MongoDB Database Tools / TOOLS-2587

sslAllowInvalidHostnames bypasses SSL/TLS server certificate validation entirely


    Details

    • Type: Task
    • Status: In Code Review
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: 100.2.0
    • Component/s: All Tools
    • Labels:
      None
    • Case:
    • Backport Requested:
      v4.2, v4.0, v3.6, v3.4, v3.2
    • Documentation Changes:
      Needed
    • Documentation Changes Summary:
      In all Mongo-tools doc, note that sslAllowInvalidHostnames and sslAllowInvalidCertificates are deprecated, and describe the problematic behavior in the ticket.

      Description

      The documentation describes --sslAllowInvalidHostnames as follows:

      Disables the validation of the hostnames in TLS/SSL certificates. Allows mongodump to connect to MongoDB instances even if the hostname in their certificates does not match the specified hostname.

      However, our implementation treats it the same as SSLAllowInvalidCert, which bypasses the validation checks for server certificates entirely and allows the use of an invalid certificate.

      https://github.com/mongodb/mongo-tools-common/blob/447a935858a70d71d22b02fa9ae67e19565d66c9/db/db.go#L459

      if opts.SSLAllowInvalidCert || opts.SSLAllowInvalidHost {
          tlsConfig.InsecureSkipVerify = true
      }

      This behavior confuses users and contradicts the documentation: a user who only intended to tolerate a hostname mismatch is in fact accepting any certificate the server presents.

      I believe this problem exists in all the tools and mongomirror.

      After some research into the issue, I found there is no setting to ignore hostname validation in tlsConfig, so it's not possible to fix this from the tools library. The Mongo Go driver needs to introduce a new flag in ClientOptions.

      The implementation approach can be found at https://github.com/golang/go/issues/21971


              People

              Assignee:
              huan.li Huan Li
              Reporter:
              huan.li Huan Li
              Reviewers:
              Matthew Chiaravalloti, Ryan Chipman, Tim Fogarty
              Votes:
              1
              Watchers:
              11
