Uploaded image for project: 'MongoDB ETL Tools'
  1. MongoDB ETL Tools
  2. TOOLS-1621

mongodump 3.4 attempts to validate the server's cert if the sslCAFile option is not used

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Works as Designed
    • Affects Version/s: 3.4.0
    • Fix Version/s: None
    • Component/s: mongodump
    • Labels:
      None

      Description

      It was noticed that mongodump that is shipped with MongoDB v3.4 (tested 3.4.0 and 3.4.2) attempts to validate the server's certificate if --sslCAFile option is not used:

      dmitry@mubuntu:/data$ ~/mongodump340 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      2017-02-27T11:51:19.392+1100	Failed: error connecting to db server: no reachable servers, openssl error: SSL errors: SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      

      For comparison, mongodump that comes with MongoDB 3.2 works just fine:

      dmitry@mubuntu:/data$ ~/mongodump32 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      2017-02-27T11:55:59.043+1100	writing admin.system.users to
      2017-02-27T11:55:59.045+1100	done dumping admin.system.users (3 documents)
      2017-02-27T11:55:59.047+1100	writing admin.system.roles to
      2017-02-27T11:55:59.049+1100	done dumping admin.system.roles (1 document)
      2017-02-27T11:55:59.049+1100	writing admin.system.version to
      2017-02-27T11:55:59.051+1100	done dumping admin.system.version (1 document)
      2017-02-27T11:55:59.053+1100	writing admin.reviews to
      2017-02-27T11:55:59.055+1100	writing test.t1 to
      2017-02-27T11:55:59.055+1100	writing admin.blog to
      2017-02-27T11:55:59.057+1100	done dumping admin.reviews (0 documents)
      2017-02-27T11:55:59.065+1100	done dumping test.t1 (1 document)
      2017-02-27T11:55:59.077+1100	done dumping admin.blog (0 documents)
      

      To clarify, the documentation for both MongoDB 3.2 and 3.4 does say that without --sslCAFile mongodump will not attempt to validate the server's certificate:

      WARNING
      For SSL connections (--ssl) to mongod and mongos, if the mongodump runs without the --sslCAFile, mongodump will not attempt to validate the server certificates.

      From that mongodump v3.4 does not behave correctly. Should this change in behaviour be expected, that needs to be reflected in the documentation. If that case please move the ticket into the DOCS project.

      The workaround is to either specify a proper CA file with -sslCAFile or disable certificate validation explicitly with -sslAllowInvalidCertificates.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                gabriel.russell Gabriel Russell
                Reporter:
                dmitry.ryabtsev Dmitry Ryabtsev
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: