Uploaded image for project: 'MongoDB Database Tools'
  1. MongoDB Database Tools
  2. TOOLS-1621

mongodump 3.4 attempts to validate the server's cert if the sslCAFile option is not used

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major - P3
    • Resolution: Works as Designed
    • 3.4.0
    • None
    • mongodump
    • None

    Description

      It was noticed that mongodump that is shipped with MongoDB v3.4 (tested 3.4.0 and 3.4.2) attempts to validate the server's certificate if --sslCAFile option is not used:

      dmitry@mubuntu:/data$ ~/mongodump340 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      		 
      2017-02-27T11:51:19.392+1100	Failed: error connecting to db server: no reachable servers, openssl error: SSL errors: SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

      For comparison, mongodump that comes with MongoDB 3.2 works just fine:

      dmitry@mubuntu:/data$ ~/mongodump32 --host testhost3 --port 27001 --ssl --sslPEMKeyFile testhost3/testhost3.pem -u admin -p 123 --authenticationDatabase=admin
      		 
      2017-02-27T11:55:59.043+1100	writing admin.system.users to
      		 
      2017-02-27T11:55:59.045+1100	done dumping admin.system.users (3 documents)
      		 
      2017-02-27T11:55:59.047+1100	writing admin.system.roles to
      		 
      2017-02-27T11:55:59.049+1100	done dumping admin.system.roles (1 document)
      		 
      2017-02-27T11:55:59.049+1100	writing admin.system.version to
      		 
      2017-02-27T11:55:59.051+1100	done dumping admin.system.version (1 document)
      		 
      2017-02-27T11:55:59.053+1100	writing admin.reviews to
      		 
      2017-02-27T11:55:59.055+1100	writing test.t1 to
      		 
      2017-02-27T11:55:59.055+1100	writing admin.blog to
      		 
      2017-02-27T11:55:59.057+1100	done dumping admin.reviews (0 documents)
      		 
      2017-02-27T11:55:59.065+1100	done dumping test.t1 (1 document)
      		 
      2017-02-27T11:55:59.077+1100	done dumping admin.blog (0 documents)

      To clarify, the documentation for both MongoDB 3.2 and 3.4 does say that without --sslCAFile mongodump will not attempt to validate the server's certificate:

      WARNING
      For SSL connections (--ssl) to mongod and mongos, if the mongodump runs without the --sslCAFile, mongodump will not attempt to validate the server certificates.

      From that mongodump v3.4 does not behave correctly. Should this change in behaviour be expected, that needs to be reflected in the documentation. If that case please move the ticket into the DOCS project.

      The workaround is to either specify a proper CA file with -sslCAFile or disable certificate validation explicitly with -sslAllowInvalidCertificates.

      Attachments

        Issue Links

          related to

          Improvement - An improvement or enhancement to an existing feature or task. DOCS-9985 update tools docs to reflect changes to --sslCAFile functionality

          • Major - P3 - Major loss of function.
          • Closed

          Activity

            People

              gabriel.russell@mongodb.com Gabriel Russell (Inactive)
              dmitry.ryabtsev@mongodb.com Dmitry Ryabtsev
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: