Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-85910

Setting allowConnectionsWithoutCertificates is ignored

    • Type: Icon: Bug Bug
    • Resolution: Works as Designed
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 7.0.5
    • Component/s: None
    • ALL
    • Security 2024-02-05, Security 2024-02-19

      I have setup a stand-alone mongod like this:

       

      net:
        port: 27017
        bindIpAll: true
        tls:
          mode: requireTLS
          certificateKeyFile: mongo.server.pem
          CAFile: mongo-ca.cer
          allowConnectionsWithoutCertificates: false
          allowInvalidCertificates: false
      
      security:
        authorization: enabled
      

       

      Documentation says:

      • For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.
      • For clients that present a certificate, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.

       

      However, the behavior is different.

      If I don't provide a client certificate, then the connection is rejected (instead of encrypts the TLS/SSL connection, assuming the connection is successfully made):

      mongosh "mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer"
      Current Mongosh Log ID: 65b8afb4924b39f4ec3b77f5
      Connecting to:          mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
      MongoServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed 

      If I provide an invalid client certificate, then the connection is successful (instead of reject clients):

      openssl verify -CAfile mongo-ca.cer mongo.client-bad.pem
      CN = admin
      error 20 at 0 depth lookup: unable to get local issuer certificate
      error mongo.client-bad.pem: verification failed
      
      
      mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer"
      Current Mongosh Log ID: 65b8b0987645903dc9cc5ecd
      Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
      Using MongoDB:          7.0.5
      Using Mongosh:          2.1.1
      
      test> db.getMongo()
      mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
      
      

      If the client provides a valid certificate, then of course everything is working fine and as expected:

      openssl verify -CAfile mongo-ca.cer mongo.client.pem
      mongo.client.pem: OK
      
      openssl verify -CAfile mongo-ca.cer mongo.server.pem
      mongo.server.pem: OK
      
      
      mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer"
      Current Mongosh Log ID: 65b8b213027a4c163908974c
      Connecting to:          mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
      Using MongoDB:          7.0.5
      Using Mongosh:          2.1.1
      
      test> db.getMongo()
      mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
      

      Tested in Windows 10 environment.

       

       

       

       

        1. mongo.client.pem
          5 kB
        2. mongo.client-bad.pem
          5 kB
        3. mongo.server.pem
          5 kB
        4. mongo-ca.cer
          4 kB

            Assignee:
            brad.moore@mongodb.com Brad Moore
            Reporter:
            wernfried.domscheit@sunrise.net Wernfried Domscheit
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: