[SERVER-11246] C++ driver allows CRLFile to be set without CAFile Created: 17/Oct/13  Updated: 11/Jul/16  Resolved: 19/Nov/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.5.5

Type: Bug Priority: Minor - P4
Reporter: Luke Lovett Assignee: Shaun Verch
Resolution: Done Votes: 0
Labels: 26qa
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Steps To Reproduce:

1. Start up mongod like this:

mongod --sslMode sslOnly --sslPEMKeyFile jstests/libs/client_revoked.pem --sslCAFile jstests/libs/ca.pem

2. You cannot connect with mongo if you use sslCAFile:

mongo --ssl --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl_client_revoked.pem
2013-10-17T18:33:31.970+0000 ssl imported 1 revoked certificate from the revocation list.
MongoDB shell version: 2.5.3-pre-
connecting to: 127.0.0.1:20000/test
2013-10-17T18:33:32.000+0000 ERROR: SSL peer certificate validation failed:certificate revoked
2013-10-17T18:33:32.001+0000 Error: socket exception [CONNECT_ERROR] for  at src/mongo/shell/mongo.js:148
exception: connect failed

3. If you don't specify sslCAFile, you can connect:

mongo --ssl --sslCRLFile jstests/libs/crl_client_revoked.pem --sslPEMKeyFile jstests/libs/server.pem
2013-10-17T18:34:09.707+0000 ssl imported 1 revoked certificate from the revocation list.
MongoDB shell version: 2.5.3-pre-
connecting to: 127.0.0.1:20000/test
Server has startup warnings:
2013-10-17T18:33:21.151+0000 [initandlisten]
2013-10-17T18:33:21.151+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
2013-10-17T18:33:21.151+0000 [initandlisten] **       Not recommended for production.
2013-10-17T18:33:21.151+0000 [initandlisten]
2013-10-17T18:33:21.151+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
2013-10-17T18:33:21.151+0000 [initandlisten]
>

Description

It is possible to connect to a mongod (and probably mongos) whose sslPEMKeyFile is in the client's CRL if the client doesn't specify sslCAFile. I would expect the client to be unable to connect and a message to be displayed similar to the one shown when you do specify sslCAFile. Interestingly, if you try to do this in reverse (don't specify sslCAFile on the server but give it a CRL), mongod displays:

Error storing command line: BadValue need sslCAFile with sslCRLFile

This behavior should be part of client programs, too.

Comments
Comment by Githook User [ 19/Nov/13 ]

Author: Shaun Verch (username: Zarkantho, email: shaun.verch@10gen.com)

Message: SERVER-11246 Make ssl.CRLFile require ssl.CAFile
Branch: master
https://github.com/mongodb/mongo/commit/041f89d751c3c980f5305933f4e4fd5b9b6a6d16

Comment by Eric Milkie [ 17/Oct/13 ]

You can't do CRL checking without a CA. This is correctly constrained on the server, but the mongo shell (and the C++ driver) does [incorrectly] allow you to specify a CRL without a CA. The CRL is ignored in this case.
Note that this is a C++ driver issue. Presumably other drivers should be checked for this ability as well.
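The description and Eric Milkie's comment both come down to one invariant: a CRL is only meaningful while a peer chain is being verified against a CA, so a client must refuse a CRL file that arrives without a CA file instead of silently ignoring it. The following is an added example, not MongoDB's or the C++ driver's code, that applies that check to the three command lines quoted in the ticket; the struct, the parser and the function names are this example's own, and only the four flag names and the "need sslCAFile with sslCRLFile" message are taken from the page.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for a client's TLS option set (hypothetical; not the driver's type).
struct SslOptions {
    std::string pemKeyFile;
    std::string caFile;
    std::string crlFile;
};

// Split a command line on whitespace and drop the program name (argv[0]).
std::vector<std::string> tokenize(const std::string& commandLine) {
    std::istringstream in(commandLine);
    std::vector<std::string> args;
    std::string tok;
    while (in >> tok) args.push_back(tok);
    if (!args.empty()) args.erase(args.begin());
    return args;
}

// Read the file flags the ticket uses; other flags (e.g. --ssl, --sslMode) are ignored here.
SslOptions parseSslOptions(const std::vector<std::string>& args) {
    SslOptions o;
    for (size_t i = 0; i < args.size(); ++i) {
        const std::string& a = args[i];
        // Value-taking flags consume the following token; a flag with no value
        // yields an empty string, which the validator treats as "not given".
        auto value = [&]() { return i + 1 < args.size() ? args[++i] : std::string(); };
        if (a == "--sslPEMKeyFile") o.pemKeyFile = value();
        else if (a == "--sslCAFile") o.caFile = value();
        else if (a == "--sslCRLFile") o.crlFile = value();
    }
    return o;
}

// Returns an empty string when the option set is consistent, otherwise the
// reason the client should refuse to start. A CRL lists certificates a CA has
// withdrawn, so it can only be consulted while the peer's chain is verified
// against that CA; a client with no CA file performs no chain verification at
// all, which is why the CRL was ignored in the ticket's third invocation.
std::string validateSslOptions(const SslOptions& o) {
    if (!o.crlFile.empty() && o.caFile.empty())
        return "need sslCAFile with sslCRLFile";   // message the server already emits
    return "";
}

// Parse and validate one command line in a single call.
std::string checkCommandLine(const std::string& commandLine) {
    return validateSslOptions(parseSslOptions(tokenize(commandLine)));
}

int main() {
    // The three invocations from the ticket's "Steps To Reproduce".
    const char* lines[] = {
        "mongod --sslMode sslOnly --sslPEMKeyFile jstests/libs/client_revoked.pem --sslCAFile jstests/libs/ca.pem",
        "mongo --ssl --sslPEMKeyFile jstests/libs/server.pem --sslCAFile jstests/libs/ca.pem --sslCRLFile jstests/libs/crl_client_revoked.pem",
        "mongo --ssl --sslCRLFile jstests/libs/crl_client_revoked.pem --sslPEMKeyFile jstests/libs/server.pem",
    };
    for (const char* l : lines) {
        std::string err = checkCommandLine(l);
        std::cout << (err.empty() ? "ok      " : "rejected") << ": " << l
                  << (err.empty() ? std::string() : "  (" + err + ")") << '\n';
    }
    return 0;
}
```

With the check in place the third command line is rejected before any socket is opened, matching the server-side behaviour the ticket quotes, rather than connecting to a revoked peer.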
