[SERVER-8662] SSL password obfuscation indicates password length
Created: 22/Feb/13  Updated: 10/Dec/14  Resolved: 07/May/13

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Minor - P4
Reporter: Bryan Reinero
Assignee: Unassigned
Resolution: Won't Fix
Votes: 0
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Operating System: ALL
Steps To Reproduce:

openssl req -new -x509 -days 365 -nodes -out mongodb-cert.pem -passout pass:foo -keyout mongodb-cert.key

$ ps | grep mongo
21132 0.9 0.9 4461600 38468 s002 S+ 4:17PM 0:00.16 /Users/breinero/git/mongo/mongod --sslOnNormalPorts --sslPEMKeyFile /Users/breinero/qatest/mongo.pem --sslPEMKeyPassword xxx


 Description   

Mongod obfuscates the command line so that the SSL key password is overwritten with 'x's, but the number of 'x's indicates the length of the password. A single 'x' would be preferable regardless of actual password length.



 Comments   
Comment by Andy Schwerin [ 07/May/13 ]

This cannot be changed. The thing that we do on Linux isn't even guaranteed to work, AFAIK. The correct solution is either to take advantage of SERVER-8169, or to use separate key management machinery, instead of passing the password on the command line.
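
An added audit sketch, not part of the ticket or of MongoDB's code: it reads NUL-separated command lines as Linux exposes them in /proc/<pid>/cmdline and reports processes that still receive --sslPEMKeyPassword as an argument, together with the length the masking leaves visible. The `--sslPEMKeyPassword=value` spelling, the all-'x' masking heuristic and the function names are assumptions; the sample input is constructed from the command line shown in the ticket.

```python
import os

FLAG = "--sslPEMKeyPassword"  # option named in the ticket

def parse_cmdline(raw):
    """Split NUL-separated bytes, as in Linux /proc/<pid>/cmdline, into arguments."""
    if raw.endswith(b"\0"):
        raw = raw[:-1]
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")]

def inspect_argv(argv):
    """Return {'masked', 'length'} if argv carries the key password, else None."""
    value = None
    for i, arg in enumerate(argv):
        if arg == FLAG and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(FLAG + "="):  # assumed alternate spelling
            value = arg[len(FLAG) + 1:]
    if value is None:
        return None
    # Heuristic: a value made only of 'x' is treated as already masked.
    return {"masked": value != "" and set(value) == {"x"}, "length": len(value)}

def scan_proc(proc="/proc"):
    """Yield (pid, finding) for each readable process that uses FLAG (Linux)."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                finding = inspect_argv(parse_cmdline(f.read()))
        except OSError:
            continue  # process exited or is not readable
        if finding:
            yield int(pid), finding

# Constructed sample: the ticket's masked command line in NUL-separated form.
SAMPLE = (b"/Users/breinero/git/mongo/mongod\0--sslOnNormalPorts\0--sslPEMKeyFile\0"
          b"/Users/breinero/qatest/mongo.pem\0--sslPEMKeyPassword\0xxx\0")

if __name__ == "__main__":
    print("sample:", inspect_argv(parse_cmdline(SAMPLE)))
    if os.path.isdir("/proc"):
        for pid, f in scan_proc():
            state = "masked" if f["masked"] else "cleartext"
            print(f"pid {pid}: {FLAG} on command line ({state}, {f['length']} chars)")
```

The script reports only the state and length, never the value; any process it lists, masked or not, is a candidate for moving the passphrase off the command line as the comment above recommends.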
