Description
I have set up a stand-alone mongod like this:

    net:
      port: 27017
      bindIpAll: true
      tls:
        mode: requireTLS
        certificateKeyFile: mongo.server.pem
        CAFile: mongo-ca.cer
        allowConnectionsWithoutCertificates: false
        allowInvalidCertificates: false

    security:
      authorization: enabled

Documentation says:
- For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.
- For clients that present a certificate, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.
However, the behavior is different.
If I don't provide a client certificate, then the connection is rejected (instead of encrypting the TLS/SSL connection, assuming the connection is successfully made):
    mongosh "mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer"
    Current Mongosh Log ID: 65b8afb4924b39f4ec3b77f5
    Connecting to:          mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
    MongoServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed

If I provide an invalid client certificate, then the connection is successful (instead of rejecting clients with invalid certificates):
    openssl verify -CAfile mongo-ca.cer mongo.client-bad.pem
    CN = admin
    error 20 at 0 depth lookup: unable to get local issuer certificate
    error mongo.client-bad.pem: verification failed

    mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer"
    Current Mongosh Log ID: 65b8b0987645903dc9cc5ecd
    Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
    Using MongoDB:          7.0.5
    Using Mongosh:          2.1.1

    test> db.getMongo()
    mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1

If the client provides a valid certificate, then of course everything is working fine and as expected:

    openssl verify -CAfile mongo-ca.cer mongo.client.pem
    mongo.client.pem: OK

    openssl verify -CAfile mongo-ca.cer mongo.server.pem
    mongo.server.pem: OK

    mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer"
    Current Mongosh Log ID: 65b8b213027a4c163908974c
    Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
    Using MongoDB:          7.0.5
    Using Mongosh:          2.1.1

    test> db.getMongo()
    mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1

Tested in a Windows 10 environment.
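A probe harness, added here and not part of the report or of MongoDB, that repeats the three checks above with only the Python standard library, so the outcome at the TLS layer can be observed without going through mongosh. It assumes the host, port and file names from the report, and that mongod closes a rejected session right after the handshake (which is how the "connection closed" error above surfaced).

```python
import socket
import ssl

# Values from the report; the three client-certificate scenarios it exercises.
HOST, PORT = "localhost", 27017
CA_FILE = "mongo-ca.cer"
CLIENT_CERTS = {
    "no-cert": None,                     # mongosh run without tlsCertificateKeyFile
    "bad-cert": "mongo.client-bad.pem",  # fails `openssl verify` against the CA
    "good-cert": "mongo.client.pem",     # verifies OK against the CA
}

# What the quoted documentation led the reporter to expect, and what was seen.
EXPECTED = {"no-cert": "accepted", "bad-cert": "rejected", "good-cert": "accepted"}
OBSERVED = {"no-cert": "rejected", "bad-cert": "accepted", "good-cert": "accepted"}


def probe(host, port, cafile, certfile=None, timeout=5.0):
    """Handshake with mongod; return 'accepted', 'rejected' or 'error:<type>'.

    Server-certificate and hostname checks stay on, as in the mongosh runs.
    Assumption: a rejected client sees the session closed right after the
    handshake (recv returns b''); a read that merely times out means the
    session is open and mongod is waiting for the first wire message.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                try:
                    return "rejected" if tls.recv(1) == b"" else "accepted"
                except socket.timeout:
                    return "accepted"
    except ssl.SSLError:
        return "rejected"          # TLS alert during or right after the handshake
    except OSError as exc:
        return f"error:{type(exc).__name__}"


def mismatches(expected, observed):
    """Scenarios whose observed outcome differs from the expected one."""
    return sorted((s, expected[s], observed[s])
                  for s in expected if observed.get(s) != expected[s])


if __name__ == "__main__":
    results = {s: probe(HOST, PORT, CA_FILE, c) for s, c in CLIENT_CERTS.items()}
    for scenario, exp, got in mismatches(EXPECTED, results):
        print(f"{scenario}: expected {exp}, got {got}")
```

Run it against the mongod from the report and compare its output with the two mismatches the report documents; a clean run lists nothing.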
Issue Links
- related to: DOCS-16619 [Server] Clarify scope of parameters allowInvalidCertificates and allowInvalidHostnames (Closed)