[SERVER-8709] mongo shouldn't be able to connect with revoked cert Created: 25/Feb/13  Updated: 11/Jul/16  Resolved: 28/Feb/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.4.0-rc2

Type: Bug Priority: Major - P3
Reporter: Gregor Macadam Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: crl.pem, gregorFreeBSD.pem, revoked_gregor.pem
Issue Links:
depends on SERVER-8712 "Should not be able to start mongod wi..." (Closed)
Operating System: ALL

Description

Mongod started with CRL, valid cert

$ ./bin/mongod --dbpath ./data/ --sslOnNormalPorts --sslPEMKeyFile ../sslCA/gregorFreeBSD.pem  --replSet rs1 --smallfiles --sslCRLFile=../sslCA/crl/crl.pem 
Mon Feb 25 15:32:48.373 [initandlisten] MongoDB starting : pid=9246 port=27017 dbpath=./data/ 64-bit host=ip-10-36-133-56
Mon Feb 25 15:32:48.374 [initandlisten] db version v2.4.0-rc0, pdfile version 4.5
Mon Feb 25 15:32:48.374 [initandlisten] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
Mon Feb 25 15:32:48.374 [initandlisten] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
Mon Feb 25 15:32:48.374 [initandlisten] allocator: tcmalloc
Mon Feb 25 15:32:48.374 [initandlisten] options: { dbpath: "./data/", replSet: "rs1", smallfiles: true, sslCRLFile: "../sslCA/crl/crl.pem", sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/gregorFreeBSD.pem" }
Mon Feb 25 15:32:48.382 [initandlisten] journal dir=./data/journal
Mon Feb 25 15:32:48.382 [initandlisten] recover : no journal files present, no recovery needed
Mon Feb 25 15:32:48.398 [initandlisten] ssl imported 1 revoked certificate from the revocation list.
Mon Feb 25 15:32:48.399 [initandlisten] waiting for connections on port 27017 ssl
Mon Feb 25 15:32:48.400 [websvr] ssl imported 1 revoked certificate from the revocation list.
Mon Feb 25 15:32:48.400 [websvr] admin web console waiting for connections on port 28017 ssl
Mon Feb 25 15:32:48.404 [rsStart] replSet I am ip-10-36-133-56:27017
Mon Feb 25 15:32:48.404 [rsStart] replSet STARTUP2
Mon Feb 25 15:32:49.406 [rsSync] replSet SECONDARY
Mon Feb 25 15:32:49.406 [rsMgr] replSet info electSelf 0
Mon Feb 25 15:32:50.405 [rsMgr] replSet PRIMARY
Mon Feb 25 15:32:52.664 [initandlisten] connection accepted from 127.0.0.1:54959 #1 (1 connection now open)
Mon Feb 25 15:32:53.650 [conn1] end connection 127.0.0.1:54959 (0 connections now open)
Mon Feb 25 15:32:55.010 [initandlisten] connection accepted from 127.0.0.1:54960 #2 (1 connection now open)

Mongo started with revoked cert

 ./bin/mongo --ssl --sslPEMKeyFile=../sslCA/revoked_gregor.pem 
MongoDB shell version: 2.4.0-rc0
connecting to: test
rs1:PRIMARY> 

Comments
Comment by Gregor Macadam [ 01/Mar/13 ]

Confirmed fixed in version 1f7902206e31305e336c155166a6c12ae0f72ab3

ubuntu@ip-10-36-129-84:~/mongo$ ./mongod --dbpath ./data/ --sslOnNormalPorts --sslPEMKeyFile ../gregorFreeBSD.pem --sslCAFile ../cacert.pem --sslCRLFile ../crl.pem 
Fri Mar  1 17:14:34.690 [initandlisten] MongoDB starting : pid=15958 port=27017 dbpath=./data/ 64-bit host=ip-10-36-129-84
Fri Mar  1 17:14:34.690 [initandlisten] db version v2.4.0-rc2-pre-, pdfile version 4.5
Fri Mar  1 17:14:34.690 [initandlisten] git version: 1f7902206e31305e336c155166a6c12ae0f72ab3
Fri Mar  1 17:14:34.690 [initandlisten] build info: Linux ip-10-36-129-84 3.2.0-36-virtual #57-Ubuntu SMP Tue Jan 8 22:04:49 UTC 2013 x86_64 BOOST_LIB_VERSION=1_49
Fri Mar  1 17:14:34.690 [initandlisten] allocator: tcmalloc
Fri Mar  1 17:14:34.690 [initandlisten] options: { dbpath: "./data/", sslCAFile: "../cacert.pem", sslCRLFile: "../crl.pem", sslOnNormalPorts: true, sslPEMKeyFile: "../gregorFreeBSD.pem" }
Fri Mar  1 17:14:34.716 [initandlisten] journal dir=./data/journal
Fri Mar  1 17:14:34.716 [initandlisten] recover : no journal files present, no recovery needed
Fri Mar  1 17:14:34.886 [initandlisten] ssl imported 1 revoked certificate from the revocation list.
Fri Mar  1 17:14:34.886 [FileAllocator] allocating new datafile ./data/local.ns, filling with zeroes...
Fri Mar  1 17:14:34.886 [FileAllocator] creating directory ./data/_tmp
Fri Mar  1 17:14:34.891 [FileAllocator] done allocating datafile ./data/local.ns, size: 16MB,  took 0.002 secs
Fri Mar  1 17:14:34.891 [FileAllocator] allocating new datafile ./data/local.0, filling with zeroes...
Fri Mar  1 17:14:35.214 [FileAllocator] done allocating datafile ./data/local.0, size: 64MB,  took 0.323 secs
Fri Mar  1 17:14:35.219 [initandlisten] command local.$cmd command: { create: "startup_log", size: 10485760, capped: true } ntoreturn:1 keyUpdates:0  reslen:37 332ms
Fri Mar  1 17:14:35.219 [initandlisten] waiting for connections on port 27017 ssl
Fri Mar  1 17:14:35.220 [websvr] ssl imported 1 revoked certificate from the revocation list.
Fri Mar  1 17:14:35.220 [websvr] admin web console waiting for connections on port 28017 ssl
Fri Mar  1 17:15:38.463 [initandlisten] connection accepted from 127.0.0.1:41893 #1 (1 connection now open)
Fri Mar  1 17:15:38.489 [conn1] ERROR: SSL peer certificate validation failed:certificate revoked
Fri Mar  1 17:15:38.489 [conn1] SocketException handling request, closing client connection: 9001 socket exception [6] 
Fri Mar  1 17:15:48.686 [initandlisten] connection accepted from 127.0.0.1:41894 #2 (1 connection now open)
Fri Mar  1 17:15:54.882 [conn2] end connection 127.0.0.1:41894 (0 connections now open)
Fri Mar  1 17:15:57.957 [initandlisten] connection accepted from 127.0.0.1:41895 #3 (1 connection now open)
Fri Mar  1 17:15:57.964 [conn3] ERROR: SSL peer certificate validation failed:certificate revoked
Fri Mar  1 17:15:57.964 [conn3] SocketException handling request, closing client connection: 9001 socket exception [6] 

ubuntu@ip-10-36-129-84:~/mongo$ ./mongo --ssl --sslPEMKeyFile ../revoked_gregor.pem 
MongoDB shell version: 2.4.0-rc2-pre-
connecting to: test
Fri Mar  1 17:15:57.965 DBClientCursor::init call() failed
Fri Mar  1 17:15:57.966 JavaScript execution failed: Error: DBClientBase::findN: transport error: 127.0.0.1:27017 ns: admin.$cmd query: { whatsmyuri: 1 } at src/mongo/shell/mongo.js:L112
exception: connect failed
ubuntu@ip-10-36-129-84:~/mongo$ 

Comment by auto [ 27/Feb/13 ]

Author: Eric Milkie <milkie@10gen.com>, 2013-02-27T00:30:20Z

Message: SERVER-8709 stricted command line parsing
Branch: master
https://github.com/mongodb/mongo/commit/a61095252979abc4793bfe1c72e2e4bb9790c49f

Comment by Eric Milkie [ 26/Feb/13 ]

It doesn't make sense to use a CRL file and no CA. I will change the server to abort startup in that situation.
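
The two situations on this ticket, a revoked client cert checked against a CA plus CRL (the reporter's test) and a CRL supplied with no CA at all (the configuration this comment calls out), can be reproduced with the openssl CLI. This is an added example, not code from the ticket or from MongoDB; it assumes an `openssl` binary on PATH and creates its own throwaway CA, certificates and CRL in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the ticket: rebuild the reporter's test bench with
# the openssl CLI. A throwaway CA issues one client cert that gets revoked and
# one that stays valid; check_cert then mirrors what mongod does on connect.

make_pki() (                         # $1 = empty scratch directory (no spaces)
  cd "$1" || exit 1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj /CN=ExampleCA -days 30 2>/dev/null
  for name in revoked valid; do
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
        -subj "/CN=$name" 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
        -out "$name.pem" -days 30 2>/dev/null
  done
  # 'openssl ca' needs only a database file to revoke and to issue a CRL
  printf '[ca]\ndefault_ca = d\n[d]\ndatabase = index.txt\ndefault_md = sha256\n' > ca.cnf
  : > index.txt
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -revoke revoked.pem 2>/dev/null
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem -gencrl -crldays 30 \
      -out crl.pem 2>/dev/null
)

# $1 = pki dir, $2 = client cert file, $3 = "ca" (CA + CRL) or "noca" (CRL only,
# the SERVER-8709 configuration). Prints ok / revoked / no-issuer / other.
check_cert() {
  ca_opt=""
  if [ "$3" = "ca" ]; then ca_opt="-CAfile $1/ca.pem"; fi
  if out=$(openssl verify -crl_check $ca_opt -CRLfile "$1/crl.pem" "$1/$2" 2>&1); then
    echo ok; return 0
  fi
  case "$out" in
    *"certificate revoked"*)        echo revoked ;;   # CRL applied: reject
    *"unable to get local issuer"*) echo no-issuer ;; # no CA: CRL never consulted
    *)                              echo other ;;
  esac
}

# Demo when run directly: the same three checks the ticket walks through.
d=$(mktemp -d)
make_pki "$d"
for c in "revoked.pem ca" "valid.pem ca" "revoked.pem noca"; do
  set -- $c
  printf '%-12s %-5s -> %s\n' "$1" "$2" "$(check_cert "$d" "$1" "$2")"
done
rm -rf "$d"
```

With a CRL but no CA the verifier cannot build the issuer chain, so it never reaches the revocation check at all; that is why refusing to start in that configuration is the right fix rather than silently treating the CRL as enforced.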

Comment by Gregor Macadam [ 26/Feb/13 ]

mongod started without --sslCAFile
