SERVER-39671: Added warnings for flags sslAllowInvalidCertificates and sslAllowInvalidHostnames

3 files changed, 72 insertions, 36 deletions

diff --git a/jstests/ssl/x509_startup_warning.js b/jstests/ssl/x509_startup_warning.js
index 888e29255e3..a950ceefa39 100644
--- a/jstests/ssl/x509_startup_warning.js
+++ b/jstests/ssl/x509_startup_warning.js
@@ -3,31 +3,61 @@
 (function() {
     'use strict';
 
-    function runTest(opts, expectWarning) {
+    function runTest(checkMongos, opts, expectWarningCertifcates, expectWarningHostnames) {
         clearRawMongoProgramOutput();
-        const mongod = MongoRunner.runMongod(Object.assign({
-            auth: '',
-            sslMode: 'requireSSL',
-            sslPEMKeyFile: 'jstests/libs/server.pem',
-            sslCAFile: 'jstests/libs/ca.pem',
-        },
-                                                           opts));
-        assert.eq(expectWarning,
-                  rawMongoProgramOutput().includes(
-                      'WARNING: While invalid X509 certificates may be used'));
-        MongoRunner.stopMongod(mongod);
+        let mongo;
+
+        if (checkMongos) {
+            mongo = MongoRunner.runMongos(Object.assign({
+                configdb: "fakeRS/localhost:27017",
+                waitForConnect: false,
+            },
+                                                        opts));
+        } else {
+            mongo = MongoRunner.runMongod(Object.assign({
+                auth: '',
+                sslMode: 'preferSSL',
+                sslPEMKeyFile: 'jstests/libs/server.pem',
+                sslCAFile: 'jstests/libs/ca.pem',
+                waitForConnect: false,
+            },
+                                                        opts));
+        }
+
+        assert.soon(function() {
+            const output = rawMongoProgramOutput();
+            return (expectWarningCertifcates ==
+                        output.includes('WARNING: While invalid X509 certificates may be used') &&
+                    expectWarningHostnames ==
+                        output.includes(
+                            'WARNING: This server will not perform X.509 hostname validation'));
+        });
+
+        stopMongoProgramByPid(mongo.pid);
+    }
+
+    function runTests(checkMongos) {
+        // Don't expect a warning for certificates and hostnames when we're not using both options
+        // together.
+        runTest(checkMongos, {}, false, false);
+
+        // Do expect a warning for certificates when we're combining options.
+        runTest(checkMongos, {sslAllowInvalidCertificates: ''}, true, false);
+
+        // Do expect a warning for hostnames.
+        runTest(checkMongos, {sslAllowInvalidHostnames: ''}, false, true);
+
+        // Do expect a warning for certificates and hostnames.
+        runTest(checkMongos,
+                {sslAllowInvalidCertificates: '', sslAllowInvalidHostnames: ''},
+                true,
+                true);
     }
 
-    // Don't expect a warning when we're not using both options together.
-    runTest({}, false);
-    runTest({sslAllowInvalidCertificates: '', setParameter: 'authenticationMechanisms=SCRAM-SHA-1'},
-            false);
-    runTest({setParameter: 'authenticationMechanisms=MONGODB-X509'}, false);
-    runTest({clusterAuthMode: 'x509'}, false);
-
-    // Do expect a warning when we're combining options.
-    runTest(
-        {sslAllowInvalidCertificates: '', setParameter: 'authenticationMechanisms=MONGODB-X509'},
-        true);
-    runTest({sslAllowInvalidCertificates: '', clusterAuthMode: 'x509'}, true);
+    // Run tests on mongos
+    runTests(true);
+
+    // Run tests on mongod
+    runTests(false);
+
 })();
diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp
index 8892928177d..107de1fd660 100644
--- a/src/mongo/db/db.cpp
+++ b/src/mongo/db/db.cpp
@@ -378,18 +378,6 @@ ExitCode _initAndListen(int listenPort) {
 
     logMongodStartupWarnings(storageGlobalParams, serverGlobalParams, serviceContext);
 
-#ifdef MONGO_CONFIG_SSL
-    if (sslGlobalParams.sslAllowInvalidCertificates &&
-        ((serverGlobalParams.clusterAuthMode.load() == ServerGlobalParams::ClusterAuthMode_x509) ||
-         sequenceContains(saslGlobalParams.authenticationMechanisms, "MONGODB-X509"))) {
-        log() << "** WARNING: While invalid X509 certificates may be used to" << startupWarningsLog;
-        log() << "**          connect to this server, they will not be considered"
-              << startupWarningsLog;
-        log() << "**          permissible for authentication." << startupWarningsLog;
-        log() << startupWarningsLog;
-    }
-#endif
-
     {
         std::stringstream ss;
         ss << endl;
diff --git a/src/mongo/db/startup_warnings_common.cpp b/src/mongo/db/startup_warnings_common.cpp
index 0cd52f78199..31a8b6c04b8 100644
--- a/src/mongo/db/startup_warnings_common.cpp
+++ b/src/mongo/db/startup_warnings_common.cpp
@@ -81,6 +81,24 @@ void logCommonStartupWarnings(const ServerGlobalParams& serverParams) {
         warned = true;
     }
 
+#ifdef MONGO_CONFIG_SSL
+    if (sslGlobalParams.sslAllowInvalidCertificates) {
+        log() << "** WARNING: While invalid X509 certificates may be used to" << startupWarningsLog;
+        log() << "**          connect to this server, they will not be considered"
+              << startupWarningsLog;
+        log() << "**          permissible for authentication." << startupWarningsLog;
+        log() << startupWarningsLog;
+    }
+
+    if (sslGlobalParams.sslAllowInvalidHostnames) {
+        log() << "** WARNING: This server will not perform X.509 hostname validation"
+              << startupWarningsLog;
+        log() << "** This may allow your server to make or accept connections to"
+              << startupWarningsLog;
+        log() << "** untrusted parties" << startupWarningsLog;
+    }
+#endif
+
     /*
     * We did not add the message to startupWarningsLog as the user can not
     * specify a sslCAFile parameter from the shell