Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-8662

SSL password obfuscation indicates password length

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Won't Fix
    • Priority: Icon: Minor - P4 Minor - P4
    • None
    • Affects Version/s: None
    • Component/s: Security
    • ALL
    • Hide

      openssl req -new -x509 -days 365 -nodes -out mongodb-cert.pem -passout pass:foo -keyout mongodb-cert.key

      $ ps | grep mongo
      21132 0.9 0.9 4461600 38468 s002 S+ 4:17PM 0:00.16 /Users/breinero/git/mongo/mongod --sslOnNormalPorts --sslPEMKeyFile /Users/breinero/qatest/mongo.pem --sslPEMKeyPassword xxx

      Show
      openssl req -new -x509 -days 365 -nodes -out mongodb-cert.pem -passout pass:foo -keyout mongodb-cert.key $ ps | grep mongo 21132 0.9 0.9 4461600 38468 s002 S+ 4:17PM 0:00.16 /Users/breinero/git/mongo/mongod --sslOnNormalPorts --sslPEMKeyFile /Users/breinero/qatest/mongo.pem --sslPEMKeyPassword xxx

      Mongod obfuscates the command line so that the ssl key password is overwritten with 'x's but the number of 'x's indicate the length of the password. A single 'x' would be preferable regardless of actual password length.

            Assignee:
            Unassigned Unassigned
            Reporter:
            bryan.reinero Bryan Reinero
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated:
              Resolved: