[SERVER-11231] mongod started with sslOnNormalPorts but without weakCert allows shell to connect without PEM

| Field | Value |
|---|---|
| Created: | 17/Oct/13 |
| Updated: | 23/Oct/13 |
| Resolved: | 17/Oct/13 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 2.5.2 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Sridhar Nanjundeswaran |
| Assignee: | Andreas Nilsson |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | Windows 7 Enterprise Build on 2008 R2 |
| Operating System: | ALL |

Description
The mongo shell should not be able to connect to the server with just --ssl if the server does not specify sslWeakCertificateValidation.
Comments

Comment by Andreas Nilsson [ 17/Oct/13 ]

When a correct CA file is specified and weak validation is not turned on, a client certificate should be required. If this is not the case, then that is a bug introduced by including the sslMode parameter.

Comment by Sridhar Nanjundeswaran [ 17/Oct/13 ]

Same behavior seen with sslMode=sslOnly. Also confirmed that, when sslCAFile is specified, in both cases the shell cannot connect with just --ssl and no --sslPEMKeyFile.

Comment by Eric Milkie [ 17/Oct/13 ]

The server cannot check client certificate validity against a CA if you start the server with a self-signed certificate. If you want to require clients to present a certificate, you must start the server with --sslCAFile. |
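The rule the thread settles on (clients are only validated when the server has --sslCAFile and --sslWeakCertificateValidation is off) is easy to get wrong when reviewing a deployment, so here is an added audit helper that classifies a mongod command line accordingly. This is example code written for this page, not MongoDB's own; it only knows the 2.5.x-era flags named in the ticket, treats any --sslMode value as enabling SSL (an assumption), and the result strings are its own.

```python
import shlex

# Boolean switches and value-taking options from the ticket (2.5.x-era names).
SSL_FLAGS = {"--sslOnNormalPorts", "--sslWeakCertificateValidation"}
SSL_VALUE_OPTS = {"--sslMode", "--sslPEMKeyFile", "--sslCAFile"}


def parse_mongod_args(cmdline):
    """Return {option: value} for the SSL-related options on a mongod command line.

    Boolean switches map to True; both '--opt=value' and '--opt value' are accepted.
    """
    opts = {}
    toks = shlex.split(cmdline)
    i = 0
    while i < len(toks):
        name, eq, val = toks[i].partition("=")
        if name in SSL_FLAGS:
            opts[name] = True
        elif name in SSL_VALUE_OPTS:
            if not eq:  # value is the next token (empty if the line ends here)
                i += 1
                val = toks[i] if i < len(toks) else ""
            opts[name] = val
        i += 1
    return opts


def audit_client_cert_policy(cmdline):
    """Classify what a mongod command line demands of connecting clients."""
    o = parse_mongod_args(cmdline)
    # Assumption: any --sslMode value other than absence counts as SSL enabled.
    if "--sslOnNormalPorts" not in o and "--sslMode" not in o:
        return "ssl-off"
    if "--sslCAFile" not in o:
        # No CA to validate against, so a client with just --ssl is accepted
        # regardless of weak-validation settings (the situation in SERVER-11231).
        return "no-client-cert-check"
    if o.get("--sslWeakCertificateValidation"):
        return "client-cert-optional"
    return "client-cert-required"


if __name__ == "__main__":
    # Constructed sample: the reporter's original configuration.
    print(audit_client_cert_policy("mongod --sslOnNormalPorts --sslPEMKeyFile server.pem"))
```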