[SERVER-39376] 4.2 with ssl has mixed translation in getCmdLineOpts
Created: 05/Feb/19  Updated: 29/Oct/23  Resolved: 12/Feb/19

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 4.1.9

Type: Bug
Priority: Major - P3
Reporter: Louisa Berger
Assignee: Sara Golemon
Resolution: Fixed
Votes: 0
Labels: mms-s
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security 2019-02-25
Participants:

 Description   

If you start a 4.2 process with the following in the config file:

ssl:
  CAFile: /tmp/mms-automation/test/output/certificates/mmsCA.pem
  PEMKeyFile: /tmp/mms-automation/test/output/certificates/cert-763911616
  clusterFile: /tmp/mms-automation/test/output/certificates/cert-827743263
  mode: requireSSL

When you run getCmdLineOpts, you get the following:

tls: {
  certificateKeyFile:/tmp/mms-automation/test/output/certificates/cert-991138764, 
  clusterFile:/tmp/mms-automation/test/output/certificates/cert-391280315, 
  CAFile:/tmp/mms-automation/test/output/certificates/mmsCA.pem
}, 
ssl: {
  mode:requireSSL
}

The fact that the ssl arguments are translated at all is unexpected – the server hasn't done that for other deprecated args.

Automation cares about this because we run getCmdLineOpts to check that the process is running with the correct process arguments.

Our preference here would be that the server translates none of the arguments – that getCmdLineOpts returns what the user actually started with in the conf file. If that's not possible, to translate all of the arguments, and not leave the dangling "ssl" in a case like this.

Thank you!
(spoke to spencer.jackson who recommended filing a ticket)



 Comments   
Comment by Githook User [ 12/Feb/19 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-39376 Canonicalize net.ssl.mode to net.tls.mode
Branch: master
https://github.com/mongodb/mongo/commit/2c65bbe94d04ac0fa62f4fc51a2ece2e748de739

Comment by Sara Golemon [ 12/Feb/19 ]

It's not going to be possible to not-canonicalize the deprecated settings; it happens too early. I'm curious to hear more about "the server hasn't done that for other deprecated args" because that behavior isn't new. It's possible that the deprecated args which you're thinking of are presented in the configs as separate arguments which happen to do the same thing (and we have quite a number of those).

sslMode is special because it's not actually treated as a rename of the old settings since we validate the values passed translate (e.g. sslMode=requireSSL or tlsMode=requireTLS are okay, but sslMode=requireTLS or tlsMode=requireSSL are not). That said, I can easily add an explicit canonicalization to transform this to the tls variant so that it aligns with the rest of the normalized settings.
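
Added example, not part of the ticket or of MongoDB's code: one way an automation check could compare configured options with the getCmdLineOpts result whichever spelling the server reports, by folding both sides into the tls names before comparing. The function names and sample paths are hypothetical; the key mapping is the one visible in the description, the mode pairs are the net.ssl.mode and net.tls.mode values, and the argument is assumed to be the object holding the ssl and tls subdocuments.

```javascript
// Added example. Key and mode mappings cover only the options named in this ticket.
const SSL_TO_TLS_KEY = new Map([
  ["PEMKeyFile", "certificateKeyFile"],
  ["clusterFile", "clusterFile"],
  ["CAFile", "CAFile"],
  ["mode", "mode"],
]);
const SSL_TO_TLS_MODE = new Map([
  ["disabled", "disabled"],
  ["allowSSL", "allowTLS"],
  ["preferSSL", "preferTLS"],
  ["requireSSL", "requireTLS"],
]);
const TLS_MODES = new Set(SSL_TO_TLS_MODE.values());

// Fold an {ssl: {...}, tls: {...}} pair into a single object keyed by tls names.
function canonicalizeTls(section) {
  const out = {};
  for (const [key, value] of Object.entries(section.tls || {})) {
    // tls.mode must carry a TLS spelling (tlsMode=requireSSL is rejected).
    if (key === "mode" && !TLS_MODES.has(value)) throw new Error(`invalid tls.mode: ${value}`);
    out[key] = value;
  }
  for (const [key, value] of Object.entries(section.ssl || {})) {
    const tlsKey = SSL_TO_TLS_KEY.get(key);
    if (tlsKey === undefined) throw new Error(`unmapped ssl option: ${key}`);
    // ssl.mode must carry an SSL spelling (sslMode=requireTLS is rejected).
    const tlsValue = key === "mode" ? SSL_TO_TLS_MODE.get(value) : value;
    if (tlsValue === undefined) throw new Error(`invalid ssl.mode: ${value}`);
    if (tlsKey in out && out[tlsKey] !== tlsValue) throw new Error(`ssl.${key} conflicts with tls.${tlsKey}`);
    out[tlsKey] = tlsValue;
  }
  return out;
}

// Return the sorted option names whose canonical values differ between the two sides.
function tlsDrift(configured, reported) {
  const want = canonicalizeTls(configured);
  const have = canonicalizeTls(reported);
  const keys = new Set([...Object.keys(want), ...Object.keys(have)]);
  return [...keys].filter((k) => want[k] !== have[k]).sort();
}

// Constructed sample data (placeholder paths, not the ticket's files).
const sampleConfig = { ssl: { CAFile: "/certs/ca.pem", PEMKeyFile: "/certs/server.pem",
                              clusterFile: "/certs/cluster.pem", mode: "requireSSL" } };
const sampleMixedReport = { tls: { certificateKeyFile: "/certs/server.pem",
                                   clusterFile: "/certs/cluster.pem", CAFile: "/certs/ca.pem" },
                            ssl: { mode: "requireSSL" } };
console.log(tlsDrift(sampleConfig, sampleMixedReport));
```

The same comparison holds for the mixed output in the description and for a fully canonicalized report with tls.mode set, so the check does not depend on which server build answered.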
