- Type: Bug
- Resolution: Duplicate
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: None
Current status:
Since MongoDB 4.2, the SSL/TLS options were migrated from -ssl to -tls on mongo, mongod, and mongos:
############## 4.2 ##############
mongo --version
MongoDB shell version v4.2.23
git version: f4e6602d3a4c5b22e9d8bcf0722d0afd0ec01ea2
OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020

mongo --help | egrep -i 'ssl|tls'
TLS Options:
  --tls                                 use TLS for all connections
  --tlsCertificateKeyFile arg           PEM certificate/key file for TLS
  --tlsCertificateKeyFilePassword arg   Password for key in PEM file for TLS
  --tlsCAFile arg                       Certificate Authority file for TLS
  --tlsCRLFile arg                      Certificate Revocation List file for TLS
  --tlsAllowInvalidHostnames            Allow connections to servers with
  --tlsAllowInvalidCertificates         Allow connections to servers with
  --tlsFIPSMode                         Activate FIPS 140-2 mode at startup
  --tlsDisabledProtocols arg            Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]

############## 4.0 ##############
mongo --version
MongoDB shell version v4.0.28
git version: af1a9dc12adcfa83cc19571cb3faba26eeddac92
OpenSSL version: OpenSSL 1.1.1f 31 Mar 2020

mongo --help | egrep -i 'ssl|tls'
  --ssl                                 use SSL for all connections
  --sslCAFile arg                       Certificate Authority file for SSL
  --sslPEMKeyFile arg                   PEM certificate/key file for SSL
  --sslPEMKeyPassword arg               password for key in PEM file for SSL
  --sslCRLFile arg                      Certificate Revocation List file for SSL
  --sslAllowInvalidHostnames            allow connections to servers with
  --sslAllowInvalidCertificates         allow connections to servers with invalid
  --sslFIPSMode                         activate FIPS 140-2 mode at startup
  --sslDisabledProtocols arg            Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]
However, when we check the MongoDB tools, we can see they are still using the legacy options:
mongodump --version
mongodump version: 100.6.1
git version: 6d9d341edd33b892a2ded7bae529b0e2a96aae01
Go version: go1.17.10

mongodump --help | egrep -i 'ssl|tls'
ssl options:
  --ssl                             connect to a mongod or mongos that has ssl enabled
  --sslCAFile=<filename>            the .pem file containing the root certificate chain from the certificate authority
  --sslPEMKeyFile=<filename>        the .pem file containing the certificate and key
  --sslPEMKeyPassword=<password>    the password to decrypt the sslPEMKeyFile, if necessary
  --sslCRLFile=<filename>           the .pem file containing the certificate revocation list
  --sslFIPSMode                     use FIPS mode of the installed openssl library
  --tlsInsecure                     bypass the validation for server's certificate chain and host name
Proposed Fix:
Update the SSL/TLS options on MongoDB Tools to use the current standard since 4.2.
The current scenario can lead to errors since the options for mongo, mongod, and mongos are not accepted by MongoDB Tools.
- duplicates: TOOLS-2375 Add TLS command line options and deprecate SSL command line options.
- Accepted
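As an added illustration of the mismatch described in this ticket (not code from the reporter or from the MongoDB Tools project), the shell function below renames the --tls* options from the 4.2 mongo help output to the --ssl* names in the mongodump 100.6.1 help output, pairing them by their matching help descriptions. The function name tls_to_ssl_args and the sample paths are assumptions. It refuses the two --tlsAllowInvalid* options rather than mapping them to --tlsInsecure, because the tools help describes that flag as bypassing both chain and host name validation.

```shell
#!/bin/sh
# Added example: translate mongo/mongod-style --tls* options into the --ssl*
# names listed in the mongodump 100.6.1 help output quoted in this ticket.
# Prints one translated argument per line; returns 2 for an option with no
# safe equivalent. tls_to_ssl_args is a hypothetical helper name.

tls_to_ssl_args() {
    for arg in "$@"; do
        # Split "--name=value" into the name and "=value" (empty when absent).
        name=${arg%%=*}
        case $arg in
            *=*) value="=${arg#*=}" ;;
            *)   value="" ;;
        esac
        case $name in
            --tls)                           name=--ssl ;;
            --tlsCAFile)                     name=--sslCAFile ;;
            --tlsCertificateKeyFile)         name=--sslPEMKeyFile ;;
            --tlsCertificateKeyFilePassword) name=--sslPEMKeyPassword ;;
            --tlsCRLFile)                    name=--sslCRLFile ;;
            --tlsFIPSMode)                   name=--sslFIPSMode ;;
            --tlsAllowInvalidHostnames|--tlsAllowInvalidCertificates)
                # The tools help lists only --tlsInsecure, which skips both
                # chain and host name validation. Mapping to it would widen
                # the bypass the caller asked for, so refuse instead.
                echo "refusing $name: tools only offer --tlsInsecure" >&2
                return 2 ;;
            --tlsDisabledProtocols)
                echo "refusing $name: not in the tools help output" >&2
                return 2 ;;
        esac
        # Anything else (values, non-TLS options) passes through unchanged.
        printf '%s\n' "$name$value"
    done
}

# Constructed sample invocation; the CA path is a placeholder.
tls_to_ssl_args --tls --tlsCAFile=/etc/ssl/ca.pem
```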