[SERVER-72839] Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided
Created: 13/Jan/23
Updated: 29/Jan/24
Resolved: 07/Sep/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 7.0.5, 6.0.13, 5.0.24, 4.4.28
Fix Version/s: 7.1.0-rc4, 7.0.6, 5.0.25, 4.4.29, 6.0.14

Type: Bug
Priority: Major - P3
Reporter: Erwin Pe
Assignee: Brad Moore
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
is depended on by TOOLS-3463 Investigate changes in SERVER-72839: ... Needs Triage
is depended on by COMPASS-7197 Investigate changes in SERVER-72839: ... Closed
Documented
is documented by DOCS-16369 [SERVER] Investigate changes in SERVE... Closed
Problem/Incident
causes MONGOSH-1592 Account for server TLS option changes Closed
is caused by SERVER-23044 Fall back to system CA certs in the s... Closed
Related
related to SERVER-72234 System-wide CA certificate store not ... Closed
related to SERVER-82257 Add explicit --tlsUseSystemCA flag Closed
is related to SERVER-80677 Cert failures due to parallel tests Closed
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0, v6.0, v5.0, v4.4, v4.2
Sprint: Security 2023-01-23, Security 2023-02-06, Security 2023-02-20, Security 2023-03-06, Security 2023-03-20, Security 2023-04-03, Security 2023-04-17, Security 2023-05-01, Security 2023-05-15, Security 2023-05-29, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04, Security 2023-09-18
Participants:

 Description   

The documentation says that:

If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

However, when a server is configured with neither CAFile nor clusterCAFile, it will skip peer certificate validation on both ingress and egress TLS connections. The expectation is that on egress connections, the node (client) should at least verify the peer's (server's) certificate using the system CA cert store.

Note that this only applies to server processes (mongod and mongos); the shell is not affected.
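
An added example, not MongoDB's code and not part of this ticket: a small audit that flags nodes in the state described above (TLS enabled, neither CAFile nor clusterCAFile set), working from the `parsed` section of a `getCmdLineOpts` reply and the fix versions listed on this issue. The sample replies, host names and paths are constructed, and treating every release before a branch's fix version as affected is an assumption.

```python
import json

# Fix versions listed on this issue, keyed by (major, minor) release branch.
FIXED_IN = {(4, 4): (4, 4, 29), (5, 0): (5, 0, 25),
            (6, 0): (6, 0, 14), (7, 0): (7, 0, 6)}

def parse_version(text):
    """'6.0.13' -> (6, 0, 13); a suffix such as '-rc4' is dropped."""
    return tuple(int(part) for part in text.split("-", 1)[0].split("."))

def audit(cmdline_opts, version):
    """Classify one mongod/mongos from its getCmdLineOpts reply and version.

    Returns 'tls-disabled', 'ca-configured', 'no-ca-before-fix',
    'no-ca-with-fix' or 'no-ca-unlisted-branch'.
    """
    tls = cmdline_opts.get("parsed", {}).get("net", {}).get("tls", {})
    if tls.get("mode", "disabled") == "disabled":
        return "tls-disabled"
    if tls.get("CAFile") or tls.get("clusterCAFile"):
        return "ca-configured"
    # TLS on with neither CAFile nor clusterCAFile: the case in this issue.
    ver = parse_version(version)
    fix = FIXED_IN.get(ver[:2])
    if fix is None:
        return "no-ca-unlisted-branch"  # branch has no fix version on the issue
    # Assumption: releases on a branch before its fix version behave like
    # the affected versions the issue lists.
    return "no-ca-before-fix" if ver < fix else "no-ca-with-fix"

# Constructed getCmdLineOpts replies (hosts and paths are made up).
_NO_CA = '{"parsed": {"net": {"tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/mongo/node.pem"}}}}'
_WITH_CA = '{"parsed": {"net": {"tls": {"mode": "requireTLS", "certificateKeyFile": "/etc/mongo/node.pem", "CAFile": "/etc/mongo/ca.pem"}}}}'
_PLAIN = '{"parsed": {"net": {"port": 27017}}}'
SAMPLES = {
    "node-a": (_NO_CA, "6.0.13"),
    "node-b": (_NO_CA, "6.0.14"),
    "node-c": (_WITH_CA, "5.0.24"),
    "node-d": (_PLAIN, "4.4.28"),
}

def audit_fleet(samples=SAMPLES):
    """Map each sample node name to its audit verdict."""
    return {name: audit(json.loads(raw), ver) for name, (raw, ver) in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit_fleet().items():
        print(f"{name}: {verdict}")
```

A `no-ca-before-fix` verdict marks a node whose TLS connections should be treated as unauthenticated until it is upgraded or given an explicit CA file.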



 Comments   
Comment by Githook User [ 28/Jan/24 ]

Author:

{'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}

Message: SERVER-72839, SERVER-80677, SERVER-82257, SERVER-85511, SERVER-84267: System CA Cert Verification Fix

(cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a)
(cherry picked from commit 0fa3e980681b3369fb369fe8d107350ab9547fa1)
(cherry picked from commit 9e65329f5ece552803735bb70ddcf29a9d94a989)
(cherry picked from commit 80995175cbe24fa2c998e20f62b92d24cac521e3)
(cherry picked from commit 7bf52c58275907eab6fb5b67d9b5207e4f3da202)

GitOrigin-RevId: 2e8dc5a43d49f9fde809fea7a546fa2b94928a8a
Branch: v4.4
https://github.com/mongodb/mongo/commit/c4a8534c26bc3c86b2c4be6128722811055767a0

Comment by Githook User [ 27/Jan/24 ]

Author:

{'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}

Message: SERVER-72839, SERVER-80677, SERVER-82257, SERVER-85511, SERVER-84267: System CA Cert Verification Fix

(cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a)
(cherry picked from commit 0fa3e980681b3369fb369fe8d107350ab9547fa1)
(cherry picked from commit 9e65329f5ece552803735bb70ddcf29a9d94a989)
(cherry picked from commit 80995175cbe24fa2c998e20f62b92d24cac521e3)
(cherry picked from commit 7bf52c58275907eab6fb5b67d9b5207e4f3da202)

GitOrigin-RevId: 4d95b44dd90ddf18dfd64bdc030da785ef067f14
Branch: v5.0
https://github.com/mongodb/mongo/commit/1d959ddb773145fc2df52ed6ee0077a6c2f75442

Comment by Githook User [ 27/Jan/24 ]

Author:

{'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}

Message: SERVER-72839, SERVER-80677, SERVER-82257, SERVER-85511, SERVER-84267: System CA Cert Verification Fix

(cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a)
(cherry picked from commit 0fa3e980681b3369fb369fe8d107350ab9547fa1)
(cherry picked from commit 9e65329f5ece552803735bb70ddcf29a9d94a989)
(cherry picked from commit 80995175cbe24fa2c998e20f62b92d24cac521e3)
(cherry picked from commit 7bf52c58275907eab6fb5b67d9b5207e4f3da202)

GitOrigin-RevId: c40fd9ab752ef0beecc0f0fb1c28a76a4a77570e
Branch: v6.0
https://github.com/mongodb/mongo/commit/45d4dc33c2929d8578e45c55d6348d646d02123d

Comment by Githook User [ 26/Jan/24 ]

Author:

{'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}

Message: SERVER-72839, SERVER-80677, SERVER-82257, SERVER-85511, SERVER-84267: System CA Cert Verification Fix

(cherry picked from commit 3e37b1e2a4c341cd456125c804f7700b3056519a)
(cherry picked from commit 0fa3e980681b3369fb369fe8d107350ab9547fa1)
(cherry picked from commit 9e65329f5ece552803735bb70ddcf29a9d94a989)
(cherry picked from commit 80995175cbe24fa2c998e20f62b92d24cac521e3)
(cherry picked from commit 7bf52c58275907eab6fb5b67d9b5207e4f3da202)

GitOrigin-RevId: 9428092448e120f38d2d8541d3e731fe452a9740
Branch: v7.0
https://github.com/mongodb/mongo/commit/3073e288eb72a61956ec4034a940689aa861868a

Comment by Githook User [ 25/Aug/23 ]

Author:

{'name': 'W. Brad Moore', 'email': 'brad.moore@mongodb.com', 'username': 'wbradmoore'}

Message: SERVER-72839: Server no longer skips peer certificate validation if neither CAFile nor clusterCAFile is provided
Branch: master
https://github.com/mongodb/mongo/commit/3e37b1e2a4c341cd456125c804f7700b3056519a
