Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-1621

mongodump 3.4 attempts to validate the server's cert if the sslCAFile option is not used



    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Works as Designed
    • 3.4.0
    • None
    • mongodump
    • None


      It was noticed that mongodump that is shipped with MongoDB v3.4 (tested 3.4.0 and 3.4.2) attempts to validate the server's certificate if --sslCAFile option is not used:

      dmitry@mubuntu:/data$ ~/mongodump340 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      2017-02-27T11:51:19.392+1100	Failed: error connecting to db server: no reachable servers, openssl error: SSL errors: SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

      For comparison, mongodump that comes with MongoDB 3.2 works just fine:

      dmitry@mubuntu:/data$ ~/mongodump32 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      2017-02-27T11:55:59.043+1100	writing admin.system.users to
      2017-02-27T11:55:59.045+1100	done dumping admin.system.users (3 documents)
      2017-02-27T11:55:59.047+1100	writing admin.system.roles to
      2017-02-27T11:55:59.049+1100	done dumping admin.system.roles (1 document)
      2017-02-27T11:55:59.049+1100	writing admin.system.version to
      2017-02-27T11:55:59.051+1100	done dumping admin.system.version (1 document)
      2017-02-27T11:55:59.053+1100	writing admin.reviews to
      2017-02-27T11:55:59.055+1100	writing test.t1 to
      2017-02-27T11:55:59.055+1100	writing admin.blog to
      2017-02-27T11:55:59.057+1100	done dumping admin.reviews (0 documents)
      2017-02-27T11:55:59.065+1100	done dumping test.t1 (1 document)
      2017-02-27T11:55:59.077+1100	done dumping admin.blog (0 documents)

      To clarify, the documentation for both MongoDB 3.2 and 3.4 does say that without --sslCAFile mongodump will not attempt to validate the server's certificate:

      For SSL connections (--ssl) to mongod and mongos, if the mongodump runs without the --sslCAFile, mongodump will not attempt to validate the server certificates.

      From that mongodump v3.4 does not behave correctly. Should this change in behaviour be expected, that needs to be reflected in the documentation. If that case please move the ticket into the DOCS project.

      The workaround is to either specify a proper CA file with -sslCAFile or disable certificate validation explicitly with -sslAllowInvalidCertificates.


        Issue Links



              gabriel.russell@mongodb.com Gabriel Russell (Inactive)
              dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
              0 Vote for this issue
              3 Start watching this issue