[SERVER-8209] reverse logic of --sslForceCertificateValidation
Created: 17/Jan/13 | Updated: 11/Jul/16 | Resolved: 18/Jan/13

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | 2.4.0-rc0 |
| Fix Version/s: | 2.4.0-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Christian Amor Kvalheim |
| Assignee: | Eric Milkie |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | osx 10.8 |
| Issue Links: | |
| Operating System: | ALL |
| Steps To Reproduce: | Have not figured out how to reproduce it using the mongo shell, as it presents the credentials correctly. I've added a link to the node.js test that should break but does not. Ping me if you need help setting it up. |
| Participants: | |

| Description |
|
Right now, if you don't provide the --sslForceCertificateValidation flag, the drivers can connect to the server without presenting a valid client certificate. This is a bad default, as it can cause misconfiguration of the server, making clients believe that they are validating certificates when in fact they are not, unless they provide the --sslForceCertificateValidation flag. I propose you get rid of --sslForceCertificateValidation, set validation as the default if you provide a certificate store, and add a new flag called --sslIgnoreCertificateValidation. This makes the action of lowering the security level a user's explicit decision, and the default is the strongest possible validation.

----------------------------------------

Running the mongod instance with the following parameters:

    mongod --noprealloc --smallfiles --dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 --port 27017 --journal --sslOnNormalPorts --sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem --sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem --sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem

When providing key and cert in node.js (as needed in node.js), the server responds with

    Thu Jan 17 15:48:29.545 [initandlisten] connection accepted from 127.0.0.1:59572 #2 (1 connection now open)

in the log, which is as expected. But if I only provide the cert:

    Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)

The socket stays open and operations are executed correctly against the db. |
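The situation the reporter describes (a CA file is configured, yet a client that presents no certificate is still accepted unless --sslForceCertificateValidation is given) is something a deployment review can catch from the mongod command line alone. The following is an added example, not code from this ticket or from MongoDB: a small Python audit that parses a mongod 2.4-era command line and classifies its client-certificate policy under both the rc0 semantics described in the ticket and the inverted semantics of --sslWeakCertificateValidation that the ticket settled on. The `fixed` parameter, the policy names and the `audit` helper are this example's own assumptions; the command line it checks is the one quoted in the description, and the rules it encodes are only those the ticket states.

```python
"""Audit a mongod command line for the client-certificate behaviour in SERVER-8209.

Added example, not MongoDB code. Flag semantics as stated in the ticket:
  * rc0 (fixed=False): --sslCAFile validates a certificate that IS presented,
    but a client presenting NO certificate is accepted unless
    --sslForceCertificateValidation is also given.
  * after the ticket (fixed=True): --sslCAFile requires a client certificate
    unless --sslWeakCertificateValidation is given explicitly.
"""
import shlex

# Constructed sample: the command line quoted in the ticket description.
TICKET_CMDLINE = (
    "mongod --noprealloc --smallfiles "
    "--dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 "
    "--port 27017 --journal --sslOnNormalPorts "
    "--sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem "
    "--sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem "
    "--sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem"
)


def parse_mongod_args(cmdline):
    """Parse '--key=value', '--key value' and bare '--switch' tokens into a dict.

    Bare switches map to True. The leading 'mongod' token (or any other
    non-option token) is ignored.
    """
    toks = shlex.split(cmdline)
    opts = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, value = tok[2:].split("=", 1)
                opts[key] = value
            elif i + 1 < len(toks) and not toks[i + 1].startswith("--"):
                opts[tok[2:]] = toks[i + 1]
                i += 1
            else:
                opts[tok[2:]] = True
        i += 1
    return opts


def client_cert_policy(opts, fixed):
    """Classify the effective client-certificate policy.

    Returns one of (names are this example's own):
      'plaintext'   - TLS not enabled on the normal port
      'unvalidated' - TLS on, but no CA file, so client certs are never validated
      'optional'    - a presented cert is validated, but a missing cert is accepted
      'required'    - a missing (or invalid) cert closes the connection
    """
    if not opts.get("sslOnNormalPorts"):
        return "plaintext"
    if "sslCAFile" not in opts:
        return "unvalidated"
    if opts.get("sslWeakCertificateValidation"):
        return "optional"            # explicit opt-out, post-ticket flag
    if opts.get("sslForceCertificateValidation"):
        return "required"            # explicit opt-in, rc0 flag
    # Neither override given: the default depends on which semantics the build has.
    return "required" if fixed else "optional"


def audit(cmdline, fixed):
    """Return (policy, findings) for a mongod command line."""
    opts = parse_mongod_args(cmdline)
    policy = client_cert_policy(opts, fixed)
    findings = []
    if policy == "plaintext":
        findings.append("TLS not enabled: --sslOnNormalPorts missing")
    elif policy == "unvalidated":
        findings.append("no --sslCAFile: client certificates are never validated")
    elif policy == "optional":
        if opts.get("sslWeakCertificateValidation"):
            findings.append("--sslWeakCertificateValidation explicitly admits clients without a certificate")
        else:
            findings.append("CA file set but --sslForceCertificateValidation missing: "
                            "clients without a certificate are accepted (SERVER-8209)")
    return policy, findings


if __name__ == "__main__":
    for fixed in (False, True):
        policy, findings = audit(TICKET_CMDLINE, fixed)
        print(f"fixed={fixed}: policy={policy} findings={findings}")
```

Run against the ticket's own command line, the rc0 semantics yield `optional` with a finding, and the post-ticket semantics yield `required` with none, which is exactly the inversion of defaults the ticket argues for.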
| Comments |
| Comment by auto [ 21/Jan/13 ] |
|
Author: Eric Milkie (milkie@10gen.com), 2013-01-21T16:39:09Z. Message: |
| Comment by auto [ 18/Jan/13 ] |
|
Author: Eric Milkie (milkie@10gen.com), 2013-01-18T19:23:52Z. Message: |
| Comment by Eric Milkie [ 17/Jan/13 ] |
|
Going to implement --sslWeakCertificateValidation instead, with the opposite logic of the 'force' one. |
| Comment by Christian Amor Kvalheim [ 17/Jan/13 ] |
|
Changed the definition of the ticket after talking to Eric. |
| Comment by Christian Amor Kvalheim [ 17/Jan/13 ] |
|
Yeah, the inverse makes more sense, as it would be an explicit override to turn off the validation, which would make it less likely for a customer to put it in production and forget the --sslForceCertificateValidation parameter. |
| Comment by Eric Milkie [ 17/Jan/13 ] |
|
Using a CA without the force flag would be used for transition/upgrade purposes. Do you think it should be the default when using a CA, and the flag would only need to be used to turn off required client certificates? |
| Comment by Christian Amor Kvalheim [ 17/Jan/13 ] |
|
OK, that seems a bit counterintuitive: if you provide a CA for the SSL, is that not implicitly asking for sslForceCertificateValidation? Are there any circumstances where you want validation to work but not close the connection? If you pass an invalid certificate it will close the connection even if --sslForceCertificateValidation is not specified; that's the reason I logged the ticket, as it seems inconsistent. |
| Comment by Eric Milkie [ 17/Jan/13 ] |
|
If you want the connection to close when no certificate is provided, you must use --sslForceCertificateValidation. |