  1. MongoDB Database Tools
  2. TOOLS-1621

mongodump 3.4 attempts to validate the server's cert if the sslCAFile option is not used

    • Type: Bug
    • Resolution: Works as Designed
    • Priority: Major - P3
    • Affects Version/s: 3.4.0
    • Component/s: mongodump
    • Labels: None

      It was noticed that the mongodump shipped with MongoDB v3.4 (tested 3.4.0 and 3.4.2) attempts to validate the server's certificate if the --sslCAFile option is not used:

      dmitry@mubuntu:/data$ ~/mongodump340 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      2017-02-27T11:51:19.392+1100	Failed: error connecting to db server: no reachable servers, openssl error: SSL errors: SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      

      For comparison, the mongodump that comes with MongoDB 3.2 works just fine:

      dmitry@mubuntu:/data$ ~/mongodump32 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      2017-02-27T11:55:59.043+1100	writing admin.system.users to
      2017-02-27T11:55:59.045+1100	done dumping admin.system.users (3 documents)
      2017-02-27T11:55:59.047+1100	writing admin.system.roles to
      2017-02-27T11:55:59.049+1100	done dumping admin.system.roles (1 document)
      2017-02-27T11:55:59.049+1100	writing admin.system.version to
      2017-02-27T11:55:59.051+1100	done dumping admin.system.version (1 document)
      2017-02-27T11:55:59.053+1100	writing admin.reviews to
      2017-02-27T11:55:59.055+1100	writing test.t1 to
      2017-02-27T11:55:59.055+1100	writing admin.blog to
      2017-02-27T11:55:59.057+1100	done dumping admin.reviews (0 documents)
      2017-02-27T11:55:59.065+1100	done dumping test.t1 (1 document)
      2017-02-27T11:55:59.077+1100	done dumping admin.blog (0 documents)
      

      To clarify, the documentation for both MongoDB 3.2 and 3.4 does say that without --sslCAFile mongodump will not attempt to validate the server's certificate:

      WARNING
      For SSL connections (--ssl) to mongod and mongos, if the mongodump runs without the --sslCAFile, mongodump will not attempt to validate the server certificates.

      From that, mongodump v3.4 does not behave correctly. Should this change in behaviour be expected, that needs to be reflected in the documentation. In that case, please move the ticket into the DOCS project.

      The workaround is to either specify a proper CA file with --sslCAFile or disable certificate validation explicitly with --sslAllowInvalidCertificates.

            Assignee:
            gabriel.russell@mongodb.com Gabriel Russell (Inactive)
            Reporter:
            dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
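
The failure mode reported above can be reproduced offline with the openssl CLI. This is an added example, not part of the original ticket or the MongoDB tools: it builds a constructed throwaway private CA and a server certificate, then verifies the certificate once against the default trust store and once with the issuing CA supplied. It assumes that a client given no CA file falls back to the platform's default trust store; the function names and the "Demo Private CA" subject are hypothetical.

```shell
#!/bin/sh
# Constructed demo PKI: a private CA and a server cert for CN=testhost3.
# All keys and certificates are throwaway and created in a temp directory.
make_demo_pki() {
    dir=$1
    # Self-signed private CA, standing in for whoever issued the mongod cert.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # Server key and CSR, then a certificate signed by the private CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=testhost3" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.pem" 2>/dev/null || return 1
}

# verifies CERT [CAFILE]
# Returns 0 if CERT chains to a trusted root. An empty CAFILE means "use the
# default trust store" (assumed equivalent of running without --sslCAFile);
# a non-empty CAFILE plays the role of --sslCAFile.
verifies() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$2" "$1" 2>&1) || :
    else
        out=$(openssl verify "$1" 2>&1) || :
    fi
    # Match on the output text; old openssl builds exit 0 even on failure.
    case $out in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

tmp=$(mktemp -d)
make_demo_pki "$tmp" || { echo "openssl could not build the demo PKI" >&2; exit 1; }
if verifies "$tmp/server.pem" ""; then
    echo "default trust store: verified"
else
    echo "default trust store: certificate verify failed"
fi
if verifies "$tmp/server.pem" "$tmp/ca.pem"; then
    echo "with issuing CA file: verified"
else
    echo "with issuing CA file: certificate verify failed"
fi
rm -rf "$tmp"
```

Running the same check against the real server certificate and the intended CA file before invoking mongodump confirms that --sslCAFile points at the right issuer, so validation does not need to be disabled.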