- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 2.4.0-rc0
- Component/s: Networking, Security
- None
- Environment: osx 10.8,
- ALL
Right now, if you don't provide the --sslForceCertificateValidation flag, the drivers can connect to the server without presenting a valid client certificate. This is a bad default, as it can cause misconfiguration of the server, making clients believe that they are validating certificates when in fact they are not unless they provide the --sslForceCertificateValidation flag.
I propose you get rid of --sslForceCertificateValidation, set validation as the default if you provide a certificate store, and add a new flag called --sslIgnoreCertificateValidation.
This makes the action of lowering the security level an explicit user decision, and the default is the strongest possible validation.
----------------------------------------
The stuff under here is from when I discovered the behavior
Running the mongod instance with the following parameters:
mongod --noprealloc --smallfiles --dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 --port 27017 --journal --sslOnNormalPorts --sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem --sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem --sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem
When providing key and cert in node.js (as needed in node.js), the server responds with:
Thu Jan 17 15:48:29.545 [initandlisten] connection accepted from 127.0.0.1:59572 #2 (1 connection now open)
Thu Jan 17 15:48:29.555 [conn2] end connection 127.0.0.1:59572 (0 connections now open)
in the log, which is as expected, but if I only provide the cert:
Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)
Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer
Thu Jan 17 15:49:23.048 [conn3] end connection 127.0.0.1:59573 (0 connections now open)
But the socket stays open and operations are executed correctly against the db.
- is related to: DRIVERS-65 SSL certificate validation testing (Closed)
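Added example, not part of the original report or of MongoDB's code: a log check that finds connections the server kept open after logging "no SSL certificate provided by peer", correlating each one with the peer address from its "connection accepted" line. The function name and the connection #4 lines (peer 192.0.2.10) are constructed for illustration; the other sample lines are the ones quoted in the report.

```python
import re

# Log lines quoted in the report, plus a constructed connection #4 that has
# no certificate and has not been closed yet.
SAMPLE_LOG = """\
Thu Jan 17 15:48:29.545 [initandlisten] connection accepted from 127.0.0.1:59572 #2 (1 connection now open)
Thu Jan 17 15:48:29.555 [conn2] end connection 127.0.0.1:59572 (0 connections now open)
Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)
Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer
Thu Jan 17 15:49:23.048 [conn3] end connection 127.0.0.1:59573 (0 connections now open)
Thu Jan 17 15:50:01.100 [initandlisten] connection accepted from 192.0.2.10:40000 #4 (1 connection now open)
Thu Jan 17 15:50:01.102 [conn4] no SSL certificate provided by peer
"""

LINE = re.compile(r"^(?P<ts>.+?) \[(?P<ctx>\w+)\] (?P<msg>.*)$")
ACCEPTED = re.compile(r"^connection accepted from (?P<peer>\S+) #(?P<id>\d+)")
NO_CERT = "no SSL certificate provided by peer"

def find_uncertified_connections(log_text):
    """Return one record per connection accepted without a client certificate.

    Assumes connection ids are unique within the log passed in
    (a single mongod run).
    """
    peers = {}    # connection id -> "host:port" from the accept line
    flagged = {}  # connection id -> finding
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ctx, msg = m["ctx"], m["msg"]
        if ctx == "initandlisten":
            accepted = ACCEPTED.match(msg)
            if accepted:
                peers[accepted["id"]] = accepted["peer"]
        elif ctx.startswith("conn"):
            conn_id = ctx[len("conn"):]
            if msg == NO_CERT:
                flagged[conn_id] = {"conn": int(conn_id),
                                    "peer": peers.get(conn_id, "unknown"),
                                    "first_seen": m["ts"], "closed": False}
            elif msg.startswith("end connection") and conn_id in flagged:
                flagged[conn_id]["closed"] = True
    return sorted(flagged.values(), key=lambda r: r["conn"])

if __name__ == "__main__":
    for finding in find_uncertified_connections(SAMPLE_LOG):
        print(finding)
```

Any record with "closed" still False is a live session from a client that never presented a certificate.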