[SERVER-11107] By default, mongod should not start with an expired or invalid server certificate Created: 09/Oct/13 Updated: 27/Oct/15 Resolved: 17/Jul/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.7.4 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Luke Lovett | Assignee: | Melissa O'Sullivan |
| Resolution: | Done | Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | I started mongod like this:
and connect to it with a mongo shell (there are no startup warnings specifically about the expired certificate):
This is the log output from mongod during the process:
Commands I used to create the certificates:
|
| Description |
|
MongoDB servers should refuse to start when launched with an expired SSL certificate. Further, there should be a command line option to override this behavior, which should simply put a warning in the startup log. |
| Comments |
| Comment by Andreas Nilsson [ 21/Oct/14 ] |
|
kmaley@paypal.com please file a ticket in the Commercial Support project or the MongoDB user group https://groups.google.com/forum/#!forum/mongodb-user Regards, |
| Comment by Kishore Maley [ 21/Oct/14 ] |
|
Can somebody tell me how to generate the cacert from the pfx file? |
| Comment by Githook User [ 08/Aug/14 ] |
|
Author: {u'username': u'melissaosullivan', u'name': u'melissaosullivan', u'email': u'melissakellyosullivan@gmail.com'} Message: Closes #734 Signed-off-by: Benety Goh <benety@mongodb.com> |
| Comment by Melissa O'Sullivan [ 17/Jul/14 ] |
|
A mongod with SSL will no longer start with an X.509 ticket that is expired or not yet valid. Also log messages warn if the certificate will expire in the next 30 days. |
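The startup policy described in this comment and in the ticket description, sketched as an added example (not code from the ticket or from MongoDB). It assumes the certificate dates are supplied as the text printed by `openssl x509 -noout -dates`; `startup_decision` and its `allow_invalid` override parameter are hypothetical names, and the sample dates are constructed.

```python
import ssl
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)  # warning window stated in the ticket


def parse_dates(openssl_output):
    """Parse the notBefore=/notAfter= lines of `openssl x509 -noout -dates`."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # Handles OpenSSL's "Mon DD HH:MM:SS YYYY GMT" timestamps.
            secs = ssl.cert_time_to_seconds(value)
            fields[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore and notAfter")
    return fields["notBefore"], fields["notAfter"]


def startup_decision(openssl_output, now, allow_invalid=False):
    """Return (may_start, log_line). allow_invalid is a hypothetical override."""
    not_before, not_after = parse_dates(openssl_output)
    if now < not_before:
        problem = f"certificate not valid until {not_before:%Y-%m-%d}"
    elif now > not_after:
        problem = f"certificate expired on {not_after:%Y-%m-%d}"
    else:
        days_left = (not_after - now).days
        if not_after - now <= WARN_WINDOW:
            return True, f"WARNING: certificate expires in {days_left} days"
        return True, "certificate validity window OK"
    if allow_invalid:
        # Override requested in the description: start, but leave a warning.
        return True, f"WARNING: {problem}; starting because override is set"
    return False, f"ERROR: {problem}; refusing to start"


# Constructed sample input, not taken from the ticket.
SAMPLE = """notBefore=Oct  1 00:00:00 2013 GMT
notAfter=Oct  8 00:00:00 2013 GMT"""

if __name__ == "__main__":
    for now in (datetime(2013, 9, 30, tzinfo=timezone.utc),
                datetime(2013, 10, 5, tzinfo=timezone.utc),
                datetime(2013, 10, 9, tzinfo=timezone.utc)):
        print(now.date(), startup_decision(SAMPLE, now))
```
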
| Comment by Githook User [ 17/Jul/14 ] |
|
Author: {u'username': u'melissaosullivan', u'name': u'melissaosullivan', u'email': u'melissakellyosullivan@gmail.com'} Message: Closes #712 |
| Comment by Andreas Nilsson [ 21/Oct/13 ] |
|
milkie is right, verifying a random certificate using OpenSSL is a pretty messy business. Lots of undocumented API calls happening, essentially we need to mimic what OpenSSL does internally. This piece of code allegedly does this but it's pretty complex for the actual task. Is it worth it? |
| Comment by Andy Schwerin [ 15/Oct/13 ] |
|
andreas.nilsson@10gen.com, yes, I do. Organizations screw up, and fail to get new certs issued in time for cutover. If it weren't for the huge number of options, I'd actually let the drivers be configured to accept expired certs from matching host names, for those situations, rather than just ignoring validity. |
| Comment by Andreas Nilsson [ 15/Oct/13 ] |
|
schwerin do we really want to add a flag to allow this behavior? |
| Comment by Andreas Nilsson [ 15/Oct/13 ] |
|
Chopping it up into different tickets sounds reasonable. This is somewhat related to performing hostname validation of the server cert. Maybe we should have a general for performing server-cert validation. https://jira.mongodb.org/browse/SERVER-10330 |
| Comment by Andy Schwerin [ 15/Oct/13 ] |
|
OK, I think there might be a couple of work items, here:
andreas.nilsson@10gen.com, if you agree, I'll break this up into 3 SERVER and 1 DRIVERS ticket. |
| Comment by Luke Lovett [ 09/Oct/13 ] |
|
Just updated this ticket with the mongo shell's output after connecting to the server using the expired certificate. |
| Comment by Eric Milkie [ 09/Oct/13 ] |
|
Someone asked about this for 2.4 and it actually turns out to be pretty hard to validate a server certificate using the OpenSSL API, without an actual SSL_connect/accept handshake. But I would still expect the mongo shell or other drivers to reject connecting to a server with an expired certificate. |
| Comment by Andy Schwerin [ 09/Oct/13 ] |
|
I think mongod should warn about the expired certificate at startup, but it's the client's job to care. |