[SERVER-8700] Start mongo shell with expired cert - should fail. Created: 25/Feb/13 Updated: 20/Oct/23 Resolved: 20/Oct/23 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Gregor Macadam | Assignee: | Backlog - Security Team |
| Resolution: | Won't Do | Votes: | 0 |
| Labels: | rp-c | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: |
Server Security
|
| Description |
|
Shell should fail to start with informative message.
ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongod --dbpath ./data/ --sslOnNormalPorts --sslPEMKeyFile smoke.pem
ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongo --ssl --sslPEMKeyFile ../mongo_expired.pem |
| Comments |
| Comment by Spencer Jackson [ 12/May/17 ] |
|
I can confirm, the behavior described by Eric Milkie and Andreas is still present in 3.5. The shell doesn't notice it's running with expired certificates. |
| Comment by Andreas Nilsson [ 31/Jul/14 ] |
|
Let's display a warning in the shell if starting with an expired cert. |
| Comment by Eric Milkie [ 25/Feb/13 ] |
|
If you don't start the server with a CA, no client certificate checking is done by the server. So I'm not sure we want to abort the client because of this. You can check the certificate data (and its expiration date) with the openssl command; something like this: |
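Added example, not part of the ticket or of any commenter's reply: since the shell itself does not notice an expired certificate, a pre-flight check can be wrapped around the launch using the stock `openssl x509` options `-enddate` and `-checkend`. The function names, the 30-day warning window and the constructed test certificate are assumptions made for this illustration.

```shell
#!/bin/sh
# cert_status PEM [WARN_DAYS]
# Prints the notAfter date. Returns 0 = valid, 1 = expires within
# WARN_DAYS, 2 = already expired, 3 = no readable certificate.
cert_status() {
    pem=$1
    warn_days=${2:-30}
    # x509 picks the CERTIFICATE block out of a combined key+cert PEM,
    # the layout passed to --sslPEMKeyFile.
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 3
    echo "$pem: $end"
    # -checkend N exits non-zero if the cert is expired N seconds from now.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1 || return 2
    openssl x509 -in "$pem" -noout \
        -checkend $((warn_days * 86400)) >/dev/null 2>&1 || return 1
    return 0
}

# run_if_cert_valid PEM COMMAND [ARGS...]
# Refuses to run COMMAND when PEM is expired or unreadable; warns when
# it is close to expiry.
run_if_cert_valid() {
    check_pem=$1; shift
    cs_rc=0
    cert_status "$check_pem" 30 >&2 || cs_rc=$?
    case $cs_rc in
        0) ;;
        1) echo "warning: $check_pem expires within 30 days" >&2 ;;
        2) echo "error: $check_pem has expired, not starting" >&2
           return 2 ;;
        *) echo "error: no certificate readable in $check_pem" >&2
           return 3 ;;
    esac
    "$@"
}

# make_test_pem OUT DAYS
# Builds a constructed self-signed key+cert PEM for trying the checks.
make_test_pem() {
    out=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=constructed-test" \
        -keyout "$out.key" -out "$out.crt" 2>/dev/null || return 1
    cat "$out.key" "$out.crt" > "$out"
    rm -f "$out.key" "$out.crt"
}
```

With the ticket's file names the launch would be `run_if_cert_valid ../mongo_expired.pem ./bin/mongo --ssl --sslPEMKeyFile ../mongo_expired.pem`.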