[SERVER-72839] Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided Created: 13/Jan/23 Updated: 29/Jan/24 Resolved: 07/Sep/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 7.0.5, 6.0.13, 5.0.24, 4.4.28 |
| Fix Version/s: | 7.1.0-rc4, 7.0.6, 5.0.25, 4.4.29, 6.0.14 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Erwin Pe | Assignee: | Brad Moore |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
| Assigned Teams: |
Server Security
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Operating System: | ALL | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Backport Requested: |
v7.0, v6.0, v5.0, v4.4, v4.2
|
||||||||||||||||||||||||||||||||||||||||||||||||||||
| Sprint: | Security 2023-01-23, Security 2023-02-06, Security 2023-02-20, Security 2023-03-06, Security 2023-03-20, Security 2023-04-03, Security 2023-04-17, Security 2023-05-01, Security 2023-05-15, Security 2023-05-29, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04, Security 2023-09-18 | ||||||||||||||||||||||||||||||||||||||||||||||||||||
| Participants: | |||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description |
|
The documentation says that: If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to an TLS-enabled server. However, when a server is configured with neither CAFile nor clusterCAFile, it will skip peer certificate validation on both ingress and egress TLS connections. The expectation is that on egress connection, the node (client) should at least verify the peer (server's) certificate using the system CA cert store. Note, this only applies to server processes (mongod and mongos), the shell is not affected. |
| Comments |
| Comment by Githook User [ 28/Jan/24 ] |
|
Author: {'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}Message: (cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a) GitOrigin-RevId: 2e8dc5a43d49f9fde809fea7a546fa2b94928a8a |
| Comment by Githook User [ 27/Jan/24 ] |
|
Author: {'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}Message: (cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a) GitOrigin-RevId: 4d95b44dd90ddf18dfd64bdc030da785ef067f14 |
| Comment by Githook User [ 27/Jan/24 ] |
|
Author: {'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}Message: (cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a) GitOrigin-RevId: c40fd9ab752ef0beecc0f0fb1c28a76a4a77570e |
| Comment by Githook User [ 26/Jan/24 ] |
|
Author: {'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}Message: (cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a) GitOrigin-RevId: 9428092448e120f38d2d8541d3e731fe452a9740 |
| Comment by Githook User [ 25/Aug/23 ] |
|
Author: {'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}Message: |