Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Done
Priority: Minor - P4
Fix Version/s: 2.5.5
Affects Version/s: None
Component/s: Security
Labels:
- 26qa

Operating System:
ALL
Steps To Reproduce:
Hide

1. Start up mongod like this:

mongod --sslMode sslOnly --sslPEMKeyFile jstests/libs/client_revoked.pem --sslCAFile jstests/libs/ca.pem

2. You cannot connect with mongo if you use sslCAFile:

mongo --ssl --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl_client_revoked.pem 2013-10-17T18:33:31.970+0000 ssl imported 1 revoked certificate from the revocation list. MongoDB shell version: 2.5.3-pre- connecting to: 127.0.0.1:20000/test 2013-10-17T18:33:32.000+0000 ERROR: SSL peer certificate validation failed:certificate revoked 2013-10-17T18:33:32.001+0000 Error: socket exception [CONNECT_ERROR] for at src/mongo/shell/mongo.js:148 exception: connect failed

3. If you don't specify sslCAFile, you can connect:

mongo --ssl --sslCRLFile jstests/libs/crl_client_revoked.pem --sslPEMKeyFile jstests/libs/server.pem 2013-10-17T18:34:09.707+0000 ssl imported 1 revoked certificate from the revocation list. MongoDB shell version: 2.5.3-pre- connecting to: 127.0.0.1:20000/test Server has startup warnings: 2013-10-17T18:33:21.151+0000 [initandlisten] 2013-10-17T18:33:21.151+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB. 2013-10-17T18:33:21.151+0000 [initandlisten] ** Not recommended for production. 2013-10-17T18:33:21.151+0000 [initandlisten] 2013-10-17T18:33:21.151+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000 2013-10-17T18:33:21.151+0000 [initandlisten] >
Show
1. Start up mongod like this: mongod --sslMode sslOnly --sslPEMKeyFile jstests/libs/client_revoked.pem --sslCAFile jstests/libs/ca.pem 2. You cannot connect with mongo if you use sslCAFile: mongo --ssl --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl_client_revoked.pem 2013-10-17T18:33:31.970+0000 ssl imported 1 revoked certificate from the revocation list. MongoDB shell version: 2.5.3-pre- connecting to: 127.0.0.1:20000/test 2013-10-17T18:33:32.000+0000 ERROR: SSL peer certificate validation failed:certificate revoked 2013-10-17T18:33:32.001+0000 Error: socket exception [CONNECT_ERROR] for at src/mongo/shell/mongo.js:148 exception: connect failed 3. If you don't specify sslCAFile, you can connect: mongo --ssl --sslCRLFile jstests/libs/crl_client_revoked.pem --sslPEMKeyFile jstests/libs/server.pem 2013-10-17T18:34:09.707+0000 ssl imported 1 revoked certificate from the revocation list. MongoDB shell version: 2.5.3-pre- connecting to: 127.0.0.1:20000/test Server has startup warnings: 2013-10-17T18:33:21.151+0000 [initandlisten] 2013-10-17T18:33:21.151+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB. 2013-10-17T18:33:21.151+0000 [initandlisten] ** Not recommended for production. 2013-10-17T18:33:21.151+0000 [initandlisten] 2013-10-17T18:33:21.151+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000 2013-10-17T18:33:21.151+0000 [initandlisten] >
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

It is possible to connect to a mongod (and probably mongos) whose sslPEMKeyFile is in the client's CRL if the client doesn't specify sslCAFile. I would expect that the client not be able to connect, and a message would be displayed similar to the one that displays if you do specify sslCAFile. Interestingly, if you try to do this in reverse (don't specify sslCAFile on the server but give it a CRL), mongod displays:

Error storing command line: BadValue need sslCAFile with sslCRLFile

This behavior should be part of client programs, too.

Assignee:: Shaun Verch (Inactive)

Reporter:: Luke Lovett (Inactive)

Participants:: Eric Milkie, Githook User, Luke Lovett, Shaun Verch

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: Oct 17 2013 06:38:30 PM UTC

Updated:: Jul 11 2016 05:38:38 PM UTC

Resolved:: Nov 19 2013 03:43:02 PM UTC

Details

Description

Attachments

Activity

People

Dates