply: http://www.allanbank.com/blog/security/tls/x.509/2014/10/13/tls-x509-and-mongodb/

@Joannis
Member Author

Joannis commented Apr 20, 2017

I'm using the community edition with SSL. But I'm finding the same issues on IBM Bluemix.

@Joannis
Member Author

Joannis commented Apr 21, 2017

@mark-crawford Do you happen to have a MongoDB instance that I can test X.509 against?

@mark-crawford

I have a Mongo CE instance, if that helps. I have a Mongo EE instance, but I am using this in a project that is under a fairly tight timeline and will not be able to get the DBAs to reconfigure it for x.509 authentication for a few weeks (sorry).

@Joannis
Member Author

Joannis commented Apr 21, 2017

Anything works. I need an instance that is verified by someone else to work.

EDIT: It does need to have X.509 authentication set up, of course.

@mark-crawford

Sure, I can help. Just having a difficult time configuring my CE instance for X.509 during my off-time. It may take a bit to accomplish this.

@Joannis
Member Author

Joannis commented Apr 24, 2017

No worries :) Let me know when you've got something working.

@mark-crawford

I may be able to set it up quicker if I knew exactly what steps to follow to configure it. Do you have a procedure I can follow to configure it?

@Joannis
Member Author

Joannis commented Apr 24, 2017

@mark-crawford

I haven't forgotten about this, I just haven't had time to do it. Hopefully, I will get some time this weekend or next week. I will comment when I have performed the verification.

@tfrank64

@Joannis Is there any update on this?

I have run into the same issue I believe using MongoKitten 4.0.11. I have a PEM certificate that works well on Linux when using the following init:
SSLSettings(enabled: true, invalidHostNameAllowed: true, invalidCertificateAllowed: true, CAFilePath: "/tmp/mycert.pem")

On macOS though, I get "cannot connect" errors, even when I convert that PEM file to a .der file.
When using the DER file, it fails on this method SSLSetCertificateAuthorities here.

Is this being worked on or are there plans to add support for X.509 certificates in the near future?

@Joannis
Member Author

Joannis commented Jul 27, 2017

The plans are there, but I don't have a test setup yet for this.

@Joannis
Member Author

Joannis commented Jul 28, 2017

I also had to implement X.509 with a bit of luck. I implemented it using an example for OpenSSL which seemed to work from the get-go. macOS' Security Framework didn't have clear examples and I had to find something from the little docs there were. If you at IBM have a test server that I could use for this feature (and maybe some knowledge surrounding X.509 and macOS Security) that'd be a great help.
