Priority: Major - P3
Affects Version/s: 2.4.0-rc0
Fix Version/s: 2.4.0-rc0
Steps To Reproduce:
Have not figured out how to reproduce it using the mongo shell as it presents the credentials correctly. I've added a link to the node.js test that should break but does not. Ping me if you need help setting it up.Have not figured out how to reproduce it using the mongo shell as it presents the credentials correctly. I've added a link to the node.js test that should break but does not. Ping me if you need help setting it up. https://github.com/mongodb/node-mongodb-native/blob/sslValidation/test/auxilliary/ssl/ssl_present_certificate_test.js#L41
Right now if you don't provide the --sslForceCertificateValidation flag the drivers can connect to the server without presenting a valid client certificate. This is a bad default as it can cause misconfiguration of the server making clients believe that they are validating certificates when in fact they are not unless they provide the --sslForceCertificateValidation flag.
I propose you get rid of the --sslForceCertificateValidation set validation as default if you provide a certificate store and add a new flag called
This makes the action of lowering the security level a user explicit decision and the default is the strongest possible validation.
The stuff under here is from when I discovered the behavior
Running the mongod instance with the following parameters
mongod --noprealloc --smallfiles --dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 --port 27017 --journal --sslOnNormalPorts --sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem --sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem --sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem
When providing key and cert in node.js (as needed in node.js) the server responds with.
Thu Jan 17 15:48:29.545 [initandlisten] connection accepted from 127.0.0.1:59572 #2 (1 connection now open)
Thu Jan 17 15:48:29.555 [conn2] end connection 127.0.0.1:59572 (0 connections now open)
in log which is as expected but if I only provide the cert
Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)
Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer
Thu Jan 17 15:49:23.048 [conn3] end connection 127.0.0.1:59573 (0 connections now open)
But socket stays open and operations are executed correctly against the db