[SERVER-45387] mongod will start with allowConnectionWithoutCertificates: true and authenticationMechanism: MONGODB-X509
| Created: | 07/Jan/20 | Updated: | 16/Jan/20 | Resolved: | 14/Jan/20 |
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Ella Shurhavetsky | Assignee: | Spencer Jackson |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Sprint: | Security 2019-01-27 |
| Participants: |
| Description |
|
The mongod process will start with the following unreasonable setting, possible security glitch:
|
| Comments |
| Comment by Danny Hatcher (Inactive) [ 15/Jan/20 ] |
|
We run into the same issues of it not really being a contradiction and of needing to code special logic to capture the config. As Spencer mentioned, there are scenarios where you actually would implement it that way. For what it's worth, the docs for allowConnectionsWithoutCertificates say:
If you are using x509 certs as your sole method of authentication, then you do not have the above deployment so shouldn't use the feature. |
| Comment by Ella Shurhavetsky [ 15/Jan/20 ] |
|
spencer.jackson daniel.hatcher
What do you say? |
| Comment by Spencer Jackson [ 14/Jan/20 ] |
|
Daniel's summary is correct. I'm disinclined to complicate options parsing, by adding a dependency edge between the TLS options parsing and authentication mechanism options parsing. Clients which did not present client certificates would be able to establish connections to servers, but would be unable to authenticate. If the client attempted to perform MONGODB-X509 authentication, it would get back an AuthenticationFailed error, with a message. There are also scenarios where it would be reasonable for clients to connect without presenting certificates to MongoDB servers and not performing authentication. For example, a client process which monitored a server and performed health checks wouldn't need to authenticate, and so wouldn't need to be allowed into a trust domain by the trusted Certificate Authority. |
| Comment by Danny Hatcher (Inactive) [ 07/Jan/20 ] |
|
You can have that as one of the possible authentication mechanisms along with other non-certificate related ones so we can't block that string existing. We'd have to block this config when there is only one authentication mechanism and it is MONGODB-X509. I'm personally not a fan of adding specific handling for areas where a bug doesn't exist; connections would occur but it would be obvious from the server-side why they failed. But I'll defer to the Security team. |
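Since the server itself will not reject this combination (per Spencer's and Danny's comments above, it is deliberately not treated as a contradiction), an operator who wants to catch it has to do so in deployment tooling. The following is an added example, not MongoDB's code and not part of this ticket: a small lint over a parsed mongod.conf that implements exactly the rule Danny describes, flagging only when MONGODB-X509 is the sole mechanism in setParameter.authenticationMechanisms and net.tls.allowConnectionsWithoutCertificates (or the older net.ssl spelling) is true. The sample configurations are constructed for the example; YAML loading is left out so it runs without PyYAML, and the input is the dict shape a YAML loader would produce.

```python
# Added example, not MongoDB's code: lint a parsed mongod.conf for the
# allowConnectionsWithoutCertificates + X.509-only combination discussed in
# SERVER-45387. mongod starts fine with it, so the check lives in tooling.
from typing import Any, Dict, List, Optional

X509 = "MONGODB-X509"

# net.tls.* is the 4.2+ spelling of the option, net.ssl.* the older one.
ALLOW_NO_CERT_KEYS = (
    "net.tls.allowConnectionsWithoutCertificates",
    "net.ssl.allowConnectionsWithoutCertificates",
)


def _get(cfg: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path such as 'net.tls.CAFile' through nested dicts."""
    cur: Any = cfg
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def mechanisms(cfg: Dict[str, Any]) -> List[str]:
    """Return the configured authentication mechanisms.

    In mongod.conf the parameter is a comma-separated string; tooling that
    pre-parses it may hand us a list. An absent value means the server
    default applies, which is not X.509-only, so we return [].
    """
    raw = _get(cfg, "setParameter.authenticationMechanisms")
    if raw is None:
        return []
    if isinstance(raw, str):
        raw = raw.split(",")
    return [m.strip() for m in raw if m.strip()]


def allows_connections_without_certificates(cfg: Dict[str, Any]) -> bool:
    """True if either spelling of the option is set to true (bool or string)."""
    for key in ALLOW_NO_CERT_KEYS:
        val = _get(cfg, key)
        if val is not None:
            return str(val).lower() == "true"
    return False


def check(cfg: Dict[str, Any]) -> List[str]:
    """Return findings. Empty list means nothing to report.

    Only the X.509-only case is flagged: a mixed mechanism list is a
    legitimate reason to admit certificate-less clients, and even the
    flagged case is informational (clients without a certificate can
    connect but cannot complete MONGODB-X509 authentication).
    """
    findings: List[str] = []
    if mechanisms(cfg) == [X509] and allows_connections_without_certificates(cfg):
        findings.append(
            "MONGODB-X509 is the only authentication mechanism but "
            "allowConnectionsWithoutCertificates is true: clients that present "
            "no certificate can connect, and any MONGODB-X509 attempt from them "
            "fails with AuthenticationFailed. Drop the option unless you rely on "
            "unauthenticated connections (e.g. health checks)."
        )
    return findings


# Constructed sample configs (dict form of mongod.conf YAML), not from the ticket.
WEAK_CONF = {
    "net": {"tls": {"mode": "requireTLS", "CAFile": "/etc/ssl/ca.pem",
                    "certificateKeyFile": "/etc/ssl/mongod.pem",
                    "allowConnectionsWithoutCertificates": True}},
    "security": {"authorization": "enabled"},
    "setParameter": {"authenticationMechanisms": "MONGODB-X509"},
}
MIXED_CONF = {
    "net": {"tls": {"mode": "requireTLS", "CAFile": "/etc/ssl/ca.pem",
                    "certificateKeyFile": "/etc/ssl/mongod.pem",
                    "allowConnectionsWithoutCertificates": True}},
    "setParameter": {"authenticationMechanisms": "MONGODB-X509,SCRAM-SHA-256"},
}
FIXED_CONF = {
    "net": {"ssl": {"mode": "requireSSL", "CAFile": "/etc/ssl/ca.pem",
                    "PEMKeyFile": "/etc/ssl/mongod.pem"}},
    "setParameter": {"authenticationMechanisms": "MONGODB-X509"},
}

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("mixed", MIXED_CONF), ("fixed", FIXED_CONF)):
        print(name, check(conf) or ["ok"])
```

The lint deliberately mirrors the thread's reasoning: it does not flag the option on its own, nor a mechanism list that merely contains MONGODB-X509, because both are supportable deployments; it only reports the one combination where admitting certificate-less clients cannot lead to a successful authentication.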
| Comment by Carl Champain (Inactive) [ 07/Jan/20 ] |
|
Hi adam.schwartz, Passing this ticket along to the Security team for further investigation. |