[SERVER-45387] mongod will start with allowConnectionWithoutCertificates: true and authenticationMechanism: MONGODB-X509
Created: 07/Jan/20
Updated: 16/Jan/20
Resolved: 14/Jan/20

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement
Priority: Major - P3
Reporter: Ella Shurhavetsky
Assignee: Spencer Jackson
Resolution: Won't Do
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Security 2019-01-27
Participants:

Description

The mongod process will start with the following unreasonable setting, possible security glitch:

ssl:
  ...
    allowConnectionWithoutCertificates: true
setParameter:
   authenticationMechanism: MONGODB-X509



Comments
Comment by Danny Hatcher (Inactive) [ 15/Jan/20 ]

We run into the same issues of it not really being a contradiction and of needing to code special logic to capture the config. As Spencer mentioned, there are scenarios where you actually would implement it that way.

For what it's worth, the docs for allowConnectionsWithoutCertificates say:

Use the net.tls.allowConnectionsWithoutCertificates option if you have a mixed deployment that includes clients that do not or cannot present certificates to the mongos or mongod.

If you are using x509 certs as your sole method of authentication, then you do not have the above deployment so shouldn't use the feature.

Comment by Ella Shurhavetsky [ 15/Jan/20 ]

spencer.jackson daniel.hatcher
Thank you very much for the reply. If the direction is to leave it as is, I think there are still a few things that are required:

What do you say?

Comment by Spencer Jackson [ 14/Jan/20 ]

Daniel's summary is correct. I'm disinclined to complicate options parsing, by adding a dependency edge between the TLS options parsing and authentication mechanism options parsing. Clients which did not present client certificates would be able to establish connections to servers, but would be unable to authenticate. If the client attempted to perform MONGODB-X509 authentication, it would get back an AuthenticationFailed error, with a message. There are also scenarios where it would be reasonable for clients to connect without presenting certificates to MongoDB servers and not performing authentication. For example, a client process which monitored a server and performed health checks wouldn't need to authenticate, and so wouldn't need to be allowed into a trust domain by the trusted Certificate Authority.

Comment by Danny Hatcher (Inactive) [ 07/Jan/20 ]

You can have that as one of the possible authentication mechanisms along with other non-certificate related ones so we can't block that string existing. We'd have to block this config when there is only one authentication mechanism and it is MONGODB-X509. I'm personally not a fan of adding specific handling for areas where a bug doesn't exist; connections would occur but it would be obvious from the server-side why they failed. But I'll defer to the Security team.
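The check Danny describes (flag the configuration only when MONGODB-X509 is the sole enabled mechanism and connections without certificates are allowed) is easy to run as a deployment-side lint even though the server will not enforce it. The following is an added example written for this ticket, not code from the MongoDB server or its tooling. It assumes the mongod.conf file has already been loaded with a YAML parser such as PyYAML's yaml.safe_load(); to run offline the configurations below are constructed inline as the dicts that parser would return. The option names used are the documented ones, net.tls.allowConnectionsWithoutCertificates (and the older net.ssl spelling) and setParameter.authenticationMechanisms; the ticket text uses singular spellings of both. The file paths are placeholders.

```python
"""Lint a parsed mongod configuration for the X.509-only / no-certificate combination.

Added example for SERVER-45387; not part of the MongoDB code base.
"""
import copy
from typing import Any, Dict, List

# Constructed sample: the weak combination from the ticket description,
# written as the dict yaml.safe_load() would produce for a mongod.conf.
WEAK_CONFIG: Dict[str, Any] = {
    "net": {
        "tls": {
            "mode": "requireTLS",
            "certificateKeyFile": "/path/to/mongod.pem",  # placeholder path
            "CAFile": "/path/to/ca.pem",                  # placeholder path
            "allowConnectionsWithoutCertificates": True,
        }
    },
    "setParameter": {"authenticationMechanisms": "MONGODB-X509"},
}

# Constructed sample: the "mixed deployment" case the docs describe, where
# non-certificate clients authenticate with SCRAM instead. Not flagged.
MIXED_CONFIG: Dict[str, Any] = copy.deepcopy(WEAK_CONFIG)
MIXED_CONFIG["setParameter"]["authenticationMechanisms"] = "SCRAM-SHA-256,MONGODB-X509"

# Constructed sample: X.509-only, but every client must present a certificate.
HARDENED_CONFIG: Dict[str, Any] = copy.deepcopy(WEAK_CONFIG)
HARDENED_CONFIG["net"]["tls"]["allowConnectionsWithoutCertificates"] = False


def enabled_mechanisms(config: Dict[str, Any]) -> List[str]:
    """Return setParameter.authenticationMechanisms as a normalised list.

    The value may be a comma-separated string or a YAML list. An absent
    parameter means the server defaults apply, which is never X.509-only,
    so an empty list is returned.
    """
    params = config.get("setParameter") or {}
    raw = params.get("authenticationMechanisms")
    if raw is None:
        return []
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    return [str(m).strip().upper() for m in items if str(m).strip()]


def allows_connections_without_certificates(config: Dict[str, Any]) -> bool:
    """True if net.tls (or the legacy net.ssl) allows certificate-less connections."""
    net = config.get("net") or {}
    for section in ("tls", "ssl"):
        opts = net.get(section) or {}
        value = opts.get("allowConnectionsWithoutCertificates", False)
        # YAML normally yields a bool, but tolerate a quoted "true".
        if value is True or str(value).strip().lower() == "true":
            return True
    return False


def lint_x509_only(config: Dict[str, Any]) -> List[str]:
    """Return findings for the combination discussed in the ticket.

    Flagged only when MONGODB-X509 is the sole mechanism: with other
    mechanisms enabled, certificate-less clients can still authenticate,
    which is the mixed deployment the option exists for.
    """
    findings: List[str] = []
    if enabled_mechanisms(config) == ["MONGODB-X509"] and \
            allows_connections_without_certificates(config):
        findings.append(
            "allowConnectionsWithoutCertificates is true but MONGODB-X509 is the "
            "only authentication mechanism: clients without a certificate can "
            "open connections but can never authenticate (AuthenticationFailed)"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("mixed", MIXED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, lint_x509_only(cfg) or "ok")
```

Because the server accepts the combination, running a lint like this in configuration management or CI is where the warning Ella asked for would have to live; the mixed and hardened samples show the two legitimate shapes the docs describe, which the check deliberately leaves alone.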

Comment by Carl Champain (Inactive) [ 07/Jan/20 ]

Hi adam.schwartz,

Passing this ticket along to the Security team for further investigation.
