Core Server / SERVER-11107

By default, mongod should not start with an expired or invalid server certificate

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 2.7.4
    • Affects Version/s: None
    • Component/s: Security
    • Fully Compatible
    • ALL

      I started mongod like this:

      mongod --sslOnNormalPorts --sslPEMKeyFile libs/server_expired.pem --sslCAFile libs/ca_377.pem --smallfiles --nojournal --dbpath data/db
      

      and connected to it with a mongo shell (there are no startup warnings specifically about the expired certificate):

      mongo --ssl --sslPEMKeyFile libs/client_377.pem
      MongoDB shell version: 2.5.3-pre-
      connecting to: test
      Server has startup warnings:
      2013-10-09T20:25:22.712+0000 [initandlisten]
      2013-10-09T20:25:22.712+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
      2013-10-09T20:25:22.712+0000 [initandlisten] **       Not recommended for production.
      2013-10-09T20:25:22.712+0000 [initandlisten]
      2013-10-09T20:25:22.712+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
      2013-10-09T20:25:22.712+0000 [initandlisten]
      > 
      

      This is the log output from mongod during the process:

      2013-10-09T19:24:29.401+0000 [initandlisten] MongoDB starting : pid=16676 port=27017 dbpath=data/db 64-bit host=llmac
      2013-10-09T19:24:29.401+0000 [initandlisten]
      2013-10-09T19:24:29.401+0000 [initandlisten] ** NOTE: This is a development version (2.5.3-pre-) of MongoDB.
      2013-10-09T19:24:29.401+0000 [initandlisten] **       Not recommended for production.
      2013-10-09T19:24:29.401+0000 [initandlisten]
      2013-10-09T19:24:29.401+0000 [initandlisten] ** WARNING: soft rlimits too low. Number of files is 256, should be at least 1000
      2013-10-09T19:24:29.401+0000 [initandlisten]
      2013-10-09T19:24:29.401+0000 [initandlisten] db version v2.5.3-pre-
      2013-10-09T19:24:29.401+0000 [initandlisten] git version: c70a72b151fcfab26d0db5e8ceeb7c04a96ce449
      2013-10-09T19:24:29.401+0000 [initandlisten] OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
      2013-10-09T19:24:29.401+0000 [initandlisten] build info: Darwin llmac 12.5.0 Darwin Kernel Version 12.5.0: Mon Jul 29 16:33:49 PDT 2013; root:xnu-2050.48.11~1/RELEASE_X86_64 x86_64 BOOST_LIB_VERSION=1_49
      2013-10-09T19:24:29.401+0000 [initandlisten] allocator: tcmalloc
      2013-10-09T19:24:29.401+0000 [initandlisten] options: { dbpath: "data/db", nojournal: true, smallfiles: true, ssl: { CAFile: "libs/ca_377.pem", PEMKeyFile: "libs/server_expired.pem", sslOnNormalPorts: true } }
      2013-10-09T19:24:29.407+0000 [initandlisten] waiting for connections on port 27017 ssl
      2013-10-09T19:24:43.759+0000 [initandlisten] connection accepted from 127.0.0.1:49513 #1 (1 connection now open)
      2013-10-09T19:25:29.396+0000 [clientcursormon] mem (MB) res:39 virt:2472
      2013-10-09T19:25:29.396+0000 [clientcursormon]  mapped:32
      2013-10-09T19:25:29.396+0000 [clientcursormon]  connections:1
      

      Commands I used to create the certificates:

      # Create CA
      openssl req -new -nodes -x509 -days 365 -out testCA/cacert.pem -keyout testCA/private/cakey.pem -subj "/C=US/ST=California/L=Palo Alto/O=MongoDB/OU=QA/CN=TEST-377-CA" -config openssl.cnf
      cp testCA/cacert.pem libs/ca_377.pem
      
      # Client certificate
      openssl req -newkey rsa:1024 -nodes -sha1 -keyout testClient.key -keyform PEM -out testClient.req -outform PEM -subj "/C=US/ST=California/L=Palo Alto/O=MongoDB/OU=QAClient/CN=TEST-377-CLIENT"  -config openssl.cnf
      openssl ca -in testClient.req -out testClient.crt -config openssl.cnf
      cat testClient.crt testClient.key > libs/client_377.pem
      
      # Server expired certificate
      openssl req -newkey rsa:1024 -nodes -sha1 -keyout expiredServer.key -keyform PEM -out expiredServer.req -outform PEM -subj "/C=US/ST=California/L=Palo Alto/O=MongoDB/OU=QAServerExpired/CN=TEST-377-SERVER" -config openssl.cnf
      openssl ca -in expiredServer.req -out expiredServer.crt -config openssl.cnf -startdate 120815080000Z -enddate 120815080100Z
      cat expiredServer.crt expiredServer.key > libs/server_expired.pem
      

      MongoDB servers should refuse to start when launched with an expired SSL certificate. Further, there should be a command line option to override this behavior, which should simply put a warning in the startup log.

        1. ca_377.pem
          1.0 kB
          Luke Lovett
        2. client_377.pem
          4 kB
          Luke Lovett
        3. openssl.cnf
          10 kB
          Luke Lovett
        4. server_expired.pem
          4 kB
          Luke Lovett

            Assignee: Melissa O'Sullivan
            Reporter: Luke Lovett
            Votes: 0
            Watchers: 9
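
The behavior requested in the description (refuse to start on an expired certificate, with an override that only logs a warning) can be modelled as a startup preflight check. This is an added example, not mongod's code or part of the original report; `allow_invalid` is a hypothetical stand-in for the requested override option, and the sample values are the `-startdate`/`-enddate` and startup log timestamp shown in the report.

```python
from datetime import datetime, timezone


def parse_utctime(value):
    """Parse an ASN.1 UTCTime (YYMMDDHHMMSSZ), the form passed to
    `openssl ca -startdate/-enddate` in the report."""
    if len(value) != 13 or not value.endswith("Z") or not value[:12].isdigit():
        raise ValueError("not a UTCTime value: %r" % value)
    yy = int(value[:2])
    # RFC 5280: two-digit years 50-99 mean 19YY, 00-49 mean 20YY.
    year = (1900 if yy >= 50 else 2000) + yy
    return datetime(year, int(value[2:4]), int(value[4:6]),
                    int(value[6:8]), int(value[8:10]), int(value[10:12]),
                    tzinfo=timezone.utc)


def startup_decision(not_before, not_after, now, allow_invalid=False):
    """Return (action, reason); action is 'start', 'warn' or 'refuse'.

    allow_invalid is a hypothetical name for the override the report
    asks for; it is not a real mongod option.
    """
    start, end = parse_utctime(not_before), parse_utctime(not_after)
    if now < start:
        reason = "certificate not valid until %s" % start.isoformat()
    elif now > end:
        reason = "certificate expired at %s" % end.isoformat()
    else:
        return ("start", "certificate is within its validity period")
    # Outside the validity window: refuse by default, warn only on override.
    return ("warn" if allow_invalid else "refuse", reason)


# Values taken from the report: the expired server certificate's validity
# window and the time mongod logged "MongoDB starting".
NOT_BEFORE, NOT_AFTER = "120815080000Z", "120815080100Z"
STARTED = datetime(2013, 10, 9, 19, 24, 29, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(startup_decision(NOT_BEFORE, NOT_AFTER, STARTED))
    print(startup_decision(NOT_BEFORE, NOT_AFTER, STARTED, allow_invalid=True))
```

The check also covers a certificate whose validity period has not begun yet, which is another way for a server certificate to be invalid at startup.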
