[SERVER-8712] Should not be able to start mongod with CA-signed cert without specifying --sslCAFile option Created: 25/Feb/13  Updated: 08/Mar/13  Resolved: 26/Feb/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Gregor Macadam Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File gregorFreeBSD.pem    
Issue Links:
Depends
is depended on by SERVER-8709 mongo shouldn't be able to connect wi... Closed
Operating System: ALL
Participants:

Description

ubuntu@ip-10-36-133-56:~/mongodb-linux-x86_64-subscription-ubuntu1104-2.4.0-rc0$ ./bin/mongod --dbpath ./data/ --sslOnNormalPorts --sslPEMKeyFile ../sslCA/gregorFreeBSD.pem  --replSet rs1 --smallfiles 
Mon Feb 25 16:10:00.135 [initandlisten] MongoDB starting : pid=9598 port=27017 dbpath=./data/ 64-bit host=ip-10-36-133-56
Mon Feb 25 16:10:00.136 [initandlisten] db version v2.4.0-rc0, pdfile version 4.5
Mon Feb 25 16:10:00.136 [initandlisten] git version: 09967e98e5d6280305d85553cdb2dd12e2e1e149 modules: subscription
Mon Feb 25 16:10:00.136 [initandlisten] build info: Linux bs-e-ubuntu1104 2.6.38-13-virtual #57-Ubuntu SMP Mon Mar 5 21:16:08 UTC 2012 x86_64 BOOST_LIB_VERSION=1_49
Mon Feb 25 16:10:00.136 [initandlisten] allocator: tcmalloc
Mon Feb 25 16:10:00.136 [initandlisten] options: { dbpath: "./data/", replSet: "rs1", smallfiles: true, sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/gregorFreeBSD.pem" }
Mon Feb 25 16:10:00.144 [initandlisten] journal dir=./data/journal
Mon Feb 25 16:10:00.144 [initandlisten] recover : no journal files present, no recovery needed
Mon Feb 25 16:10:00.161 [initandlisten] waiting for connections on port 27017 ssl
Mon Feb 25 16:10:00.162 [websvr] admin web console waiting for connections on port 28017 ssl
Mon Feb 25 16:10:00.165 [rsStart] replSet I am ip-10-36-133-56:27017
Mon Feb 25 16:10:00.165 [rsStart] replSet STARTUP2
Mon Feb 25 16:10:01.167 [rsSync] replSet SECONDARY
Mon Feb 25 16:10:01.167 [rsMgr] replSet info electSelf 0
Mon Feb 25 16:10:02.166 [rsMgr] replSet PRIMARY

Comments
Comment by Eric Milkie [ 26/Feb/13 ]

If you don't supply "--sslCAFile", it means you don't want any certificate validation. In that case, we don't care who signed the certificate, as long as the private key in the PEM file matches the certificate.

If we changed the behavior to only accept self-signed certificates and no others, this might break users when they upgraded, even though they changed nothing except the mongod version.
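The behaviour described in this comment (no --sslCAFile means no peer certificate validation at all) is easy to miss in an audit, because the server still reports "waiting for connections on port 27017 ssl". The following is an added example, not code from the MongoDB project or from anyone on this issue: it parses the `options:` line that mongod 2.4 prints at startup (the format shown in the description) and classifies the TLS posture, flagging the encrypted-but-unvalidated case. The sample log lines are constructed for the example, and the `../sslCA/ca.pem` path in the second sample is a placeholder.

```python
"""Audit mongod startup log lines for TLS enabled without certificate validation.

Added example, not code from the MongoDB project or from this issue's
participants. It parses the "[initandlisten] options:" line mongod 2.4 prints
at startup and classifies the TLS posture. Without sslCAFile the listener is
encrypted but peer certificates are not validated. All sample log lines are
constructed for this example; ../sslCA/ca.pem is a placeholder path.
"""
import re

# Constructed sample mirroring the description: sslOnNormalPorts with a PEM key
# file but no sslCAFile.
SAMPLE_LOG_NO_CA = """\
Mon Feb 25 16:10:00.136 [initandlisten] allocator: tcmalloc
Mon Feb 25 16:10:00.136 [initandlisten] options: { dbpath: "./data/", replSet: "rs1", smallfiles: true, sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/gregorFreeBSD.pem" }
Mon Feb 25 16:10:00.144 [initandlisten] journal dir=./data/journal
"""

# Constructed sample with a CA file set (placeholder path), so peers are validated.
SAMPLE_LOG_WITH_CA = """\
Mon Feb 25 16:12:00.000 [initandlisten] options: { dbpath: "./data/", sslOnNormalPorts: true, sslPEMKeyFile: "../sslCA/gregorFreeBSD.pem", sslCAFile: "../sslCA/ca.pem" }
"""

OPTIONS_RE = re.compile(r"\[initandlisten\] options: \{(.*)\}\s*$")
# key: value pairs; values are double-quoted strings or bare tokens (true/false/numbers)
PAIR_RE = re.compile(r'(\w+):\s*("([^"]*)"|[^,}\s]+)')


def parse_options(log_text):
    """Return the startup options as a dict, or None if no options line is present."""
    for line in log_text.splitlines():
        m = OPTIONS_RE.search(line)
        if not m:
            continue
        opts = {}
        for key, raw, quoted in PAIR_RE.findall(m.group(1)):
            if raw.startswith('"'):
                opts[key] = quoted
            elif raw in ("true", "false"):
                opts[key] = raw == "true"
            else:
                opts[key] = raw
        return opts
    return None


def tls_posture(opts):
    """Classify a parsed options dict.

    "tls-off"         : SSL is not enabled on the normal port
    "tls-unvalidated" : SSL enabled but no sslCAFile, so peer certificates are not validated
    "tls-validated"   : SSL enabled and sslCAFile set
    """
    if not opts.get("sslOnNormalPorts", False):
        return "tls-off"
    if not opts.get("sslCAFile"):
        return "tls-unvalidated"
    return "tls-validated"


def audit_log(log_text):
    """Return {"posture": ..., "findings": [...]} for one mongod startup log."""
    opts = parse_options(log_text)
    if opts is None:
        return {"posture": "unknown",
                "findings": ["no [initandlisten] options line found"]}
    posture = tls_posture(opts)
    findings = []
    if posture == "tls-unvalidated":
        findings.append(
            "sslCAFile not set: connections are encrypted, but mongod accepts any "
            "peer certificate; only the key/certificate consistency of %s is checked"
            % opts.get("sslPEMKeyFile")
        )
    return {"posture": posture, "findings": findings}


if __name__ == "__main__":
    for name, log in (("no-ca", SAMPLE_LOG_NO_CA), ("with-ca", SAMPLE_LOG_WITH_CA)):
        result = audit_log(log)
        print(name, result["posture"], *result["findings"], sep="\n  ")
```

Run it against a real mongod log by reading the file into `audit_log`; a `tls-unvalidated` result on a replica set member means the members are encrypting traffic to each other without checking who they are talking to.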

Generated at Thu Feb 08 03:18:11 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.