<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:16:50 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-8209] reverse logic of --sslForceCertificateValidation</title>
                <link>https://jira.mongodb.org/browse/SERVER-8209</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;Right now if you don&apos;t provide the --sslForceCertificateValidation flag the drivers can connect to the server without presenting a valid client certificate. This is a bad default as it can cause misconfiguration of the server making clients believe that they are validating certificates when in fact they are not unless they provide the --sslForceCertificateValidation flag.&lt;/p&gt;

&lt;p&gt;I propose you get rid of --sslForceCertificateValidation, set validation as the default if you provide a certificate store, and add a new flag called&lt;/p&gt;

&lt;p&gt;--sslIgnoreCertificateValidation&lt;/p&gt;

&lt;p&gt;This makes the action of lowering the security level a user explicit decision and the default is the strongest possible validation.&lt;/p&gt;


&lt;p&gt;----------------------------------------&lt;br/&gt;
The stuff under here is from when I discovered the behavior&lt;/p&gt;

&lt;p&gt;Running the mongod instance with the following parameters&lt;/p&gt;

&lt;p&gt;mongod --noprealloc --smallfiles --dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 --port 27017 --journal --sslOnNormalPorts --sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem --sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem --sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem&lt;/p&gt;

&lt;p&gt;When providing key and cert in node.js (as needed in node.js) the server responds with.&lt;/p&gt;

&lt;p&gt;Thu Jan 17 15:48:29.545 &amp;#91;initandlisten&amp;#93; connection accepted from 127.0.0.1:59572 #2 (1 connection now open)&lt;br/&gt;
Thu Jan 17 15:48:29.555 &amp;#91;conn2&amp;#93; end connection 127.0.0.1:59572 (0 connections now open)&lt;/p&gt;

&lt;p&gt;in log which is as expected but if I only provide the cert&lt;/p&gt;

&lt;p&gt;Thu Jan 17 15:49:23.039 &amp;#91;initandlisten&amp;#93; connection accepted from 127.0.0.1:59573 #3 (1 connection now open)&lt;br/&gt;
Thu Jan 17 15:49:23.041 &amp;#91;conn3&amp;#93; no SSL certificate provided by peer&lt;br/&gt;
Thu Jan 17 15:49:23.048 &amp;#91;conn3&amp;#93; end connection 127.0.0.1:59573 (0 connections now open)&lt;/p&gt;

&lt;p&gt;But socket stays open and operations are executed correctly against the db&lt;/p&gt;</description>
                <environment>osx 10.8, </environment>
        <key id="62297">SERVER-8209</key>
            <summary>reverse logic of --sslForceCertificateValidation</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="milkie@mongodb.com">Eric Milkie</assignee>
                                    <reporter username="christkv">Christian Amor Kvalheim</reporter>
                        <labels>
                    </labels>
                <created>Thu, 17 Jan 2013 14:57:21 +0000</created>
                <updated>Mon, 11 Jul 2016 17:59:01 +0000</updated>
                            <resolved>Fri, 18 Jan 2013 19:33:17 +0000</resolved>
                                    <version>2.4.0-rc0</version>
                                    <fixVersion>2.4.0-rc0</fixVersion>
                                    <component>Networking</component>
                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>6</watches>
                                                                                                                <comments>
                            <comment id="245697" author="auto" created="Mon, 21 Jan 2013 16:39:24 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;date&apos;: u&apos;2013-01-21T16:39:09Z&apos;, u&apos;email&apos;: u&apos;milkie@10gen.com&apos;, u&apos;name&apos;: u&apos;Eric Milkie&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-8209&quot; title=&quot;reverse logic of --sslForceCertificateValidation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-8209&quot;&gt;&lt;del&gt;SERVER-8209&lt;/del&gt;&lt;/a&gt; with weak validation, &apos;no certificate&apos; is not an error&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/7ea3aa490775b2076433123f79ab7235d07328e5&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/7ea3aa490775b2076433123f79ab7235d07328e5&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="243786" author="auto" created="Fri, 18 Jan 2013 19:29:38 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{u&apos;date&apos;: u&apos;2013-01-18T19:23:52Z&apos;, u&apos;email&apos;: u&apos;milkie@10gen.com&apos;, u&apos;name&apos;: u&apos;Eric Milkie&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-8209&quot; title=&quot;reverse logic of --sslForceCertificateValidation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-8209&quot;&gt;&lt;del&gt;SERVER-8209&lt;/del&gt;&lt;/a&gt; reverse logic of --sslForceCertificateValidation with --sslWeakCertificateValidation&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/1a1f72cc2a298289a0303c0eb316f363c75be057&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/1a1f72cc2a298289a0303c0eb316f363c75be057&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="242911" author="milkie" created="Thu, 17 Jan 2013 20:52:32 +0000"  >&lt;p&gt;Going to implement --sslWeakCertificateValidation instead, with the opposite logic of the &apos;force&apos; one.&lt;/p&gt;</comment>
                            <comment id="242723" author="christkv" created="Thu, 17 Jan 2013 17:54:42 +0000"  >&lt;p&gt;Changed the definition of the ticket after talking to Eric&lt;/p&gt;</comment>
                            <comment id="242560" author="christkv" created="Thu, 17 Jan 2013 15:29:00 +0000"  >&lt;p&gt;Yeah, the inverse makes more sense, as it would be an explicit override to turn off the validation, which would make it less likely for a customer to put it in production and forget the --sslForceCertificateValidation parameter.&lt;/p&gt;</comment>
                            <comment id="242551" author="milkie" created="Thu, 17 Jan 2013 15:18:11 +0000"  >&lt;p&gt;Using a CA without the force flag would be used for transition/upgrade purposes.  Do you think it should be the default when using a CA, and the flag would only need to be used to turn off required client certificates?&lt;/p&gt;</comment>
                            <comment id="242539" author="christkv" created="Thu, 17 Jan 2013 15:09:18 +0000"  >&lt;p&gt;OK, that seems a bit counterintuitive. If you provide a CA for the SSL, is that not implicitly asking for sslForceCertificateValidation? Are there any circumstances where you want validation to work but not close the connection?&lt;/p&gt;

&lt;p&gt;If you pass an invalid certificate it will close the connection even if --sslForceCertificateValidation is not specified; that&apos;s the reason I logged the ticket, as it seems inconsistent.&lt;/p&gt;</comment>
                            <comment id="242535" author="milkie" created="Thu, 17 Jan 2013 15:03:23 +0000"  >&lt;p&gt;If you want the connection to close when no certificate is provided, you must use --sslForceCertificateValidation&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="58986">DRIVERS-65</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>8.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 17 Jan 2013 15:03:23 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        11 years, 4 weeks, 2 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>ramon.fernandez@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            11 years, 4 weeks, 2 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Old_Backport</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10000"><![CDATA[No]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>auto</customfieldvalue>
            <customfieldvalue>christkv</customfieldvalue>
            <customfieldvalue>milkie@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrnb9r:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrlnfb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>39848</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;Have not figured out how to reproduce it using the mongo shell as it presents the credentials correctly. I&apos;ve added a link to the node.js test that should break but does not. Ping me if you need help setting it up.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/mongodb/node-mongodb-native/blob/sslValidation/test/auxilliary/ssl/ssl_present_certificate_test.js#L41&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/node-mongodb-native/blob/sslValidation/test/auxilliary/ssl/ssl_present_certificate_test.js#L41&lt;/a&gt;&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrl7yf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>