[MongoDB C/C++ Driver] Potential Authentication Issue with Windows Native TLS

Hi MongoDB C/C++ Driver Users,

This post is to inform the community of an authentication issue that may affect your MongoDB applications and provide you with immediate solutions.

Issue Summary

An issue has been discovered in the MongoDB C/C++ driver when built with Windows Secure Channel TLS support. The driver could fail to complete MONGODB-X509 authentication against servers that do not accept RSA+SHA1 client certificate signatures, causing connection establishment errors.

This error appears as:

Failed to initialize security context, error code: 0x80090331: The client and server cannot communicate, because they do not possess a common algorithm

Who is Affected?

This issue affects you if all of the following conditions apply to your setup:

  • You are running your application on Windows.
  • You are using the MongoDB C or C++ driver, with C driver version 2.0.2 or earlier.
  • You are using the MONGODB-X509 authentication mechanism.
  • Your driver is built with Windows native TLS (Secure Channel) - this is the default on Windows.
  • Your server running MongoDB has RSA+SHA1 signature algorithms disabled. This is a common default on servers using OpenSSL 3.

To check whether your server may be affected, inspect the output of the TLS handshake:

% echo "" | openssl s_client -connect $MY_SERVER -port 27017 -tls1_2 2>&1 | grep "^Requested Signature Algorithms"

If the output does not include RSA+SHA1, you may be impacted by this bug.

Primary Solution: Upgrade Your Driver

We strongly recommend upgrading to the latest versions that resolve this issue:

  • C Driver: Upgrade to version 2.1.0 or later
  • C++ Driver: The C++ driver uses the C driver for authentication. Upgrade the C driver to version 2.1.0 or later.

Alternative Workaround

If immediate upgrading is not feasible, you can work around this issue by rebuilding the C driver with OpenSSL instead of Secure Channel, using the CMake option: -DENABLE_SSL=OPENSSL

Note: This requires obtaining and configuring OpenSSL separately.

Support

If you have any questions or need assistance with this issue, please don’t hesitate to contact our support team by creating a support case at the MongoDB Support Portal.

Rishabh Bisht
Product Manager, Developer Experience @ MongoDB

1 Like
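Added example, not part of the original post or of MongoDB's tooling: a shell helper that classifies the "Requested Signature Algorithms" line from the openssl s_client check above, matching whole tokens and treating a missing line as inconclusive rather than as "affected". The function names classify_sigalgs and check_server are hypothetical, the sample lines are constructed, and the colon-separated NAME+HASH format is assumed from the grep in the post.

```shell
#!/bin/sh
# Constructed sample lines (not captured from a real server).
SAMPLE_WITH_SHA1='Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:RSA+SHA1'
SAMPLE_WITHOUT_SHA1='Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA1'
SAMPLE_NO_REQUEST='No client certificate CA names sent'

# classify_sigalgs: read s_client output on stdin and print one of
#   offered       RSA+SHA1 is in the server's requested list
#   not-offered   the list is present but lacks RSA+SHA1 (the condition in the post)
#   inconclusive  no "Requested Signature Algorithms" line was printed at all
classify_sigalgs() {
    line=$(grep '^Requested Signature Algorithms' | head -n 1)
    if [ -z "$line" ]; then
        echo inconclusive
        return 0
    fi
    # Drop the label, split on ':' and compare whole tokens, so that
    # ECDSA+SHA1 or RSA+SHA256 is never mistaken for RSA+SHA1.
    if printf '%s\n' "${line#*:}" | tr -d ' \r' | tr ':' '\n' | grep -qxF 'RSA+SHA1'; then
        echo offered
    else
        echo not-offered
    fi
}

# check_server HOST [PORT]: run the command from the post against a live
# server and classify the result. Defined here but not called, so the
# script runs offline.
check_server() {
    echo "" | openssl s_client -connect "$1" -port "${2:-27017}" -tls1_2 2>&1 | classify_sigalgs
}

# Demonstrate on the constructed samples.
for sample in "$SAMPLE_WITH_SHA1" "$SAMPLE_WITHOUT_SHA1" "$SAMPLE_NO_REQUEST"; do
    printf '%s\n' "$sample" | classify_sigalgs
done
```

A "not-offered" result only satisfies the server-side condition; the other conditions in the list above still have to hold for the driver to be affected.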