Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Works as Designed
Priority: Major - P3
Fix Version/s: None
Affects Version/s: 7.0.5
Component/s: None
Labels:
- TLS/SSL
- security

Operating System:
ALL
Sprint:
Security 2024-02-05, Security 2024-02-19

I have setup a stand-alone mongod like this:

net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: mongo.server.pem
    CAFile: mongo-ca.cer
    allowConnectionsWithoutCertificates: false
    allowInvalidCertificates: false

security:
  authorization: enabled

Documentation says:

For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.

For clients that present a certificate, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.

However, the behavior is different.

If I don't provide a client certificate, then the connection is rejected (instead of encrypts the TLS/SSL connection, assuming the connection is successfully made):

mongosh "mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8afb4924b39f4ec3b77f5
Connecting to:          mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
MongoServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed

If I provide an invalid client certificate, then the connection is successful (instead of reject clients):

openssl verify -CAfile mongo-ca.cer mongo.client-bad.pem
CN = admin
error 20 at 0 depth lookup: unable to get local issuer certificate
error mongo.client-bad.pem: verification failed


mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8b0987645903dc9cc5ecd
Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB:          7.0.5
Using Mongosh:          2.1.1

test> db.getMongo()
mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1

If the client provides a valid certificate, then of course everything is working fine and as expected:

openssl verify -CAfile mongo-ca.cer mongo.client.pem
mongo.client.pem: OK

openssl verify -CAfile mongo-ca.cer mongo.server.pem
mongo.server.pem: OK


mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8b213027a4c163908974c
Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB:          7.0.5
Using Mongosh:          2.1.1

test> db.getMongo()
mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1

Tested in Windows 10 environment.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

mongo-ca.cer
Feb 04 2024 09:56:20 AM UTC
4 kB
Wernfried Domscheit
mongo.client-bad.pem
Feb 04 2024 09:56:20 AM UTC
5 kB
Wernfried Domscheit
mongo.client.pem
Feb 04 2024 09:56:20 AM UTC
5 kB
Wernfried Domscheit
mongo.server.pem
Feb 04 2024 09:56:20 AM UTC
5 kB
Wernfried Domscheit

Assignee:: Brad Moore

Reporter:: Wernfried Domscheit

Participants:: Brad Moore, Wernfried Domscheit

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: Jan 30 2024 08:35:19 AM UTC

Updated:: Feb 20 2024 01:58:13 PM UTC

Resolved:: Feb 20 2024 01:58:12 PM UTC

Details

Description

Attachments

Attachments

Activity

People

Dates