[SERVER-85910] Setting allowConnectionsWithoutCertificates is ignored

Created: 30/Jan/24 | Updated: 05/Feb/24

| Status: | Investigating |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 7.0.5 |
| Fix Version/s: | None |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Wernfried Domscheit |
| Assignee: | Brad Moore |
| Resolution: | Unresolved |
| Votes: | 0 |
| Labels: | TLS/SSL, security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Sprint: | Security 2024-02-05, Security 2024-02-19 |

Description

I have set up a stand-alone mongod like this:
Documentation says:
However, the behavior is different. If I don't provide a client certificate, then the connection is rejected (instead of encrypts the TLS/SSL connection, assuming the connection is successfully made):
If I provide an invalid client certificate, then the connection is successful (instead of reject clients):
If the client provides a valid certificate, then of course everything is working fine and as expected:
Tested in Windows 10 environment.

Comments

Comment by Wernfried Domscheit [ 04/Feb/24 ]

I made a mistake in my initial description. The mongo-ca.cer certificate is stored in my system certificate store, thus client certificate mongo.client-bad.pem was accepted. It works as it should work, just the documentation is wrong. Here is the relevant information of the uploaded certificates:
And here are again the test cases:
As already stated Documentation says:
That's not correct. For clients that don't provide a (client) certificate, the connection is rejected if net.tls.allowConnectionsWithoutCertificates = false
Kind Regards

Comment by Brad Moore [ 04/Feb/24 ]

wernfried.domscheit@sunrise.net I've attempted to reproduce the issue you're seeing but am not seeing the same behavior. In case some small difference in the certs is somehow causing different behavior, could you attach a set of certs (mongo-ca.cer, mongo.server.pem, mongo.client.pem, mongo.client-bad.pem) that you've confirmed exhibit this behavior?
Of course, please don't upload any cert that you actually use anywhere.

Comment by Wernfried Domscheit [ 03/Feb/24 ]

I think this part of documentation is misleading:
TLS/SSL encryption of the connection is managed by the server certificate (an invalid server certificate is still used to encrypt the connection; that is properly documented). However, the client certificate does not have any influence on whether a connection is TLS/SSL encrypted or not. Yes, if the client does not provide a certificate, then the mongod or mongos encrypts the TLS/SSL connection.
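As an added illustration that is not part of this issue and not MongoDB code: the Go program below uses the client-authentication modes of Go's crypto/tls as a stand-in for the mongod setting discussed above (RequireAndVerifyClientCert for allowConnectionsWithoutCertificates: false, VerifyClientCertIfGiven for true, and ClientCAs for the CA file plus whatever else the host trusts). It builds its own throwaway CA, server and client certificates (the names echo the files in the report but are constructed here), replays the report's three cases under both modes, and adds the case that explains the report: when the issuer of the "bad" client certificate is also trusted by the server, as the reporter's system certificate store made it, the certificate verifies and the connection is admitted. The mapping onto mongod's behaviour is an assumption drawn from the comments; the program demonstrates the TLS semantics, not mongod itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue builds a throwaway certificate for cn: a self-signed CA if isCA, else a leaf signed by parent.
func issue(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}} // leaf fields; harmless on CAs
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serverAccepts runs one handshake over loopback TCP and returns the server's error (nil = admitted).
// The server is authoritative: with TLS 1.3 the client's handshake completes before the server checks its cert.
func serverAccepts(serverCfg, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		must(err)
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second)) // never hang on a stalled peer
		verdict <- tls.Server(conn, serverCfg).Handshake()
	}()
	if cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		defer cli.Close() // keep the socket open until the server has ruled
	}
	return <-verdict
}

// RunScenarios replays the report's cases under both client-auth modes, plus the one that
// explains the report: the "bad" certificate's issuer is trusted by the server as well.
func RunScenarios() map[string]error {
	ca, otherCA := issue("constructed mongo-ca", true, nil), issue("constructed other-ca", true, nil)
	srv := issue("127.0.0.1", false, &ca)
	good, bad := issue("constructed mongo.client", false, &ca), issue("constructed mongo.client-bad", false, &otherCA)
	trust, both := x509.NewCertPool(), x509.NewCertPool() // ~ net.tls.CAFile (plus, on Windows, the system store)
	trust.AddCert(ca.Leaf)
	both.AddCert(ca.Leaf)
	both.AddCert(otherCA.Leaf)
	server := func(mode tls.ClientAuthType, cas *x509.CertPool) *tls.Config {
		return &tls.Config{MinVersion: tls.VersionTLS12, Certificates: []tls.Certificate{srv}, ClientAuth: mode, ClientCAs: cas}
	}
	client := func(cert *tls.Certificate) *tls.Config {
		cfg := &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: trust, ServerName: "127.0.0.1"}
		if cert != nil { // present it unconditionally, like a client handed a PEM file; by default Go would
			// withhold a cert whose issuer the server did not advertise, which masks the rejection we want to see
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return cert, nil }
		}
		return cfg
	}
	// RequireAndVerifyClientCert ~ allowConnectionsWithoutCertificates: false; VerifyClientCertIfGiven ~ true
	require, optional := tls.RequireAndVerifyClientCert, tls.VerifyClientCertIfGiven
	return map[string]error{
		"require/no-cert":                 serverAccepts(server(require, trust), client(nil)),
		"require/valid-cert":              serverAccepts(server(require, trust), client(&good)),
		"require/bad-cert":                serverAccepts(server(require, trust), client(&bad)),
		"optional/no-cert":                serverAccepts(server(optional, trust), client(nil)),
		"optional/bad-cert":               serverAccepts(server(optional, trust), client(&bad)),
		"require/bad-cert-issuer-trusted": serverAccepts(server(require, both), client(&bad)),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-32s admitted=%-5v %v\n", name, err == nil, err)
	}
}
```

Run it with `go run`; each line names a scenario, whether the server admitted the client, and the server's handshake error. The verdict is taken from the server side on purpose: under TLS 1.3 a client only learns that its certificate was rejected on its first read after the handshake, which is exactly the kind of detail that makes a quick manual test with a shell client misleading. The last scenario is the one to keep in mind when a "bad" certificate is unexpectedly accepted: check every trust source the server consults, not only the configured CA file.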