[SERVER-11107] By default, mongod should not start with an expired or invalid server certificate Created: 09/Oct/13  Updated: 27/Oct/15  Resolved: 17/Jul/14

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.7.4

Type: Bug Priority: Major - P3
Reporter: Luke Lovett Assignee: Melissa O'Sullivan
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: ca_377.pem, client_377.pem, openssl.cnf, server_expired.pem
Issue Links:
Related
related to SERVER-14713 mongo shell default ssl behavior Closed
related to SERVER-10330 Perform SSL server certificate valida... Closed
is related to SERVER-10961 Warn if a server certificate is about... Closed
is related to DOCS-4331 Document that mongod should not start... Closed
is related to SERVER-8700 Start mongo shell with expired cert -... Closed
Tested
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

I started mongod like this:

mongod --sslOnNormalPorts --sslPEMKeyFile libs/server_expired.pem --sslCAFile libs/ca_377.pem --smallfiles --nojournal --dbpath data/db

and connect to it with a mongo shell (there are no startup warnings specifically about the expired certificate):

mongo --ssl --sslPEMKeyFile libs/client_377.pem
MongoDB shell version: 2.5.3-pre-
connecting to: test
Server has startup warnings:
2013-10-09T20:25:22.712+0000 [initandlisten]
2013-10-09T20:25:22.712+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-10-09T20:25:22.712+0000 [initandlisten] **       Not recommended for production.
2013-10-09T20:25:22.712+0000 [initandlisten]
2013-10-09T20:25:22.712+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
2013-10-09T20:25:22.712+0000 [initandlisten]
> 

This is the log output from mongod during the process:

2013-10-09T19:24:29.401+0000 [initandlisten] MongoDB starting : pid=16676 port=27017 dbpath=data/db 64-bit host=llmac
2013-10-09T19:24:29.401+0000 [initandlisten]
2013-10-09T19:24:29.401+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-10-09T19:24:29.401+0000 [initandlisten] **       Not recommended for production.
2013-10-09T19:24:29.401+0000 [initandlisten]
2013-10-09T19:24:29.401+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
2013-10-09T19:24:29.401+0000 [initandlisten]
2013-10-09T19:24:29.401+0000 [initandlisten] db version v2.5.3-pre-
2013-10-09T19:24:29.401+0000 [initandlisten] git version: c70a72b151fcfab26d0db5e8ceeb7c04a96ce449
2013-10-09T19:24:29.401+0000 [initandlisten] OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
2013-10-09T19:24:29.401+0000 [initandlisten] build info: Darwin llmac 12.5.0 Darwin Kernel Version 12.5.0: Mon Jul 29 16:33:49 PDT 2013; root:xnu-2050.48.11~1/RELEASE_X86_64 x86_64 BOOST_LIB_VERSION=1_49
2013-10-09T19:24:29.401+0000 [initandlisten] allocator: tcmalloc
2013-10-09T19:24:29.401+0000 [initandlisten] options: { dbpath: "data/db", nojournal: true, smallfiles: true, ssl: { CAFile: "libs/ca_377.pem", PEMKeyFile: "libs/server_expired.pem", sslOnNormalPorts: true } }
2013-10-09T19:24:29.407+0000 [initandlisten] waiting for connections on port 27017 ssl
2013-10-09T19:24:43.759+0000 [initandlisten] connection accepted from 127.0.0.1:49513 #1 (1 connection now open)
2013-10-09T19:25:29.396+0000 [clientcursormon] mem (MB) res:39 virt:2472
2013-10-09T19:25:29.396+0000 [clientcursormon]  mapped:32
2013-10-09T19:25:29.396+0000 [clientcursormon]  connections:1

Commands I used to create the certificates:

# Create CA
openssl req -new -nodes -x509 -days 365 -out testCA/cacert.pem -keyout testCA/private/cakey.pem -subj "/C=US/ST=California/L=Palo Alto/O=MongoDB/OU=QA/CN=TEST-377-CA" -config openssl.cnf
cp testCA/cacert.pem libs/ca_377.pem
# Client certificate
openssl req -newkey rsa:1024 -nodes -sha1 -keyout testClient.key -keyform PEM -out testClient.req -outform PEM -subj "/C=US/ST=California/L=Palo Alto/O=MongoDB/OU=QAClient/CN=TEST-377-CLIENT"  -config openssl.cnf
openssl ca -in testClient.req -out testClient.crt -config openssl.cnf
cat testClient.crt testClient.key > libs/client_377.pem
# Server expired certificate
openssl req -newkey rsa:1024 -nodes -sha1 -keyout expiredServer.key -keyform PEM -out expiredServer.req -outform PEM -subj "/C=US/ST=California/L=Palo Alto/O=MongoDB/OU=QAServerExpired/CN=TEST-377-SERVER" -config openssl.cnf
openssl ca -in expiredServer.req -out expiredServer.crt -config openssl.cnf -startdate 120815080000Z -enddate 120815080100Z
cat expiredServer.crt expiredServer.key > libs/server_expired.pem

Participants:

Description

MongoDB servers should refuse to start when launched with an expired SSL certificate. Further, there should be a command line option to override this behavior, which should simply put a warning in the startup log.



Comments
Comment by Andreas Nilsson [ 21/Oct/14 ]

kmaley@paypal.com please file a ticket in the Commercial Support project or the MongoDB user group https://groups.google.com/forum/#!forum/mongodb-user

Regards,
Andreas

Comment by Kishore Maley [ 21/Oct/14 ]

can somebody tell me how to generate the cacert from the pfx file?

Comment by Githook User [ 08/Aug/14 ]

Author:

{u'username': u'melissaosullivan', u'name': u'melissaosullivan', u'email': u'melissakellyosullivan@gmail.com'}

Message: SERVER-11107 Server SSL certificate expiration date check tests

Closes #734

Signed-off-by: Benety Goh <benety@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/1b1842be9b0b4500eb00b110841eaed41003b742

Comment by Melissa O'Sullivan [ 17/Jul/14 ]

A mongod with SSL will no longer start with an X.509 ticket that is expired or not yet valid. Also log messages warn if the certificate will expire in the next 30 days.
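
The policy described in this comment (refuse to start on an expired or not-yet-valid certificate, warn when expiry is within 30 days) and the expired-certificate window from the reporter's `openssl ca -startdate/-enddate` command, as an added worked example that is not MongoDB's code. It walks the DER of a certificate only as far as the `Validity` field, so it needs no third-party library, and it works on a combined key+certificate PEM such as the one passed to `--sslPEMKeyFile`. The `make_skeleton_cert` helper, the `SAMPLES` dictionary and the fixed `NOW` reference time are constructed for the demonstration (the sample certificates carry no key or signature; only their field layout is real).

```python
"""Startup-style certificate validity check: reject when the certificate is expired or
not yet valid, warn when it expires within 30 days. Added example, not MongoDB code."""
import base64
import re
import sys
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)          # the 30-day warning horizon from the fix
UTC_TIME, GENERALIZED_TIME = 0x17, 0x18   # ASN.1 tags used for X.509 validity times


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """UTCTime is YYMMDDHHMMSSZ, GeneralizedTime is YYYYMMDDHHMMSSZ (both UTC in X.509)."""
    fmt = "%y%m%d%H%M%SZ" if tag == UTC_TIME else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def validity_window(cert_der):
    """Walk Certificate -> tbsCertificate -> Validity and return (notBefore, notAfter)."""
    _, cert_body, _ = _read_tlv(cert_der, 0)        # Certificate SEQUENCE
    _, fields, _ = _read_tlv(cert_body, 0)          # tbsCertificate SEQUENCE
    tag, _, pos = _read_tlv(fields, 0)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version precedes serialNumber
        _, _, pos = _read_tlv(fields, pos)          # serialNumber
    _, _, pos = _read_tlv(fields, pos)              # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(fields, pos)              # issuer Name
    _, validity, _ = _read_tlv(fields, pos)         # Validity SEQUENCE { notBefore, notAfter }
    t1, v1, pos = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, pos)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def check_certificate(cert_der, now):
    """Return (status, message): 'reject' outside the validity window, 'warn' inside the
    final WARN_WINDOW, 'ok' otherwise. A server would refuse to start on 'reject'."""
    not_before, not_after = validity_window(cert_der)
    if now < not_before:
        return "reject", f"certificate not valid until {not_before.isoformat()}"
    if now > not_after:
        return "reject", f"certificate expired on {not_after.isoformat()}"
    if not_after - now <= WARN_WINDOW:
        return "warn", f"certificate expires on {not_after.isoformat()}"
    return "ok", f"certificate valid until {not_after.isoformat()}"


def load_pem_certificate(pem_text):
    """Return the DER of the first CERTIFICATE block, so combined key+cert files work too."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def pem_from_der(cert_der):
    """Inverse of load_pem_certificate, used to round-trip the constructed samples."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- CONSTRUCTED sample input: no key, no signature; only the field layout is genuine ---
def _der(tag, content):
    n = len(content)
    header = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return header + content


def make_skeleton_cert(not_before, not_after):
    """Build a Certificate DER with the genuine field order up to Validity and dummy tail fields."""
    def utc(d):
        return _der(UTC_TIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, b"TEST-CA"))))
    tbs = (_der(0xA0, _der(0x02, b"\x02"))                                     # [0] version v3
           + _der(0x02, b"\x01")                                              # serialNumber
           + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))    # sha256WithRSAEncryption
           + name                                                             # issuer
           + _der(0x30, utc(not_before) + utc(not_after))                     # validity
           + name                                                             # subject
           + _der(0x30, b""))                                                 # SPKI placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def ts(*args):
    return datetime(*args, tzinfo=timezone.utc)


NOW = ts(2013, 10, 9, 20, 25, 22)   # reference time taken from the reporter's shell log
SAMPLES = {
    "expired": make_skeleton_cert(ts(2012, 8, 15, 8, 0, 0), ts(2012, 8, 15, 8, 1, 0)),  # window from the openssl ca command
    "not_yet_valid": make_skeleton_cert(ts(2014, 1, 1, 0, 0, 0), ts(2015, 1, 1, 0, 0, 0)),
    "expiring_soon": make_skeleton_cert(ts(2013, 1, 1, 0, 0, 0), ts(2013, 11, 1, 0, 0, 0)),
    "ok": make_skeleton_cert(ts(2013, 1, 1, 0, 0, 0), ts(2014, 10, 1, 0, 0, 0)),
}


def run_samples(now=NOW):
    """Status per constructed sample; the reference time is fixed so results are reproducible."""
    return {name: check_certificate(der, now)[0] for name, der in SAMPLES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # check a real PEM file, e.g. the mongod --sslPEMKeyFile
        with open(sys.argv[1]) as f:
            status, msg = check_certificate(load_pem_certificate(f.read()), datetime.now(timezone.utc))
        print(status, msg)
        sys.exit(1 if status == "reject" else 0)
    for name, der in SAMPLES.items():
        print(f"{name:14s}", *check_certificate(der, NOW))
```

Run without arguments to see the four constructed cases classified against the log's timestamp; run with a PEM path to check a real server certificate, exiting non-zero on `reject` so the check can gate a service start script. The check trusts the local clock, so a host with a badly skewed clock can accept or refuse a certificate incorrectly; the same caveat applies to any startup-time validity check.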

Comment by Githook User [ 17/Jul/14 ]

Author:

{u'username': u'melissaosullivan', u'name': u'melissaosullivan', u'email': u'melissakellyosullivan@gmail.com'}

Message: SERVER-11107 added ssl certificate expiration monitoring

Closes #712
Signed-off-by: Matt Kangas <matt.kangas@mongodb.com>
Branch: master
https://github.com/mongodb/mongo/commit/bc780e2e72f6862ac126f4eb5617cc58ef2657b4

Comment by Andreas Nilsson [ 21/Oct/13 ]

milkie is right, verifying a random certificate using OpenSSL is a pretty messy business. Lots of undocumented API calls happening, essentially we need to mimic what OpenSSL does internally.

This piece of code allegedly does this but it's pretty complex for the actual task. Is it worth it?

http://stackoverflow.com/questions/16291809/openssl-programatically-verify-certificate-chain-in-c-in-memory-certs

Comment by Andy Schwerin [ 15/Oct/13 ]

andreas.nilsson@10gen.com, yes, I do. Organizations screw up, and fail to get new certs issued in time for cutover. If it weren't for the huge number of options, I'd actually let the drivers be configured to accept expired certs from matching host names, for those situations, rather than just ignoring validity.

Comment by Andreas Nilsson [ 15/Oct/13 ]

schwerin do we really want to add a flag to allow this behavior?

Comment by Andreas Nilsson [ 15/Oct/13 ]

Chopping it up into different tickets sounds reasonable. This is somewhat related to performing hostname validation of the server cert. Maybe we should have a general for performing server-cert validation. https://jira.mongodb.org/browse/SERVER-10330

Comment by Andy Schwerin [ 15/Oct/13 ]

OK, I think there might be a couple of work items, here:

  1. MongoDB servers should at least warn, and probably fail to start if their certificate is not valid at the time they start up.
  2. The MongoDB shell should refuse to connect to servers with currently-invalid certificates
    • Unless the shell was configured to ignore the validity of the server certificate
  3. The C++ client should be similarly configurable.
  4. Other language drivers should be similarly configurable.

andreas.nilsson@10gen.com, if you agree, I'll break this up into 3 SERVER and 1 DRIVERS ticket.

Comment by Luke Lovett [ 09/Oct/13 ]

Just updated this ticket with the mongo shell's output after connecting to the server using the expired certificate.

Comment by Eric Milkie [ 09/Oct/13 ]

Someone asked about this for 2.4 and it actually turns out to be pretty hard to validate a server certificate using the OpenSSL API, without an actual SSL_connect/accept handshake. But I would still expect the mongo shell or other drivers to reject connecting to a server with an expired certificate.

Comment by Andy Schwerin [ 09/Oct/13 ]

I think mongod should warn about the expired certificate at startup, but it's the client's job to care.

Generated at Thu Feb 08 03:24:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.