SERVER-27264 Allow disabling no client certificate warning

(cherry picked from commit 14eb0afce97b372d0dc4d2a4c41a00318a36b0e2)

3 files changed, 68 insertions, 2 deletions

diff --git a/jstests/ssl/ssl_client_certificate_warning_suppression.js b/jstests/ssl/ssl_client_certificate_warning_suppression.js
new file mode 100644
index 00000000000..4c6fa63128e
--- /dev/null
+++ b/jstests/ssl/ssl_client_certificate_warning_suppression.js
@@ -0,0 +1,53 @@
+/**
+ * Tests the startup-only setParameter value suppressNoTLSPeerCertificateWarning which suppresses
+ * the log message "no SSL certificate provided by peer" when a client certificate is not provided.
+ * This only works if weak validation is enabled.
+ *
+ * This test confirms that the log message is output when the setParameter is set to true,
+ * and is not output when the setParameter is set to false.
+ */
+
+load('jstests/ssl/libs/ssl_helpers.js');
+
+(function() {
+    'use strict';
+
+    function test(suppress) {
+        const opts = {
+            sslMode: 'requireSSL',
+            sslPEMKeyFile: "jstests/libs/server.pem",
+            sslCAFile: "jstests/libs/ca.pem",
+            waitForConnect: false,
+            sslAllowConnectionsWithoutCertificates: "",
+            setParameter: {suppressNoTLSPeerCertificateWarning: suppress}
+        };
+        clearRawMongoProgramOutput();
+        const mongod = MongoRunner.runMongod(opts);
+
+        assert.soon(function() {
+            return runMongoProgram('mongo',
+                                   '--ssl',
+                                   '--sslAllowInvalidHostnames',
+                                   '--sslCAFile',
+                                   CA_CERT,
+                                   '--port',
+                                   mongod.port,
+                                   '--eval',
+                                   'quit()') === 0;
+        }, "mongo did not initialize properly");
+
+        const log = rawMongoProgramOutput();
+        assert.eq(suppress, log.search('no SSL certificate provided by peer') === -1);
+
+        try {
+            MongoRunner.stopMongod(mongod);
+        } catch (e) {
+            // Depending on timing, exitCode might be 0, 1, or -9.
+            // All that matters is that it dies, resmoke will tell us if that failed.
+            // So just let it go, the exit code never bothered us anyway.
+        }
+    }
+
+    test(true);
+    test(false);
+})();
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 90e9170ab6e..c4dfd5fe8ac 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -115,6 +115,11 @@ ExportedServerParameter<std::string, ServerParameterType::kStartupOnly>
     setDiffieHellmanParameterPEMFile(ServerParameterSet::getGlobal(),
                                      "opensslDiffieHellmanParameters",
                                      &sslGlobalParams.sslPEMTempDHParam);
+
+ExportedServerParameter<bool, ServerParameterType::kStartupOnly>
+    suppressNoTLSPeerCertificateWarning(ServerParameterSet::getGlobal(),
+                                        "suppressNoTLSPeerCertificateWarning",
+                                        &sslGlobalParams.suppressNoTLSPeerCertificateWarning);
 }  // namespace
 
 SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) {
@@ -414,6 +419,7 @@ private:
     bool _weakValidation;
     bool _allowInvalidCertificates;
     bool _allowInvalidHostnames;
+    bool _suppressNoCertificateWarning;
     SSLConfiguration _sslConfiguration;
 
     /**
@@ -797,7 +803,8 @@ SSLManager::SSLManager(const SSLParams& params, bool isServer)
       _clientContext(nullptr, free_ssl_context),
       _weakValidation(params.sslWeakCertificateValidation),
       _allowInvalidCertificates(params.sslAllowInvalidCertificates),
-      _allowInvalidHostnames(params.sslAllowInvalidHostnames) {
+      _allowInvalidHostnames(params.sslAllowInvalidHostnames),
+      _suppressNoCertificateWarning(params.suppressNoTLSPeerCertificateWarning) {
     if (!_initSynchronousSSLContext(&_clientContext, params, ConnectionDirection::kOutgoing)) {
         uasserted(16768, "ssl initialization problem");
     }
@@ -1474,7 +1481,11 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManager::parseAndValidatePeerCertifi
 
     if (NULL == peerCert) {  // no certificate presented by peer
         if (_weakValidation) {
-            warning() << "no SSL certificate provided by peer";
+            // do not give warning if certificate warnings are suppressed
+            if (!_suppressNoCertificateWarning) {
+                warning() << "no SSL certificate provided by peer";
+            }
+            return {boost::none};
         } else {
             auto msg = "no SSL certificate provided by peer; connection rejected";
             error() << msg;
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 13b9686dfe8..5b65e802a97 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -59,6 +59,8 @@ struct SSLParams {
     bool sslAllowInvalidHostnames = false;        // --sslAllowInvalidHostnames
     bool disableNonSSLConnectionLogging =
         false;  // --setParameter disableNonSSLConnectionLogging=true
+    bool suppressNoTLSPeerCertificateWarning =
+        false;  // --setParameter suppressNoTLSPeerCertificateWarning
 
     SSLParams() {
         sslMode.store(SSLMode_disabled);