[SERVER-8700] Start mongo shell with expired cert - should fail. Created: 25/Feb/13  Updated: 20/Oct/23  Resolved: 20/Oct/23

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Gregor Macadam Assignee: Backlog - Security Team
Resolution: Won't Do Votes: 0
Labels: rp-c
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File mongo_expired.pem    
Issue Links:
Depends
Related
related to SERVER-11107 By default, mongod should not start w... Closed
Assigned Teams:
Server Security
Participants:

 Description   

Shell should fail to start with informative message.

ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongod --dbpath ./data/ --sslOnNormalPorts --sslPEMKeyFile smoke.pem

ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongo --ssl --sslPEMKeyFile ../mongo_expired.pem
MongoDB shell version: 2.4.0-rc0
connecting to: test
>



 Comments   
Comment by Spencer Jackson [ 12/May/17 ]

I can confirm that the behavior described by Eric Milkie and Andreas is still present in 3.5. The shell doesn't notice it's running with expired certificates.

Comment by Andreas Nilsson [ 31/Jul/14 ]

Let's display a warning in the shell if starting with an expired cert.

Comment by Eric Milkie [ 25/Feb/13 ]

If you don't start the server with a CA, no client certificate checking is done by the server. So I'm not sure we want to abort the client because of this.

You can check the certificate data (and its expiration date) with the openssl command; something like this:
openssl x509 -in blah.crt.pem -noout -text
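
Added example (not part of the ticket, any commenter's post, or MongoDB's code): a pre-flight check that refuses to launch the shell when the certificate in the PEM key file has expired, built on the same openssl x509 command mentioned above. The function names are hypothetical; the ./bin/mongo path and flags are the ones shown in the description.

```shell
#!/bin/sh
# Added example, not MongoDB code. Function names are hypothetical.
# Pre-flight expiry check for the PEM given to `mongo --ssl --sslPEMKeyFile`.

# Print the notAfter date of the first certificate found in the PEM file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still valid $2 seconds from now.
# `-checkend N` exits non-zero when the certificate expires within N seconds,
# so N=0 asks "is it expired right now?".
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_client_pem PEM [SECONDS]
# Returns 0 = usable, 1 = expired or expiring within SECONDS, 2 = no certificate.
check_client_pem() {
    pem=$1
    window=${2:-0}
    # -checkend also fails on unreadable input, so rule that case out first.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "error: $pem: no readable certificate" >&2
        return 2
    fi
    if ! cert_valid_for "$pem" "$window"; then
        echo "error: $pem: certificate notAfter is $(cert_not_after "$pem")" >&2
        return 1
    fi
    return 0
}

# Wrapper: only start the shell when the client certificate has not expired.
# The ./bin/mongo path and flags are the ones used in the ticket.
mongo_checked() {
    check_client_pem "$1" 0 && ./bin/mongo --ssl --sslPEMKeyFile "$1"
}
```

Passing a window such as 2592000 as the second argument to check_client_pem also rejects certificates that expire within the next 30 days.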

Generated at Thu Feb 08 03:18:08 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.