Patch SSL Certificate handling in mongodump 4.2+ (go lang)

I wish to upgrade my Mongo database from version 4 to 5. I use ssl configuration with Mongo to ensure communication with the database is encrypted. To backup the database I use mongodump.

In Mongo 4.2 mongodump was rewritten in Go lang, causing it to import a common Go bug around ssl certificate handling. Specifically PEM files with intermediate certificates aren't fully loaded. The bug does not impact Mongo server or client itself, any version, or any other apps. Only mongodump is impacted.

The bug is described here: https://jira.mongodb.org/browse/TOOLS-2598

Since tool's SSL/TLS code is copied from Go driver, the current implementation only parses the last certificate inside the pem file.

This is a discrepancy with Mongoshell behavior, which only loads the first certificate inside the pem file.

In this related exchange: https://jira.mongodb.org/browse/TOOLS-2996 I fail to see the resolution. I have tried every permutation of keys and certificates in the arguments passed to mongodump.

I've been looking at the source code for mongodump and specifically the SSL loading code.

To aid in Go development, I've created this Dockerfile to instantly provide a working environment for building this code, but I am unfamiliar with Go as a language.

# Build environment for the mongo-tools Go source (git, Go toolchain, Kerberos and snappy deps)
FROM centos:8
RUN yum -y update
RUN yum -y install git-core vim-enhanced golang krb5-devel krb5-libs snappy
# Build as an unprivileged user with a writable home/work directory
RUN groupadd -r app -g 1000 && \
    useradd -r -g app -u 1000 app -d /app && \
    mkdir -p /app && \
    chown -R app:app /app
USER 1000
WORKDIR /app
# Exec form so bash is PID 1 and receives signals directly
ENTRYPOINT ["/bin/bash"]

How plausible is it to fix these PEM loading bugs in this code base? My Mongo estate has many clients, so rotating the certificates to solve this issue involves a high degree of planning and downtime. Patching mongodump to accept the existing certs feels like an acceptable medium-term trade-off.

Is anyone able to help me write the appropriate patch, perhaps there's standard ssl code that go developers use now? Does anyone have any ideas on how I can move this forward please? (Patches would be ideal!)

I apologise in advance that I have no reproducible test case here due to complexities of how the certificates I want to test were created.
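Added example (not the asker's code and not the MongoDB tools' code): the overwrite-on-each-block defect the question describes next to the standard-library way of loading a combined PEM bundle, `tls.X509KeyPair`, which keeps every CERTIFICATE block. The key, leaf and intermediate are generated in-process as constructed sample data; the common names and serials are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// naiveLastCert mirrors the defect in the question: every decoded CERTIFICATE block overwrites the previous one, so only the last survives.
func naiveLastCert(bundle []byte) (last *pem.Block) {
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" { last = b }
	}
	return
}

// loadBundle is the standard-library idiom: tls.X509KeyPair keeps every CERTIFICATE block (leaf first)
// and skips non-key blocks while locating the private key, so one combined PEM file serves as both arguments.
func loadBundle(bundle []byte) (tls.Certificate, error) {
	return tls.X509KeyPair(bundle, bundle)
}

// makeBundle generates a throwaway intermediate CA plus a client leaf it signs and bundles key + leaf + intermediate as PEM (constructed sample data).
func makeBundle() []byte {
	must := func(der []byte, err error) []byte { if err != nil { panic(err) }; return der }
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Intermediate CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER := must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "mongodump-client"}, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter}
	leafDER := must(x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey))
	out := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: must(x509.MarshalECPrivateKey(leafKey))})
	for _, der := range [][]byte{leafDER, caDER} {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() {
	cert, err := loadBundle(makeBundle())
	fmt.Println("certificates loaded from bundle:", len(cert.Certificate), "error:", err)
}
```

Note that X509KeyPair expects the leaf to be the first CERTIFICATE block: with the intermediate listed first it returns a key-mismatch error rather than silently loading the wrong certificate, which is the failure to look for when a bundle is rejected.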

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow