Core Server / SERVER-11246

C++ driver allows CRLFile to be set without CAFile


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.5.5
    • Component/s: Security
    • Operating System: ALL
    • Steps To Reproduce:

      1. Start up mongod like this:

      mongod --sslMode sslOnly --sslPEMKeyFile jstests/libs/client_revoked.pem --sslCAFile jstests/libs/ca.pem

      2. You cannot connect with mongo if you use sslCAFile:

      mongo --ssl --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl_client_revoked.pem
      2013-10-17T18:33:31.970+0000 ssl imported 1 revoked certificate from the revocation list.
      MongoDB shell version: 2.5.3-pre-
      connecting to: 127.0.0.1:20000/test
      2013-10-17T18:33:32.000+0000 ERROR: SSL peer certificate validation failed:certificate revoked
      2013-10-17T18:33:32.001+0000 Error: socket exception [CONNECT_ERROR] for  at src/mongo/shell/mongo.js:148
      exception: connect failed

      3. If you don't specify sslCAFile, you can connect:

      mongo --ssl --sslCRLFile jstests/libs/crl_client_revoked.pem --sslPEMKeyFile jstests/libs/server.pem
      2013-10-17T18:34:09.707+0000 ssl imported 1 revoked certificate from the revocation list.
      MongoDB shell version: 2.5.3-pre-
      connecting to: 127.0.0.1:20000/test
      Server has startup warnings:
      2013-10-17T18:33:21.151+0000 [initandlisten]
      2013-10-17T18:33:21.151+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
      2013-10-17T18:33:21.151+0000 [initandlisten] **       Not recommended for production.
      2013-10-17T18:33:21.151+0000 [initandlisten]
      2013-10-17T18:33:21.151+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
      2013-10-17T18:33:21.151+0000 [initandlisten]
      >


      Description

      It is possible to connect to a mongod (and probably mongos) whose sslPEMKeyFile is in the client's CRL if the client doesn't specify sslCAFile. I would expect that the client not be able to connect, and a message would be displayed similar to the one that displays if you do specify sslCAFile. Interestingly, if you try to do this in reverse (don't specify sslCAFile on the server but give it a CRL), mongod displays:

      Error storing command line: BadValue need sslCAFile with sslCRLFile

      This behavior should be part of client programs, too.
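The check the report asks for, written out here as an added C++ illustration rather than code from the driver or from mongod: a hypothetical parser for the --ssl, --sslPEMKeyFile, --sslCAFile and --sslCRLFile flags used above, followed by a validation step that rejects a CRL without a CA file with the same message mongod prints. The struct and function names are assumptions made for this example; the argument lists are constructed to mirror steps 2 and 3.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical subset of the shell/driver TLS options, named after the
// flags in the report. Not the driver's own option struct.
struct SSLClientOptions {
    bool ssl = false;        // --ssl
    std::string pemKeyFile;  // --sslPEMKeyFile
    std::string caFile;      // --sslCAFile
    std::string crlFile;     // --sslCRLFile
};

// Status-like result: ok == true, or ok == false with the error text.
struct ValidationResult {
    bool ok;
    std::string message;
};

// Minimal flag parser for the options above (illustrative; unknown flags
// are ignored, a value-taking flag without a value is a usage error).
SSLClientOptions parseSSLClientOptions(const std::vector<std::string>& args) {
    SSLClientOptions opts;
    for (size_t i = 0; i < args.size(); ++i) {
        const std::string& arg = args[i];
        if (arg == "--ssl") {
            opts.ssl = true;
            continue;
        }
        if (arg == "--sslPEMKeyFile" || arg == "--sslCAFile" || arg == "--sslCRLFile") {
            if (i + 1 >= args.size()) {
                throw std::invalid_argument(arg + " requires a file path");
            }
            const std::string& value = args[++i];
            if (arg == "--sslPEMKeyFile") opts.pemKeyFile = value;
            else if (arg == "--sslCAFile") opts.caFile = value;
            else opts.crlFile = value;
        }
    }
    return opts;
}

// A CRL is only consulted while a peer certificate chain is being verified
// against a trusted CA. With no CA file there is no chain verification, so
// the CRL is loaded and then never used, which is how the revoked server
// certificate in step 3 was accepted. Reject the combination up front, the
// way mongod does for its own command line.
ValidationResult validateSSLClientOptions(const SSLClientOptions& opts) {
    if (!opts.crlFile.empty() && opts.caFile.empty()) {
        return {false, "BadValue need sslCAFile with sslCRLFile"};
    }
    return {true, ""};
}

// True when the client has a trust anchor and will verify the server's chain.
bool peerVerificationEnabled(const SSLClientOptions& opts) {
    return opts.ssl && !opts.caFile.empty();
}

int main() {
    // Constructed argument lists mirroring steps 2 and 3 of the report.
    const std::vector<std::string> withCA = {
        "--ssl", "--sslPEMKeyFile", "jstests/libs/server.pem",
        "--sslCAFile", "jstests/libs/ca.pem",
        "--sslCRLFile", "jstests/libs/crl_client_revoked.pem"};
    const std::vector<std::string> withoutCA = {
        "--ssl", "--sslCRLFile", "jstests/libs/crl_client_revoked.pem",
        "--sslPEMKeyFile", "jstests/libs/server.pem"};

    for (const auto* argv : {&withCA, &withoutCA}) {
        SSLClientOptions opts = parseSSLClientOptions(*argv);
        ValidationResult r = validateSSLClientOptions(opts);
        std::cout << (r.ok ? std::string("ok")
                           : "Error storing command line: " + r.message)
                  << " (peer verification "
                  << (peerVerificationEnabled(opts) ? "on" : "off") << ")\n";
    }
    return 0;
}
```

The second list is the step-3 command line and is rejected before any socket is opened; the first passes validation and, because a CA is present, the revoked server certificate is caught during chain verification as in step 2.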

    People

    Assignee: Shaun Verch (sverch)
    Reporter: Luke Lovett (luke.lovett)
    Votes: 0
    Watchers: 5