author | Jonathan Reams <jbreams@mongodb.com> | 2017-12-20 13:17:03 -0500 |
---|---|---|
committer | Jonathan Reams <jbreams@mongodb.com> | 2017-12-20 16:05:04 -0500 |
commit | 4882a14ef69e456760da9ee4774ad6c5edf2d474 (patch) | |
tree | e1cffb6cf0e86ef165f640f9be92d161ea11c6fd | |
parent | bfa801da7c4031fd6711fccc5b4916d310fa4ff0 (diff) | |
SERVER-32426 TransportLayer should honor current setParameter values
(cherry picked from commit 3a16c3032d97117cda0ba4e4c75786d0c16807a5)
-rw-r--r-- | jstests/ssl/set_parameter_ssl.js | 13 | ||||
-rw-r--r-- | src/mongo/transport/session_asio.h | 4 | ||||
-rw-r--r-- | src/mongo/transport/transport_layer_asio.cpp | 11 | ||||
-rw-r--r-- | src/mongo/transport/transport_layer_asio.h | 4 |
4 files changed, 26 insertions, 6 deletions
diff --git a/jstests/ssl/set_parameter_ssl.js b/jstests/ssl/set_parameter_ssl.js
index a07db207b79..39b0e0040a9 100644
--- a/jstests/ssl/set_parameter_ssl.js
+++ b/jstests/ssl/set_parameter_ssl.js
@@ -13,6 +13,19 @@ function testSSLTransition(oldMode, newMode, shouldSucceed) {
 var res = adminDB.runCommand({"setParameter": 1, "sslMode": newMode});
 assert(res["ok"] == shouldSucceed, tojson(res));
+ if (!shouldSucceed) {
+ MongoRunner.stopMongod(conn);
+ return;
+ }
+
+ if (newMode != "requireSSL") {
+ MongoRunner.stopMongod(conn);
+ return;
+ }
+
+ let uri = `mongodb://localhost:${conn.port}/admin`;
+ let exitCode = runMongoProgram("mongo", uri, "--eval", "assert.commandWorked(db.isMaster())");
+ assert.neq(exitCode, 0, "Was able to connect without SSL when SSLMode was requireSSL");
 MongoRunner.stopMongod(conn);
 }
diff --git a/src/mongo/transport/session_asio.h b/src/mongo/transport/session_asio.h
index 13122b6a2c4..90e15096c46 100644
--- a/src/mongo/transport/session_asio.h
+++ b/src/mongo/transport/session_asio.h
@@ -277,12 +277,12 @@ private:
 return _sslSocket->async_handshake(
 asio::ssl::stream_base::server, buffer, handshakeCompleteCb);
 }
- } else if (_tl->_sslMode == SSLParams::SSLMode_requireSSL) {
+ } else if (_tl->_sslMode() == SSLParams::SSLMode_requireSSL) {
 onComplete({ErrorCodes::SSLHandshakeFailed,
 "The server is configured to only allow SSL connections"},
 false);
 } else {
- if (_tl->_sslMode == SSLParams::SSLMode_preferSSL) {
+ if (_tl->_sslMode() == SSLParams::SSLMode_preferSSL) {
 LOG(0) << "SSL mode is set to 'preferred' and connection " << id() << " to "
 << remote() << " is not using SSL.";
 }
diff --git a/src/mongo/transport/transport_layer_asio.cpp b/src/mongo/transport/transport_layer_asio.cpp
index d471cdeb20a..e8bc533840a 100644
--- a/src/mongo/transport/transport_layer_asio.cpp
+++ b/src/mongo/transport/transport_layer_asio.cpp
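Review bot: The new `assert.neq(exitCode, 0, ...)` at the end of the added block in jstests/ssl/set_parameter_ssl.js passes for any shell failure, not only for a refused plaintext connection, so a server that stopped accepting connections altogether after the switch to requireSSL would also satisfy it. Pairing it with a control that connects over SSL and is expected to exit 0 would pin the behaviour down; the options for that depend on how the test starts mongod, which is outside the hunk. The two early-return branches are identical and could be one condition, `if (!shouldSucceed || newMode != "requireSSL") {`. testSSLTransition begins before the hunk.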
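Review bot: In the session_asio.h hunk `_tl->_sslMode()` is now evaluated twice in one accept decision, once for the requireSSL rejection and again for the preferSSL log line, and each call reloads the global parameter. A setParameter landing between the two reads can make the branch taken and the logged mode disagree. Reading it once before the `if`/`else if` chain, `const auto sslMode = _tl->_sslMode();`, and comparing against `sslMode` in both places gives each connection a single consistent snapshot. The chain starts above the hunk, so the local would have to be declared outside the lines shown.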
@@ -209,9 +209,8 @@ Status TransportLayerASIO::setup() {
 #ifdef MONGO_CONFIG_SSL
 const auto& sslParams = getSSLGlobalParams();
- _sslMode = static_cast<SSLParams::SSLModes>(sslParams.sslMode.load());
- if (_sslMode != SSLParams::SSLMode_disabled) {
+ if (_sslMode() != SSLParams::SSLMode_disabled) {
 _sslContext = stdx::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
 const auto sslManager = getSSLManager();
@@ -250,7 +249,7 @@ Status TransportLayerASIO::start() {
 const char* ssl = "";
 #ifdef MONGO_CONFIG_SSL
- if (_sslMode != SSLParams::SSLMode_disabled) {
+ if (_sslMode() != SSLParams::SSLMode_disabled) {
 ssl = " ssl";
 }
 #endif
@@ -315,5 +314,11 @@ void TransportLayerASIO::_acceptConnection(GenericAcceptor& acceptor) {
 acceptor.async_accept(*_workerIOContext, std::move(acceptCb));
 }
+#ifdef MONGO_CONFIG_SSL
+SSLParams::SSLModes TransportLayerASIO::_sslMode() const {
+ return static_cast<SSLParams::SSLModes>(getSSLGlobalParams().sslMode.load());
+}
+#endif
+
 } // namespace transport
 } // namespace mongo
diff --git a/src/mongo/transport/transport_layer_asio.h b/src/mongo/transport/transport_layer_asio.h
index 984c343b5f3..1fad643cac1 100644
--- a/src/mongo/transport/transport_layer_asio.h
+++ b/src/mongo/transport/transport_layer_asio.h
@@ -123,6 +123,9 @@ private:
 using GenericAcceptor = asio::basic_socket_acceptor<asio::generic::stream_protocol>;
 void _acceptConnection(GenericAcceptor& acceptor);
+#ifdef MONGO_CONFIG_SSL
+ SSLParams::SSLModes _sslMode() const;
+#endif
 stdx::mutex _mutex;
@@ -154,7 +157,6 @@ private:
 #ifdef MONGO_CONFIG_SSL
 std::unique_ptr<asio::ssl::context> _sslContext;
- SSLParams::SSLModes _sslMode;
 #endif
 std::vector<std::pair<SockAddr, GenericAcceptor>> _acceptors; |
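Review bot: In the transport_layer_asio.cpp hunk at setup(), `_sslContext` is still created only once, gated on whatever `_sslMode()` returns at that moment, while sessions now compare against the live value. If a runtime transition away from SSLMode_disabled is ever accepted (the allowed transitions are not visible here), new connections would be judged against requireSSL or preferSSL with no SSL context behind them. A comment at the check would record the assumption, for example `// _sslContext is built once here; later sslMode changes only alter how new connections are checked`. The `sslParams` local in the context line above loses the only use visible in this hunk, so it may now be unused if nothing further down setup() reads it.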
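Review bot: The `_sslMode()` declaration added in the first transport_layer_asio.h hunk has no comment, and it replaces a cached member of the same name with a function that reads the global on every call, which is easy to miss at call sites. I would document it at the declaration: `// Returns the sslMode currently set in the global SSL parameters; read on each call so setParameter changes apply to new connections.` The definition added at the end of transport_layer_asio.cpp is equally bare and would benefit from the same line.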