I'm using MongoDB 2.6.3 with an SSL connection.
I am not using client validation, and the SSL configuration is only:

sslMode = requireSSL
sslPEMKeyFile = /path/to/MyServerCertificate.pem

The certificate I'm using is signed and issued to my server by a CA which has a root CA, like so:
RootCA ---> SignerCA ---> MyServerCertificate

The problem is: I'm trying to connect via Java by specifying a trust store with only the SignerCA, and everything works fine. But when I'm specifying a trust store with only the RootCA, I get:

com.mongodb.MongoServerSelectionException: Unable to connect to any server

In the mongo log I can see:

ERROR: SSL: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown


My java code:

import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.mongodb.MongoClient;
import com.mongodb.MongoClientOptions;
import com.mongodb.MongoClientOptions.Builder;

Builder options = MongoClientOptions.builder();

// Trust store: holds only the CA certificate(s) the client should trust, no client key.
KeyStore ks = KeyStore.getInstance("JKS");
try (FileInputStream in = new FileInputStream("path/to/keystore")) {
    ks.load(in, "pass".toCharArray());
}

// TrustManager built from that trust store; it validates the chain the server presents.
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(ks);

// No KeyManagers: the client presents no certificate, so the server cannot validate the client.
SSLContext sc = SSLContext.getInstance("TLS");
sc.init(null, trustFactory.getTrustManagers(), null);

options.socketFactory(sc.getSocketFactory());
MongoClient client = new MongoClient("localhost", options.build());

When the keystore I'm using contains only the RootCA I'm unable to connect for some reason...
I will be happy for suggestions. Thanks.

matanper
  • Can you provide the MongoDB server startup parameters you are using, for example, did you provide an SSLCAFile in your server configuration? (The client is validating the server but not vice versa: just making sure that's the behavior you intend.) Further, did you load both the Root CA file and the Signer CA into your keystore? (I'm not familiar with Java's TrustManager API, but I'm concerned that it doesn't know the link between Signer CA and Root CA.) Is Root CA a KeyStore.TrustedCertificateEntry? Additionally, just to clarify, is "loclahost" a typo in this post or also in your code? – Amalia Jan 09 '15 at 19:17
  • Thanks for the comment. As you can see at the beginning of the post, this is the configuration, without a CA file, because I want only client validation, and not server validation. localhost is a typo; I'm using RHEL 6.2 for my mongo remote servers. If I have the signer CA in the keystore, the connection is established fine, and if I add the Root CA to the same keystore it is still working (it has no effect). The problem is when the keystore contains only the Root CA. If the TrustManager doesn't know how to make the link, isn't it against the principles of certificates? – matanper Jan 10 '15 at 19:36

1 Answer

The issue you're seeing is because there is no way for the TrustManager to make the link between your certificate, the Signer CA and the Root CA. Since your certificate only contains a reference to the Signer CA, as far as the TrustManager is concerned there is no link between the certificate and the Root CA. You need to provide the Signer CA to show that the link exists to a trusted authority.

To use a personified example, let's pretend Alice is looking for a job at Security Corp. Alice has a recommendation (signed cert) by Bob, who in turn is recommended (signed) by Charlie. If Security Corp only has access to Bob's recommendation (signature) of Alice, and Security Corp trusts Charlie but doesn't know who Bob is, they have no reason to trust Alice. Security Corp needs access to Charlie's recommendation of Bob, so that it can trust Bob's recommendation of Alice.

I hope that makes sense!

Amalia
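An added example (not part of the question or the answer above) that reproduces the three trust-store situations with OpenSSL instead of the Java driver, using a locally generated RootCA -> SignerCA -> server chain. The certificates are constructed on the fly; the names RootCA, SignerCA and mongo.example.test, and the layout of the mongod.pem bundle, are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway three-level chain
# (constructed test data) and checks it the three ways the question describes.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions: CA certificates get CA:TRUE, the server leaf gets CA:FALSE plus a SAN.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mongo.example.test\n' > srv.ext

# RootCA: self-signed.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj /CN=RootCA -out root.csr
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null

# SignerCA: intermediate issued by RootCA.
openssl genrsa -out signer.key 2048 2>/dev/null
openssl req -new -key signer.key -subj /CN=SignerCA -out signer.csr
openssl x509 -req -in signer.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -extfile ca.ext -out signer.pem 2>/dev/null

# Server leaf: issued by SignerCA (the MyServerCertificate of the question).
openssl genrsa -out server.key 2048 2>/dev/null
openssl req -new -key server.key -subj /CN=mongo.example.test -out server.csr
openssl x509 -req -in server.csr -CA signer.pem -CAkey signer.key -CAcreateserial -days 365 -extfile srv.ext -out server.pem 2>/dev/null

# Case 1 (the failure in the question): only RootCA is trusted and the server presents
# only its leaf. No copy of SignerCA is available, so path building stops one hop short.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Case 2 (works in the question): only SignerCA is trusted. Java's PKIX TrustManager accepts
# any trust-store entry as an anchor; OpenSSL needs -partial_chain to behave the same way.
verify_signer_only() {
    openssl verify -CAfile "$WORK/signer.pem" -partial_chain "$WORK/server.pem" >/dev/null 2>&1
}

# Case 3 (the fix): only RootCA is trusted, but the intermediate arrives with the leaf,
# which is what -untrusted models here and what the TLS Certificate message carries.
verify_root_with_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/signer.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# Server-side bundle for sslPEMKeyFile: private key, leaf, then the intermediate, so the
# server can send the whole chain. Prints how many certificates the bundle holds.
build_server_bundle() {
    cat "$WORK/server.key" "$WORK/server.pem" "$WORK/signer.pem" > "$WORK/mongod.pem"
    grep -c 'BEGIN CERTIFICATE' "$WORK/mongod.pem"
}

if verify_root_only; then echo "root only: OK"; else echo "root only: FAIL"; fi
if verify_signer_only; then echo "signer only: OK"; else echo "signer only: FAIL"; fi
if verify_root_with_chain; then echo "root + intermediate from server: OK"; else echo "root + intermediate from server: FAIL"; fi
echo "certificates in mongod.pem: $(build_server_bundle)"
```

Case 1 is the setup from the question: the validator never sees SignerCA, the Java client aborts the handshake, and mongod logs the resulting certificate_unknown alert. Case 2 is why a SignerCA-only keystore works, and why adding RootCA to that same keystore changes nothing: every entry in a Java trust store is a trust anchor in its own right. Case 3 is the fix that lets the JKS hold only RootCA (keytool -importcert -trustcacerts -alias rootca -file root.pem -keystore truststore.jks): append SignerCA's certificate to the PEM file named in sslPEMKeyFile so the server presents the intermediate, then confirm with openssl s_client -connect host:27017 -showcerts that two certificates come back.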