author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-01-08 18:38:43 -0500 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-01-12 11:38:34 -0500 |
commit | d34d2ba2b34cc18f8c853ecaa5a9cc59f587282b (patch) | |
tree | 2cf3ba71240077ae26e9c169d07ea0eb656bda8f | |
parent | 74dd4586e68b77838cf0c93a6697e0353a3c111a (diff) | |
download | mongo-d34d2ba2b34cc18f8c853ecaa5a9cc59f587282b.tar.gz |
SERVER-32551: Ensure Transport Layer doesn't use clusterFile as server cert
-rw-r--r-- | jstests/ssl/ssl_cluster_file.js | 35 | ||||
-rw-r--r-- | src/mongo/transport/transport_layer_asio.cpp | 13 |
2 files changed, 42 insertions, 6 deletions
diff --git a/jstests/ssl/ssl_cluster_file.js b/jstests/ssl/ssl_cluster_file.js
new file mode 100644
index 00000000000..aa77b875530
--- /dev/null
+++ b/jstests/ssl/ssl_cluster_file.js
@@ -0,0 +1,35 @@
+(function() {
+ "use strict";
+
+ var CA_CERT = "jstests/libs/ca.pem";
+ var SERVER_CERT = "jstests/libs/server.pem";
+ var CLIENT_CERT = "jstests/libs/client.pem";
+ var BAD_SAN_CERT = "jstests/libs/badSAN.pem";
+
+ var mongod = MongoRunner.runMongod({
+ sslMode: "requireSSL",
+ sslPEMKeyFile: SERVER_CERT,
+ sslCAFile: CA_CERT,
+ sslClusterFile: BAD_SAN_CERT
+ });
+
+ var mongo = runMongoProgram("mongo",
+ "--host",
+ "localhost",
+ "--port",
+ mongod.port,
+ "--ssl",
+ "--sslCAFile",
+ CA_CERT,
+ "--sslPEMKeyFile",
+ CLIENT_CERT,
+ "--eval",
+ ";");
+
+ // runMongoProgram returns 0 on success
+ assert.eq(
+ 0,
+ mongo,
+ "Connection attempt failed when an irrelevant sslClusterFile was provided to the server!");
+
+}());
diff --git a/src/mongo/transport/transport_layer_asio.cpp b/src/mongo/transport/transport_layer_asio.cpp
index 48fad3550a0..4d038d0f6bb 100644
--- a/src/mongo/transport/transport_layer_asio.cpp
+++ b/src/mongo/transport/transport_layer_asio.cpp
@@ -229,12 +229,13 @@ Status TransportLayerASIO::setup() {
 if (_sslMode() != SSLParams::SSLMode_disabled) {
 _sslContext = stdx::make_unique<asio::ssl::context>(asio::ssl::context::sslv23);
- const auto sslManager = getSSLManager();
- sslManager
- ->initSSLContext(_sslContext->native_handle(),
- sslParams,
- SSLManagerInterface::ConnectionDirection::kOutgoing)
- .transitional_ignore();
+ Status status =
+ getSSLManager()->initSSLContext(_sslContext->native_handle(),
+ sslParams,
+ SSLManagerInterface::ConnectionDirection::kIncoming);
+ if (!status.isOK()) {
+ return status;
+ }
 }
 #endif |
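Review bot: The new test starts a mongod but never stops it, so the process outlives the test; add `MongoRunner.stopMongod(mongod);` after the `assert.eq(...)` and before the closing `}());`. The assertion also relies on an unstated mechanism: a successful connection only proves the server did not present badSAN.pem because the client is given `--sslCAFile` and connects to "localhost", so it presumably rejects a certificate whose SAN does not match that host — a one-line comment above the `runMongoProgram` call, such as `// Hostname verification against CA_CERT would fail if the server presented BAD_SAN_CERT instead of SERVER_CERT`, would make the intent of the `assert.eq(0, mongo, ...)` clear to the next reader. Note that `SERVER_CERT` is only ever passed to the server while the mongo shell is given `CLIENT_CERT`, which is correct, but the test would be stronger if a negative control (a server started with the cluster file as `sslPEMKeyFile`) confirmed the rejection actually happens.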
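Review bot: The switch from `kOutgoing` to `kIncoming` is the substantive fix named in the commit title, yet nothing in the hunk records why this context must be initialised as the incoming side; a short comment on the `Status status =` line, e.g. `// This context serves inbound connections: initialise it with the server certificate (sslPEMKeyFile), never the cluster file used for outbound connections.`, would keep a future refactor from reverting it. On the failure path `_sslContext` is left holding a partially initialised context when `return status;` is taken; whether callers of setup() treat a non-OK Status as fatal is outside the hunk, but resetting `_sslContext` before returning would make the object state unambiguous. The enclosing `TransportLayerASIO::setup()` begins and ends outside the hunk.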