[SERVER-8662] SSL password obfuscation indicates password length
Created: 22/Feb/13 | Updated: 10/Dec/14 | Resolved: 07/May/13
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Minor - P4 |
| Reporter: | Bryan Reinero | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 0 |
| Labels: | neweng |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Operating System: | ALL |
| Steps To Reproduce: |
$ openssl req -new -x509 -days 365 -nodes -out mongodb-cert.pem -passout pass:foo -keyout mongodb-cert.key
$ ps | grep mongo
| Description |
|
Mongod obfuscates the command line so that the SSL key password is overwritten with 'x's, but the number of 'x's indicates the length of the password. A single 'x' would be preferable regardless of actual password length. |
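The masking behaviour described above, as an added example that is not MongoDB's code or part of the original report: `mask_full_length` overwrites the secret in place, so the mask is as long as the secret, while `mask_single_char` is the one-character variant the report asks for. The flag name `--keyPassword`, the function names and the sample argument vectors are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Behaviour described in the report: overwrite every byte of the secret
 * with 'x' in place. Returns the visible mask length, which equals the
 * secret's length, so the length is exposed to anyone who lists processes. */
static size_t mask_full_length(char *arg)
{
    size_t n = strlen(arg);
    memset(arg, 'x', n);
    return strlen(arg);
}

/* Variant requested in the report: one 'x' regardless of length. The
 * buffer cannot shrink in place, so the remaining bytes are zeroed. */
static size_t mask_single_char(char *arg)
{
    size_t n = strlen(arg);
    if (n == 0)
        return 0;
    arg[0] = 'x';
    memset(arg + 1, '\0', n - 1);
    return strlen(arg);
}

/* Mask the value that follows `flag` in an argv-style vector.
 * Returns the visible mask length, or 0 if the flag is absent. */
static size_t mask_flag_value(int argc, char **argv, const char *flag,
                              size_t (*mask)(char *))
{
    for (int i = 1; i + 1 < argc; i++)
        if (strcmp(argv[i], flag) == 0)
            return mask(argv[i + 1]);
    return 0;
}

int main(void)
{
    /* Constructed argument vectors; "--keyPassword" is a placeholder flag. */
    char p0[] = "server", f0[] = "--keyPassword", s0[] = "foo";
    char p1[] = "server", f1[] = "--keyPassword", s1[] = "correct-horse";
    char *a[] = { p0, f0, s0, NULL }, *b[] = { p1, f1, s1, NULL };

    printf("full-length mask: %zu and %zu visible characters\n",
           mask_flag_value(3, a, "--keyPassword", mask_full_length),
           mask_flag_value(3, b, "--keyPassword", mask_full_length));
    printf("single-char mask: %zu and %zu visible characters\n",
           mask_flag_value(3, a, "--keyPassword", mask_single_char),
           mask_flag_value(3, b, "--keyPassword", mask_single_char));
    return 0;
}
```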
| Comments |
| Comment by Andy Schwerin [ 07/May/13 ] |
|
This cannot be changed. The thing that we do on Linux isn't even guaranteed to work, AFAIK. The correct solution is either to take advantage of |