[SERVER-24682] allowConnectionsWithoutCertificates not working
Created: 21/Jun/16  Updated: 14/Jul/16  Resolved: 23/Jun/16

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.6
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Oreste Panaia
Assignee: Kelsey Schubert
Resolution: Cannot Reproduce
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Steps To Reproduce:

set ssl.mode to requireSSL
set PEMKeyFile
and set CAFile

attempt to connect with mongo shell
whatever the value of allowConnectionsWithoutCertificates is (either true or false), mongo will not connect and the server log contains the message "no SSL certificate provided by user"


 Description   

When setting net.ssl.mode to requireSSL and when specifying a net.ssl.CAFile the option allowConnectionsWithoutCertificates is ignored irrespective of whether it is set to true or false. (Also, the documentation talks about enabled and disabled, rather than true or false.)

db version v3.0.6
git version: 1ef45a23a4c5e3480ac919b28afcba3c615488f2



 Comments   
Comment by Kelsey Schubert [ 23/Jun/16 ]

Hi oreste,

As per Kinh's comment, we are unable to reproduce the issue described. I would recommend that you review the configuration of your environment to determine the root cause of this behavior. For MongoDB-related support discussion please post on the mongodb-users group or Stack Overflow with the mongodb tag. A question like this involving more discussion would be best posted on the mongodb-users group.

Thank you,
Thomas

Comment by Kinh Hoang [ 23/Jun/16 ]

I have been unable to reproduce the error.
I started mongod with flags

"--sslMode requireSSL --sslPEMKeyFile trusted-client.pem --sslCAFile trusted-ca.pem --sslAllowConnectionsWithoutCertificates"


And connected with the shell using the flags

--ssl --sslAllowInvalidCertificates

as well as

--ssl --sslCAFile trusted-ca.pem


I also tested with a config file with contents

net:
   ssl:
      mode: requireSSL
      PEMKeyFile: trusted-client.pem
      CAFile: trusted-ca.pem
      allowConnectionsWithoutCertificates: true

For all cases, mongod still logged: "no SSL certificate provided by peer", but I was able to connect just fine when allowConnectionsWithoutCertificates was set, and not when allowConnectionsWithoutCertificates was left out.
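Since the "no SSL certificate provided by peer" line appears even when the connection is allowed, the message alone does not show whether a client was refused. The following is an added example, not part of the ticket or of MongoDB's code: it correlates that message with the connection it belongs to and reports, per remote address, how many certificate-less connections were allowed or rejected. The log layout, the sample lines and the "; connection rejected" suffix for the refused case are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed mongod 3.0 log layout (not from the ticket).
SAMPLE_LOG = """\
2016-06-23T10:15:02.101+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:51234 #1 (1 connection now open)
2016-06-23T10:15:02.140+0000 W NETWORK  [conn1] no SSL certificate provided by peer
2016-06-23T10:15:09.300+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.7:40022 #2 (2 connections now open)
2016-06-23T10:15:09.333+0000 E NETWORK  [conn2] no SSL certificate provided by peer; connection rejected
2016-06-23T10:15:12.010+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.5:51240 #3 (2 connections now open)
2016-06-23T10:15:12.044+0000 W NETWORK  [conn3] no SSL certificate provided by peer
2016-06-23T10:15:20.500+0000 I NETWORK  [initandlisten] connection accepted from 10.0.0.9:33100 #4 (3 connections now open)
"""

# "connection accepted from <addr>:<port> #<n>" ties a connection number to a peer.
ACCEPT_RE = re.compile(r"connection accepted from (\S+):\d+ #(\d+)")
# The suffix group is assumed to mark the case where the server refused the peer.
NOCERT_RE = re.compile(
    r"\[conn(\d+)\] no SSL certificate provided by peer(; connection rejected)?"
)


def certless_peers(log_text):
    """Return {remote_addr: {"allowed": n, "rejected": m}} for peers without a certificate."""
    conn_addr = {}  # connection number -> remote address
    result = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            conn_addr[m.group(2)] = m.group(1)
            continue
        m = NOCERT_RE.search(line)
        if m:
            addr = conn_addr.get(m.group(1), "unknown")
            outcome = "rejected" if m.group(2) else "allowed"
            result[addr][outcome] += 1
    return dict(result)


if __name__ == "__main__":
    for addr, counts in sorted(certless_peers(SAMPLE_LOG).items()):
        print(addr, counts)
```

Run against real logs before turning allowConnectionsWithoutCertificates off, the "allowed" column lists the clients that would start failing.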

Comment by Ramon Fernandez Marina [ 21/Jun/16 ]

oreste, what error message does the client get? Would be useful to see a transcript of the client session and the corresponding server logs for the failing connection.

Thanks,
Ramón.
