authorJonathan Reams <jbreams@mongodb.com>2017-12-20 13:17:03 -0500
committerJonathan Reams <jbreams@mongodb.com>2017-12-20 16:05:04 -0500
commit4882a14ef69e456760da9ee4774ad6c5edf2d474 (patch)
treee1cffb6cf0e86ef165f640f9be92d161ea11c6fd
parentbfa801da7c4031fd6711fccc5b4916d310fa4ff0 (diff)
downloadmongo-4882a14ef69e456760da9ee4774ad6c5edf2d474.tar.gz
SERVER-32426 TransportLayer should honor current setParameter values
(cherry picked from commit 3a16c3032d97117cda0ba4e4c75786d0c16807a5)
-rw-r--r--jstests/ssl/set_parameter_ssl.js13
-rw-r--r--src/mongo/transport/session_asio.h4
-rw-r--r--src/mongo/transport/transport_layer_asio.cpp11
-rw-r--r--src/mongo/transport/transport_layer_asio.h4
4 files changed, 26 insertions, 6 deletions
diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js
index a07db207b79..39b0e0040a9 100644
--- a/jstests/ssl/set_parameter_ssl.js
+++ b/jstests/ssl/set_parameter_ssl.js
@@ -13,6 +13,19 @@ function testSSLTransition(oldMode, newMode, shouldSucceed) {
var res = adminDB.runCommand({"setParameter": 1, "sslMode": newMode});
assert(res["ok"] == shouldSucceed, tojson(res));
+ if (!shouldSucceed) {
+ MongoRunner.stopMongod(conn);
+ return;
+ }
+
+ if (newMode != "requireSSL") {
+ MongoRunner.stopMongod(conn);
+ return;
+ }
+
+ let uri = `mongodb://localhost:${conn.port}/admin`;
+ let exitCode = runMongoProgram("mongo", uri, "--eval", "assert.commandWorked(db.isMaster())");
+ assert.neq(exitCode, 0, "Was able to connect without SSL when SSLMode was requireSSL");
MongoRunner.stopMongod(conn);
}
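Review bot: The new check at the end of testSSLTransition, `assert.neq(exitCode, 0, ...)`, passes on any shell failure, not only when the server refuses a plaintext connection, so it cannot tell enforcement apart from an unrelated startup or connection error. A positive control would pin this down: after the plaintext attempt, connect once more using the SSL options the test's server was started with and assert that `isMaster` succeeds. The two early-return branches also repeat `MongoRunner.stopMongod(conn)` and could be merged into `if (!shouldSucceed || newMode != "requireSSL")`. The start of the function is outside the hunk, so the server's startup options are not visible here.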
diff --git a/src/mongo/transport/session_asio.h b/src/mongo/transport/session_asio.h
index 13122b6a2c4..90e15096c46 100644
--- a/src/mongo/transport/session_asio.h
+++ b/src/mongo/transport/session_asio.h
@@ -277,12 +277,12 @@ private:
return _sslSocket->async_handshake(
asio::ssl::stream_base::server, buffer, handshakeCompleteCb);
}
- } else if (_tl->_sslMode == SSLParams::SSLMode_requireSSL) {
+ } else if (_tl->_sslMode() == SSLParams::SSLMode_requireSSL) {
onComplete({ErrorCodes::SSLHandshakeFailed,
"The server is configured to only allow SSL connections"},
false);
} else {
- if (_tl->_sslMode == SSLParams::SSLMode_preferSSL) {
+ if (_tl->_sslMode() == SSLParams::SSLMode_preferSSL) {
LOG(0) << "SSL mode is set to 'preferred' and connection " << id() << " to "
<< remote() << " is not using SSL.";
}
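Review bot: The branch chain now calls `_tl->_sslMode()` twice, and each call reloads the global parameter, so a setParameter that lands between the two reads can leave a plaintext connection accepted under preferSSL without the 'preferred' log line being written. Take one snapshot before the chain, e.g. `const auto sslMode = _tl->_sslMode();`, and compare against it in both places so the accept/reject decision and the log always agree. The enclosing function and the first `if` of the chain start above the hunk, so the snapshot would have to be declared there.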
diff --git a/src/mongo/transport/transport_layer_asio.cpp b/src/mongo/transport/transport_layer_asio.cpp
index d471cdeb20a..e8bc533840a 100644
--- a/src/mongo/transport/transport_layer_asio.cpp
+++ b/src/mongo/transport/transport_layer_asio.cpp
@@ -209,9 +209,8 @@ Status TransportLayerASIO::setup() {
#ifdef MONGO_CONFIG_SSL
const auto& sslParams = getSSLGlobalParams();
- _sslMode = static_cast<SSLParams::SSLModes>(sslParams.sslMode.load());
- if (_sslMode != SSLParams::SSLMode_disabled) {
+ if (_sslMode() != SSLParams::SSLMode_disabled) {
_sslContext = stdx::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
const auto sslManager = getSSLManager();
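Review bot: `_sslContext` is still created only once, in setup(), from whatever `_sslMode()` returns at startup, while the per-connection checks now follow the live value; nothing in this hunk documents why that is safe. If setParameter can never move the server from `SSLMode_disabled` to an enabled mode (the test's `shouldSucceed` flag suggests some transitions are rejected, but that logic is not visible here), state the invariant in a comment above the check, for example `// sslMode cannot leave 'disabled' at runtime, so the context is only needed when SSL is enabled at startup`. Without that guarantee, a later mode change could reach the handshake path with a null `_sslContext`. setup() continues past the end of the hunk.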
@@ -250,7 +249,7 @@ Status TransportLayerASIO::start() {
const char* ssl = "";
#ifdef MONGO_CONFIG_SSL
- if (_sslMode != SSLParams::SSLMode_disabled) {
+ if (_sslMode() != SSLParams::SSLMode_disabled) {
ssl = " ssl";
}
#endif
@@ -315,5 +314,11 @@ void TransportLayerASIO::_acceptConnection(GenericAcceptor& acceptor) {
acceptor.async_accept(*_workerIOContext, std::move(acceptCb));
}
+#ifdef MONGO_CONFIG_SSL
+SSLParams::SSLModes TransportLayerASIO::_sslMode() const {
+ return static_cast<SSLParams::SSLModes>(getSSLGlobalParams().sslMode.load());
+}
+#endif
+
} // namespace transport
} // namespace mongo
diff --git a/src/mongo/transport/transport_layer_asio.h b/src/mongo/transport/transport_layer_asio.h
index 984c343b5f3..1fad643cac1 100644
--- a/src/mongo/transport/transport_layer_asio.h
+++ b/src/mongo/transport/transport_layer_asio.h
@@ -123,6 +123,9 @@ private:
using GenericAcceptor = asio::basic_socket_acceptor<asio::generic::stream_protocol>;
void _acceptConnection(GenericAcceptor& acceptor);
+#ifdef MONGO_CONFIG_SSL
+ SSLParams::SSLModes _sslMode() const;
+#endif
stdx::mutex _mutex;
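Review bot: The new private accessor `_sslMode()` has no comment, and its name reads like the data member it replaces. Add a short doc comment on the declaration saying that it returns the current value of the global sslMode parameter on every call rather than a value cached in setup(), and that a caller needing one consistent decision should read it once. The comment should also say that the mode is consulted when a connection is being set up, so, as far as this diff shows, sessions already established in plaintext are not re-evaluated after a switch to requireSSL.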
@@ -154,7 +157,6 @@ private:
#ifdef MONGO_CONFIG_SSL
std::unique_ptr<asio::ssl::context> _sslContext;
- SSLParams::SSLModes _sslMode;
#endif
std::vector<std::pair<SockAddr, GenericAcceptor>> _acceptors;