[SERVER-8209] reverse logic of --sslForceCertificateValidation Created: 17/Jan/13  Updated: 11/Jul/16  Resolved: 18/Jan/13

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: 2.4.0-rc0
Fix Version/s: 2.4.0-rc0

Type: Bug Priority: Major - P3
Reporter: Christian Amor Kvalheim Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment: osx 10.8
Issue Links: is related to DRIVERS-65 (SSL certificate validation testing, Closed)
Operating System: ALL
Steps To Reproduce:

Have not figured out how to reproduce it using the mongo shell as it presents the credentials correctly. I've added a link to the node.js test that should break but does not. Ping me if you need help setting it up.

https://github.com/mongodb/node-mongodb-native/blob/sslValidation/test/auxilliary/ssl/ssl_present_certificate_test.js#L41

Description:

Right now if you don't provide the --sslForceCertificateValidation flag the drivers can connect to the server without presenting a valid client certificate. This is a bad default as it can cause misconfiguration of the server making clients believe that they are validating certificates when in fact they are not unless they provide the --sslForceCertificateValidation flag.

I propose you get rid of --sslForceCertificateValidation, set validation as the default if you provide a certificate store, and add a new flag called

--sslIgnoreCertificateValidation

This makes the action of lowering the security level an explicit user decision, and the default is the strongest possible validation.

----------------------------------------
The material below is from when I discovered the behavior.

Running the mongod instance with the following parameters:

mongod --noprealloc --smallfiles --dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 --port 27017 --journal --sslOnNormalPorts --sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem --sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem --sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem

When providing key and cert in node.js (as needed in node.js) the server responds with:

Thu Jan 17 15:48:29.545 [initandlisten] connection accepted from 127.0.0.1:59572 #2 (1 connection now open)
Thu Jan 17 15:48:29.555 [conn2] end connection 127.0.0.1:59572 (0 connections now open)

in the log, which is as expected, but if I only provide the cert:

Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)
Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer
Thu Jan 17 15:49:23.048 [conn3] end connection 127.0.0.1:59573 (0 connections now open)

But the socket stays open and operations are executed correctly against the db.

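The following is an added example, not code from the ticket or the MongoDB project: it audits a mongod command line under both flag semantics discussed here (the pre-fix --sslForceCertificateValidation and the post-fix --sslWeakCertificateValidation) and flags the connections that a mongod 2.4 log records as presenting no certificate. The sample command line is a shortened, constructed form of the reporter's; the log excerpt is the one quoted above.

```python
import re
import shlex
from typing import List

# Added for this ticket (not MongoDB project code). Pre-fix: a CA file alone
# accepts peers that present no certificate unless --sslForceCertificateValidation
# is given. Post-fix: a certificate is required unless --sslWeakCertificateValidation
# is given. Both semantics are audited below.

def audit_mongod_cmdline(cmdline: str, fixed: bool = True) -> List[str]:
    """Findings for a mongod command line; fixed selects post-fix (True) or
    pre-fix (False) flag semantics."""
    names = {a.split("=", 1)[0] for a in shlex.split(cmdline) if a.startswith("--")}
    if "--sslOnNormalPorts" not in names:
        return []  # TLS not enabled on this listener, nothing to audit
    if "--sslCAFile" not in names:
        return ["no --sslCAFile: peer certificates cannot be validated at all"]
    findings = []
    if fixed and "--sslWeakCertificateValidation" in names:
        findings.append("--sslWeakCertificateValidation: peers without a "
                        "certificate are accepted (explicit opt-out)")
    if not fixed and "--sslForceCertificateValidation" not in names:
        findings.append("--sslForceCertificateValidation missing: peers "
                        "without a certificate are accepted (silent default)")
    return findings

# Matches the mongod 2.4 log lines quoted in the ticket, e.g.
# "Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer"
LOG_RE = re.compile(r"^\w{3} \w{3} +\d+ [\d:.]+ \[(conn\d+)\] (.*)$")

def peers_without_certificate(log_text: str) -> List[str]:
    """Connection ids the server logged as presenting no certificate."""
    ids = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2).startswith("no SSL certificate provided by peer"):
            ids.append(m.group(1))
    return ids

# Constructed sample input: a shortened form of the reporter's command line,
# and the log excerpt from the ticket.
SAMPLE_CMDLINE = ("mongod --dbpath /tmp/d --port 27017 --sslOnNormalPorts "
                  "--sslPEMKeyFile=server.pem --sslCAFile=ca.pem --sslCRLFile=crl.pem")
SAMPLE_LOG = """\
Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)
Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer
Thu Jan 17 15:49:23.048 [conn3] end connection 127.0.0.1:59573 (0 connections now open)
"""
```

Under the pre-fix semantics the sample command line is flagged because the force flag is absent; under the post-fix semantics the same line is clean unless the weak flag is added explicitly.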


Comments:
Comment by auto [ 21/Jan/13 ]

Author: Eric Milkie (milkie@10gen.com), 2013-01-21T16:39:09Z

Message: SERVER-8209 with weak validation, 'no certificate' is not an error
Branch: master
https://github.com/mongodb/mongo/commit/7ea3aa490775b2076433123f79ab7235d07328e5

Comment by auto [ 18/Jan/13 ]

Author: Eric Milkie (milkie@10gen.com), 2013-01-18T19:23:52Z

Message: SERVER-8209 reverse logic of --sslForceCertificateValidation with --sslWeakCertificateValidation
Branch: master
https://github.com/mongodb/mongo/commit/1a1f72cc2a298289a0303c0eb316f363c75be057

Comment by Eric Milkie [ 17/Jan/13 ]

Going to implement --sslWeakCertificateValidation instead, with the opposite logic of the 'force' one.

Comment by Christian Amor Kvalheim [ 17/Jan/13 ]

Changed the definition of the ticket after talking to Eric.

Comment by Christian Amor Kvalheim [ 17/Jan/13 ]

Yeah, the inverse makes more sense, as it would be an explicit override to turn off the validation, which would make it less likely for a customer to put it in production and forget the --sslForceCertificateValidation parameter.

Comment by Eric Milkie [ 17/Jan/13 ]

Using a CA without the force flag would be used for transition/upgrade purposes. Do you think it should be the default when using a CA, and the flag would only need to be used to turn off required client certificates?

Comment by Christian Amor Kvalheim [ 17/Jan/13 ]

OK, that seems a bit counterintuitive. If you provide a CA for SSL, is that not implicitly asking for sslForceCertificateValidation? Are there any circumstances where you want validation to work but not close the connection?

If you pass an invalid certificate it will close the connection even if --sslForceCertificateValidation is not specified; that's the reason I logged the ticket, as it seems inconsistent.

Comment by Eric Milkie [ 17/Jan/13 ]

If you want the connection to close when no certificate is provided, you must use --sslForceCertificateValidation.
