[SERVER-11246] C++ driver allows CRLFile to be set without CAFile

Created: 17/Oct/13 | Updated: 11/Jul/16 | Resolved: 19/Nov/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.5.5 |
| Type: | Bug |
| Priority: | Minor - P4 |
| Reporter: | Luke Lovett |
| Assignee: | Shaun Verch |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | 26qa |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |

Steps To Reproduce:
1. Start up mongod like this:
2. You cannot connect with mongo if you use sslCAFile:
3. If you don't specify sslCAFile, you can connect:
Description

It is possible to connect to a mongod (and probably mongos) whose sslPEMKeyFile is in the client's CRL if the client doesn't specify sslCAFile. I would expect that the client not be able to connect, and that a message would be displayed similar to the one that is displayed if you do specify sslCAFile. Interestingly, if you try to do this in reverse (don't specify sslCAFile on the server but give it a CRL), mongod displays:

This behavior should be part of client programs, too.
Comments

Comment by Githook User [19/Nov/13]

Author: Shaun Verch (username: Zarkantho, email: shaun.verch@10gen.com)
Message:
Comment by Eric Milkie [17/Oct/13]

You can't do CRL checking without a CA. This is correctly constrained on the server, but the mongo shell (and the C++ driver) does [incorrectly] allow you to specify a CRL without a CA. The CRL is ignored in this case.
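As an added illustration of the constraint Eric Milkie describes (a CRL is only meaningful together with the CA that issued the certificates it revokes), here is a small option check of the kind the server already applies and the shell and C++ driver did not. It is example code written for this page, not MongoDB's or the driver's own source: the option names sslPEMKeyFile and sslCAFile come from the ticket, the spelling sslCRLFile is assumed from the title, and the error text is my own wording rather than mongod's message (which the ticket does not reproduce). The parser accepts `--name=value` arguments and the validator refuses a CRL without a CA instead of silently ignoring it, which is the failure mode the ticket is about.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Hypothetical option bag for this example; not the driver's own SSL-option struct.
struct SslOptions {
    std::string pemKeyFile;  // --sslPEMKeyFile (name from the ticket)
    std::string caFile;      // --sslCAFile    (name from the ticket)
    std::string crlFile;     // --sslCRLFile   (flag spelling assumed from the ticket title)
};

// Parse "--name=value" style arguments into SslOptions.
// Arguments that are not of that form, or not SSL flags, are ignored.
SslOptions parseSslOptions(const std::vector<std::string>& args) {
    SslOptions opts;
    for (const std::string& arg : args) {
        std::string::size_type eq = arg.find('=');
        if (arg.compare(0, 2, "--") != 0 || eq == std::string::npos) {
            continue;
        }
        std::string name = arg.substr(2, eq - 2);
        std::string value = arg.substr(eq + 1);
        if (name == "sslPEMKeyFile") {
            opts.pemKeyFile = value;
        } else if (name == "sslCAFile") {
            opts.caFile = value;
        } else if (name == "sslCRLFile") {
            opts.crlFile = value;
        }
    }
    return opts;
}

// Returns an empty string when the combination is usable, otherwise a message
// explaining why the program must refuse it. A CRL lists serial numbers revoked
// by a particular issuer; without that issuer's CA certificate there is no chain
// to check the peer against, so the CRL could never be applied. Refusing the
// configuration is safer than accepting it and silently skipping revocation.
std::string validateSslOptions(const SslOptions& opts) {
    if (!opts.crlFile.empty() && opts.caFile.empty()) {
        return "sslCRLFile requires sslCAFile: a CRL can only be checked "
               "against the CA that issued the certificates it revokes";
    }
    return "";
}

// True when the parsed option set should be accepted.
bool sslOptionsAccepted(const std::vector<std::string>& args) {
    return validateSslOptions(parseSslOptions(args)).empty();
}

int main() {
    // Constructed sample command lines; the file names are placeholders.
    std::vector<std::vector<std::string> > samples;
    samples.push_back(std::vector<std::string>{"--sslPEMKeyFile=client.pem", "--sslCRLFile=revoked.pem"});
    samples.push_back(std::vector<std::string>{"--sslPEMKeyFile=client.pem", "--sslCAFile=ca.pem",
                                               "--sslCRLFile=revoked.pem"});
    samples.push_back(std::vector<std::string>{"--sslPEMKeyFile=client.pem"});

    for (const std::vector<std::string>& args : samples) {
        std::string err = validateSslOptions(parseSslOptions(args));
        std::cout << (err.empty() ? "accepted" : "rejected: " + err) << "\n";
    }
    return 0;
}
```

The first sample (CRL, no CA) is the configuration the ticket reports as wrongly accepted by the shell and driver; with this check it is rejected up front, matching the server's behaviour, while the other two are accepted.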