[SERVER-11231] mongod started with sslOnNormalPorts but without weakCert allows shell to connect without PEM
Created: 17/Oct/13
Updated: 23/Oct/13
Resolved: 17/Oct/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.5.2
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Sridhar Nanjundeswaran
Assignee: Andreas Nilsson
Resolution: Done
Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Windows 7 Enterprise Build on 2008 R2
Git hash:
mongo - 1ea7e56cb2b8653d4b0453f04728033df34be9e1
enterprise - d919ef07f817832732d2a0a2ec68251bc161193a


Issue Links:
Depends
Operating System: ALL
Steps To Reproduce:
  • start mongodb with --sslOnNormalPorts and a PEM file
  • connect the mongo shell with just the --ssl option and no PEM file
Participants:

Description

The mongo shell should not be able to connect to the server with just --ssl if the server does not specify sslWeakCertificateValidation.



Comments
Comment by Andreas Nilsson [ 17/Oct/13 ]

When a correct CA file is specified and weak validation is not turned on, a client certificate should be required. If this is not the case, then that is a bug introduced by including the sslMode parameter.

Comment by Sridhar Nanjundeswaran [ 17/Oct/13 ]

Same behavior seen with sslMode=sslOnly.

Also confirmed that when sslCAFile is specified, in both cases the shell cannot connect with just --ssl and without specifying --sslPEMKeyFile.

Comment by Eric Milkie [ 17/Oct/13 ]

The server cannot check client certificate validity against a CA if you start the server with a self-signed certificate. If you want to require clients to present a certificate, you must start the server with --sslCAFile.
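
As an added example (not part of this Jira issue and not MongoDB's own code), the following Python script audits a mongod command line for exactly the gap the ticket and the comment above describe: a client certificate is only enforced when the server has its own certificate (--sslPEMKeyFile), a CA to validate clients against (--sslCAFile), and --sslWeakCertificateValidation is absent. It only uses the option names that appear on this page; treating an --sslMode value of "disabled" as TLS off, and the set of options that take no value, are assumptions made for the example.

```python
"""Audit a mongod command line for the client-certificate gap in SERVER-11231.

Added example; not MongoDB's code. Rule encoded: clients are only forced to
present a certificate when the server has --sslPEMKeyFile AND --sslCAFile
AND --sslWeakCertificateValidation is NOT set.
"""
import shlex
from dataclasses import dataclass, field

# Options that take no value (assumed from the flag names used in the ticket).
BOOLEAN_FLAGS = {"sslOnNormalPorts", "sslWeakCertificateValidation"}


def parse_mongod_args(cmdline):
    """Turn 'mongod --a --b=v --c v' into {'a': True, 'b': 'v', 'c': 'v'}."""
    tokens = shlex.split(cmdline)
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, has_eq, value = tok[2:].partition("=")
            if has_eq:
                opts[name] = value
            elif (name not in BOOLEAN_FLAGS and i + 1 < len(tokens)
                    and not tokens[i + 1].startswith("--")):
                opts[name] = tokens[i + 1]  # '--flag value' form
                i += 1
            else:
                opts[name] = True  # bare switch
        i += 1
    return opts


@dataclass
class TlsAudit:
    tls_enabled: bool
    server_cert: bool
    ca_file: bool
    weak_validation: bool
    findings: list = field(default_factory=list)

    @property
    def client_cert_required(self):
        # No CA file or weak validation means a shell connects with --ssl alone.
        return (self.tls_enabled and self.server_cert
                and self.ca_file and not self.weak_validation)


def audit_mongod(cmdline):
    """Return a TlsAudit with human-readable findings for one command line."""
    opts = parse_mongod_args(cmdline)
    ssl_mode = opts.get("sslMode")
    # Assumption: any sslMode value other than 'disabled' turns TLS on.
    tls_enabled = "sslOnNormalPorts" in opts or ssl_mode not in (None, "disabled")
    audit = TlsAudit(
        tls_enabled=tls_enabled,
        server_cert="sslPEMKeyFile" in opts,
        ca_file="sslCAFile" in opts,
        weak_validation="sslWeakCertificateValidation" in opts,
    )
    if not tls_enabled:
        audit.findings.append("TLS is not enabled (no --sslOnNormalPorts / --sslMode)")
        return audit
    if not audit.server_cert:
        audit.findings.append("--sslPEMKeyFile missing: server has no certificate to present")
    if not audit.ca_file:
        audit.findings.append(
            "--sslCAFile missing: server cannot validate client certificates, "
            "so a shell connects with --ssl alone (SERVER-11231)")
    if audit.weak_validation:
        audit.findings.append(
            "--sslWeakCertificateValidation set: clients without a certificate are accepted")
    return audit


if __name__ == "__main__":
    # Constructed command lines: the ticket's reproduction versus the hardened form.
    for line in (
        "mongod --sslOnNormalPorts --sslPEMKeyFile server.pem",
        "mongod --sslMode sslOnly --sslPEMKeyFile server.pem --sslCAFile ca.pem",
        "mongod --sslMode=sslOnly --sslPEMKeyFile=server.pem --sslCAFile=ca.pem "
        "--sslWeakCertificateValidation",
    ):
        result = audit_mongod(line)
        print(line, "=> client cert required:", result.client_cert_required)
        for finding in result.findings:
            print("   -", finding)
```

The first constructed line is the ticket's reproduction (TLS on, server certificate present, no CA file) and is reported as not requiring a client certificate; the second adds --sslCAFile and passes; the third shows that --sslWeakCertificateValidation reopens the gap even with a CA file.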

Generated at Thu Feb 08 03:25:15 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.