author | Gabriel Marks <gabriel.marks@mongodb.com> | 2020-06-23 15:44:50 +0000 |
---|---|---|
committer | Evergreen Agent <no-reply@evergreen.mongodb.com> | 2020-06-26 14:48:43 +0000 |
commit | f31fb14b43c9976803f21558075a3892599d3e76 (patch) | |
tree | 9b4bcc03b44e855329b8ddd09fbedbb50598356d | |
parent | 863e13d1c80fbf66d2b097da5a8a46492cad1d6b (diff) | |
download | mongo-f31fb14b43c9976803f21558075a3892599d3e76.tar.gz |
SERVER-48006 Fix default for opensslCipherConfig
-rw-r--r-- | jstests/noPassthrough/ssl_cipher_default.js | 49 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_openssl.cpp | 18 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 4 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options_server.cpp | 5 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_parameters.cpp | 2 |
5 files changed, 60 insertions, 18 deletions
diff --git a/jstests/noPassthrough/ssl_cipher_default.js b/jstests/noPassthrough/ssl_cipher_default.js
new file mode 100644
index 00000000000..d1a6f6fd5a4
--- /dev/null
+++ b/jstests/noPassthrough/ssl_cipher_default.js
@@ -0,0 +1,49 @@
+// validate default for opensslCipherConfig
+
+(function() {
+'use strict';
+
+function getparam(mongod, field) {
+ var q = {getParameter: 1};
+ q[field] = 1;
+
+ var ret = mongod.getDB("admin").runCommand(q);
+ return ret[field];
+}
+
+function assertCorrectConfig(mongodArgs, expectedConfig) {
+ let m = MongoRunner.runMongod(mongodArgs);
+ assert.eq(getparam(m, "opensslCipherConfig"), expectedConfig);
+ MongoRunner.stopMongod(m);
+}
+
+const defaultConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
+
+// if sslMode is disabled, cipher config should be set to default
+assertCorrectConfig({sslMode: 'disabled'}, defaultConfig);
+
+// if sslMode is enabled, cipher config should have default
+assertCorrectConfig({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem"
+},
+ defaultConfig);
+
+// setting through setParameter or tlsCipherConfig should override default
+assertCorrectConfig({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ setParameter: "opensslCipherConfig=HIGH"
+},
+ "HIGH");
+
+assertCorrectConfig({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ tlsCipherConfig: "HIGH"
+},
+ "HIGH");
+})();
\ No newline at end of file
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 36e43daf58c..3976cc47059 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1873,21 +1873,11 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
 ::SSL_CTX_set_options(context, options);
- // HIGH - Enable strong ciphers
- // !EXPORT - Disable export ciphers (40/56 bit)
- // !aNULL - Disable anonymous auth ciphers
- // @STRENGTH - Sort ciphers based on strength
- std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
-
- // Allow the cipher configuration string to be overriden by --sslCipherConfig
- if (!params.sslCipherConfig.empty()) {
- cipherConfig = params.sslCipherConfig;
- }
-
- if (0 == ::SSL_CTX_set_cipher_list(context, cipherConfig.c_str())) {
+ if (0 == ::SSL_CTX_set_cipher_list(context, params.sslCipherConfig.c_str())) {
 return Status(ErrorCodes::InvalidSSLConfiguration,
- str::stream() << "Can not set supported cipher suites: "
- << getSSLErrorMessage(ERR_get_error()));
+ str::stream() << "Can not set supported cipher suites with config string \""
+ << params.sslCipherConfig
+ << "\": " << getSSLErrorMessage(ERR_get_error()));
 }
 // We use the address of the context as the session id context.
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 56faa4f9dde..0052519c29b 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -53,6 +53,8 @@ class OptionSection;
 class Environment;
 } // namespace optionenvironment
+constexpr auto kSSLCipherConfigDefault = "HIGH:!EXPORT:!aNULL@STRENGTH"_sd;
+
+
 struct SSLParams {
 using TLSCATrusts = std::map<SHA256Block, std::set<RoleName>>;
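Review bot: The error paths the C++ hunks introduce are not exercised: a mongod given both `tlsCipherConfig` and `setParameter: "opensslCipherConfig=..."` with non-default values should fail to start with the BadValue error, and a `tlsCipherConfig` equal to `defaultConfig` is the edge case the new exact-match comparisons treat as "unset", so both deserve a case here. The conflict case would be something like `assert.throws(() => MongoRunner.runMongod({sslMode: 'allowSSL', sslPEMKeyFile: "jstests/libs/server.pem", sslCAFile: "jstests/libs/ca.pem", tlsCipherConfig: "HIGH", setParameter: "opensslCipherConfig=HIGH"}))`, if that is how startup failures surface in this harness. Minor style: `getparam` uses `var` while the rest of the file uses `let`/`const`, and the file lacks a trailing newline.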
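Review bot: The four-line comment explaining each component of the default cipher string (`HIGH`, `!EXPORT`, `!aNULL`, `@STRENGTH`) is deleted here and not carried over to the new `kSSLCipherConfigDefault` constant in the ssl_options.h hunk below, so the rationale for excluding export-grade and anonymous (unauthenticated) cipher suites is no longer recorded anywhere next to the value. Suggest re-adding it above the constant, e.g. `// HIGH - strong ciphers only; !EXPORT - no 40/56-bit export ciphers; !aNULL - no anonymous key exchange; @STRENGTH - order by strength.` The expanded error message that echoes the offending config string is a welcome change. initSSLContext starts and ends outside the hunk.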
@@ -96,7 +98,7 @@ struct SSLParams {
 false; // --setParameter suppressNoTLSPeerCertificateWarning
 bool tlsWithholdClientCertificate = false; // --setParameter tlsWithholdClientCertificate
- SSLParams() {
+ SSLParams() : sslCipherConfig(kSSLCipherConfigDefault) {
 sslMode.store(SSLMode_disabled);
 }
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index c8621383255..1e21f2d7b22 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -141,7 +141,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 LOGV2_WARNING(
 23286,
 "net.tls.tlsCipherConfig is deprecated. It will be removed in a future release.");
- if (!sslGlobalParams.sslCipherConfig.empty()) {
+ if (sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault) {
 return {ErrorCodes::BadValue,
 "net.tls.tlsCipherConfig is incompatible with the openTLSCipherConfig "
 "setParameter"};
@@ -223,7 +223,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 } else if (sslGlobalParams.sslPEMKeyFile.size() || sslGlobalParams.sslPEMKeyPassword.size() ||
 sslGlobalParams.sslClusterFile.size() || sslGlobalParams.sslClusterPassword.size() ||
 sslGlobalParams.sslCAFile.size() || sslGlobalParams.sslCRLFile.size() ||
- sslGlobalParams.sslCipherConfig.size() ||
+ sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault ||
 params.count("net.tls.disabledProtocols") ||
 #ifdef MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS
 params.count("net.tls.certificateSelector") ||
@@ -252,6 +252,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
 "cannot have x.509 cluster authentication in allowTLS mode"};
 }
 }
+ return Status::OK();
 }
diff --git a/src/mongo/util/net/ssl_parameters.cpp b/src/mongo/util/net/ssl_parameters.cpp
index 32de6a369f5..ba825cc2e23 100644
--- a/src/mongo/util/net/ssl_parameters.cpp
+++ b/src/mongo/util/net/ssl_parameters.cpp
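Review bot: Testing `sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault` as a proxy for "the operator set it" treats an explicitly supplied `--tlsCipherConfig HIGH:!EXPORT:!aNULL@STRENGTH` as unset, in the `@@ -141` hunk, the `@@ -223` hunk and the ssl_parameters.cpp hunk: an explicit default no longer raises the tlsCipherConfig/opensslCipherConfig conflict, and in the `@@ -223` hunk it no longer counts as a TLS option supplied in a non-TLS mode, unlike the sibling options that are still checked by `.size()`. Since the parsed option map is used two lines below in that hunk, `params.count("net.tls.tlsCipherConfig") ||` (assuming that is the key the deprecation warning refers to) expresses presence without depending on the value, and the same presence test, where `params` is in scope, would make the two conflict checks exact. The `return Status::OK();` added in the `@@ -252` hunk is unrelated to the cipher default; if the function previously reached its closing brace without a return, that deserves its own mention in the commit message. The enclosing MONGO_STARTUP_OPTIONS_POST function starts and ends outside these hunks.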
@@ -245,7 +245,7 @@ Status TLSCATrustsSetParameter::setFromString(const std::string& json) try {
 } // namespace mongo
 mongo::Status mongo::validateOpensslCipherConfig(const std::string&) {
- if (!sslGlobalParams.sslCipherConfig.empty()) {
+ if (sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault) {
 return {ErrorCodes::BadValue,
 "opensslCipherConfig setParameter is incompatible with net.tls.tlsCipherConfig"};
 }
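Review bot: `validateOpensslCipherConfig` still discards the value it is handed — the `const std::string&` parameter is unnamed — so an empty or malformed cipher string set through the parameter is only rejected later, when `SSL_CTX_set_cipher_list` fails during context initialisation in ssl_manager_openssl.cpp. Naming the parameter and rejecting at least the empty string up front, `if (value.empty()) return {ErrorCodes::BadValue, "opensslCipherConfig must not be empty"};`, reports the mistake at the point the operator made it. The function body continues past the end of the hunk.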