Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-85910

Setting allowConnectionsWithoutCertificates is ignored

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Works as Designed
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 7.0.5
    • Component/s: None
    • Labels:
    • ALL
    • Security 2024-02-05, Security 2024-02-19

      I have setup a stand-alone mongod like this:

       

      net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: mongo.server.pem
    CAFile: mongo-ca.cer
    allowConnectionsWithoutCertificates: false
    allowInvalidCertificates: false

security:
  authorization: enabled

       

      Documentation says:

      • For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.
      • For clients that present a certificate, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.

       

      However, the behavior is different.

      If I don't provide a client certificate, then the connection is rejected (instead of encrypts the TLS/SSL connection, assuming the connection is successfully made):

      mongosh "mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8afb4924b39f4ec3b77f5
Connecting to:          mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
MongoServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed

      If I provide an invalid client certificate, then the connection is successful (instead of reject clients):

      openssl verify -CAfile mongo-ca.cer mongo.client-bad.pem
CN = admin
error 20 at 0 depth lookup: unable to get local issuer certificate
error mongo.client-bad.pem: verification failed


mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8b0987645903dc9cc5ecd
Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB:          7.0.5
Using Mongosh:          2.1.1

test> db.getMongo()
mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1

      If the client provides a valid certificate, then of course everything is working fine and as expected:

      openssl verify -CAfile mongo-ca.cer mongo.client.pem
mongo.client.pem: OK

openssl verify -CAfile mongo-ca.cer mongo.server.pem
mongo.server.pem: OK


mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8b213027a4c163908974c
Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB:          7.0.5
Using Mongosh:          2.1.1

test> db.getMongo()
mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1

      Tested in Windows 10 environment.

       

       

       

       

        1. mongo.client.pem
          5 kB
        2. mongo.client-bad.pem
          5 kB
        3. mongo.server.pem
          5 kB
        4. mongo-ca.cer
          4 kB

            Assignee:
            brad.moore@mongodb.com Brad Moore
            Reporter:
            wernfried.domscheit@sunrise.net Wernfried Domscheit
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: