MongoDB Database Tools / TOOLS-3224

MongoDB Tools didn't migrate the SSL options to TLS

    • Type: Bug
    • Resolution: Duplicate
    • Priority: Minor - P4
    • Affects Version/s: None
    • Component/s: None

      Current status:

      Since MongoDB 4.2, the SSL/TLS options were migrated from -ssl to -tls on mongo, mongod, and mongos:

      ############## 4.2 ##############
      mongo --version
      MongoDB shell version v4.2.23
      git version: f4e6602d3a4c5b22e9d8bcf0722d0afd0ec01ea2
      OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
      mongo --help | egrep -i 'ssl|tls'
      TLS Options:
        --tls                                use TLS for all connections
        --tlsCertificateKeyFile arg          PEM certificate/key file for TLS
        --tlsCertificateKeyFilePassword arg  Password for key in PEM file for TLS
        --tlsCAFile arg                      Certificate Authority file for TLS
        --tlsCRLFile arg                     Certificate Revocation List file for TLS
        --tlsAllowInvalidHostnames           Allow connections to servers with 
        --tlsAllowInvalidCertificates        Allow connections to servers with 
        --tlsFIPSMode                        Activate FIPS 140-2 mode at startup
        --tlsDisabledProtocols arg           Comma separated list of TLS protocols to
                                             disable [TLS1_0,TLS1_1,TLS1_2]

       

      ############## 4.0 ##############
      mongo --version
      MongoDB shell version v4.0.28
      git version: af1a9dc12adcfa83cc19571cb3faba26eeddac92
      OpenSSL version: OpenSSL 1.1.1f  31 Mar 2020
      mongo --help | egrep -i 'ssl|tls'
        --ssl                               use SSL for all connections
        --sslCAFile arg                     Certificate Authority file for SSL
        --sslPEMKeyFile arg                 PEM certificate/key file for SSL
        --sslPEMKeyPassword arg             password for key in PEM file for SSL
        --sslCRLFile arg                    Certificate Revocation List file for SSL
        --sslAllowInvalidHostnames          allow connections to servers with 
        --sslAllowInvalidCertificates       allow connections to servers with invalid
        --sslFIPSMode                       activate FIPS 140-2 mode at startup
        --sslDisabledProtocols arg          Comma separated list of TLS protocols to 
                                            disable [TLS1_0,TLS1_1,TLS1_2]

       

      However, when we check the MongoDB tools, we can see they are still using the legacy options:

      mongodump --version
      mongodump version: 100.6.1
      git version: 6d9d341edd33b892a2ded7bae529b0e2a96aae01
      Go version: go1.17.10
      mongodump --help | egrep -i 'ssl|tls'
      ssl options:
            --ssl                                                 connect to a mongod or mongos that has ssl enabled
            --sslCAFile=<filename>                                the .pem file containing the root certificate chain from the certificate authority
            --sslPEMKeyFile=<filename>                            the .pem file containing the certificate and key
            --sslPEMKeyPassword=<password>                        the password to decrypt the sslPEMKeyFile, if necessary
            --sslCRLFile=<filename>                               the .pem file containing the certificate revocation list
            --sslFIPSMode                                         use FIPS mode of the installed openssl library
            --tlsInsecure                                         bypass the validation for server's certificate chain and host name

       

      Proposed Fix:

      Update the SSL/TLS options on MongoDB Tools to use the current standard since 4.2.

       

      The current scenario can lead to errors since the options for mongo, mongod, and mongos are not accepted by MongoDB Tools.

            Assignee: Unassigned
            Reporter: Jean da Silva (jean_nsilva@hotmail.com)
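The option translation that this mismatch forces on wrapper scripts, as an added example that is not part of the original report or of the MongoDB tools. The mapping is read off the three `--help` listings quoted above by matching descriptions; `translate` and the sample arguments are hypothetical. Options without a one-to-one counterpart are reported instead of being replaced by `--tlsInsecure`, which the listing describes as bypassing both certificate chain and host name validation.

```python
# Added example. Mapping read off the --help listings quoted in this issue:
# mongo 4.2 option -> mongodump 100.6.1 option with the same description.
TLS_TO_TOOLS = {
    "--tls": "--ssl",
    "--tlsCAFile": "--sslCAFile",
    "--tlsCertificateKeyFile": "--sslPEMKeyFile",
    "--tlsCertificateKeyFilePassword": "--sslPEMKeyPassword",
    "--tlsCRLFile": "--sslCRLFile",
    "--tlsFIPSMode": "--sslFIPSMode",
}

# 4.2 options with no one-to-one entry in the tools listing. Value is True
# when the option takes an argument that must be dropped along with it.
# The tools list only --tlsInsecure, which bypasses BOTH chain and host name
# validation, so it is never substituted for the narrower 4.2 switches.
NO_EQUIVALENT = {
    "--tlsAllowInvalidHostnames": False,
    "--tlsAllowInvalidCertificates": False,
    "--tlsDisabledProtocols": True,
}


def translate(argv):
    """Return (args for the tools, options that need a manual decision)."""
    out, unmapped = [], []
    it = iter(argv)
    for arg in it:
        name, sep, value = arg.partition("=")
        if name in TLS_TO_TOOLS:
            out.append(TLS_TO_TOOLS[name] + sep + value)
        elif name in NO_EQUIVALENT:
            unmapped.append(name)
            if NO_EQUIVALENT[name] and not sep:
                next(it, None)  # discard the separate value token
        else:
            out.append(arg)
    return out, unmapped


if __name__ == "__main__":
    # Constructed sample arguments, not taken from the issue.
    sample = ["--host", "db.example.internal", "--tls",
              "--tlsCAFile=/etc/ssl/ca.pem", "--tlsAllowInvalidHostnames",
              "--tlsDisabledProtocols", "TLS1_0,TLS1_1"]
    print(translate(sample))
```

A non-empty second return value means the original command relaxed or restricted TLS behaviour in a way the tools' listed options cannot express exactly, so the call should be reviewed by hand.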