Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-8708

mongod shouldn't start with a revoked cert where crl specifed

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor - P4
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: Backlog
    • Component/s: Security
    • Labels:
      None
    • Sprint:
      Security 2020-04-20, Security 2020-05-04

      Description

      Start mongod with ssl, crl file and revoked cert. Shouldn't start.

      ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongod --dbpath ./data/ --sslOnNormalPorts --sslPEMKeyFile ../sslCA/revoked_gregor.pem  --replSet rs1 --smallfiles --sslCRLFile=../sslCA/crl/crl.pem 
      Mon Feb 25 15:16:53.215 [initandlisten] MongoDB starting : pid=8961 port=27017 dbpath=./data/ 64-bit host=ip-10-36-133-56
      Mon Feb 25 15:16:53.216 [initandlisten] db version v2.4.0-rc0, pdfile version 4.5
      Mon Feb 25 15:16:53.216 [initandlisten] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
      Mon Feb 25 15:16:53.216 [initandlisten] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
      Mon Feb 25 15:16:53.216 [initandlisten] allocator: tcmalloc
      Mon Feb 25 15:16:53.216 [initandlisten] options: { dbpath: "./data/", replSet: "rs1", smallfiles: true, sslCRLFile: "../sslCA/crl/crl.pem", sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/revoked_gregor.pem" }
      Mon Feb 25 15:16:53.225 [initandlisten] journal dir=./data/journal
      Mon Feb 25 15:16:53.225 [initandlisten] recover : no journal files present, no recovery needed
      Mon Feb 25 15:16:53.240 [initandlisten] ssl imported 1 revoked certificate from the revocation list.
      Mon Feb 25 15:16:53.241 [initandlisten] waiting for connections on port 27017 ssl
      Mon Feb 25 15:16:53.242 [websvr] ssl imported 1 revoked certificate from the revocation list.
      Mon Feb 25 15:16:53.242 [websvr] admin web console waiting for connections on port 28017 ssl
      Mon Feb 25 15:16:53.245 [rsStart] replSet I am ip-10-36-133-56:27017
      Mon Feb 25 15:16:53.245 [rsStart] replSet STARTUP2
      Mon Feb 25 15:16:54.247 [rsSync] replSet SECONDARY
      Mon Feb 25 15:16:54.247 [rsMgr] replSet info electSelf 0
      Mon Feb 25 15:16:55.246 [rsMgr] replSet PRIMARY
      Mon Feb 25 15:17:35.210 [initandlisten] connection accepted from 127.0.0.1:54958 #1 (1 connection now open)
      

        Attachments

        1. crl.pem
          0.5 kB
        2. revoked_gregor.pem
          4 kB

          Issue Links

            Activity

              People

              Assignee:
              backlog-server-security Backlog - Security Team
              Reporter:
              gregor Gregor Macadam
              Participants:
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Dates

                Created:
                Updated: