authorGabriel Marks <gabriel.marks@mongodb.com>2020-06-23 15:44:50 +0000
committerEvergreen Agent <no-reply@evergreen.mongodb.com>2020-06-26 14:48:43 +0000
commitf31fb14b43c9976803f21558075a3892599d3e76 (patch)
tree9b4bcc03b44e855329b8ddd09fbedbb50598356d
parent863e13d1c80fbf66d2b097da5a8a46492cad1d6b (diff)
downloadmongo-f31fb14b43c9976803f21558075a3892599d3e76.tar.gz
SERVER-48006 Fix default for opensslCipherConfig
-rw-r--r--jstests/noPassthrough/ssl_cipher_default.js49
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp18
-rw-r--r--src/mongo/util/net/ssl_options.h4
-rw-r--r--src/mongo/util/net/ssl_options_server.cpp5
-rw-r--r--src/mongo/util/net/ssl_parameters.cpp2
5 files changed, 60 insertions, 18 deletions
diff --git a/jstests/noPassthrough/ssl_cipher_default.js b/jstests/noPassthrough/ssl_cipher_default.js
new file mode 100644
index 00000000000..d1a6f6fd5a4
--- /dev/null
+++ b/jstests/noPassthrough/ssl_cipher_default.js
@@ -0,0 +1,49 @@
+// validate default for opensslCipherConfig
+
+(function() {
+'use strict';
+
+function getparam(mongod, field) {
+ var q = {getParameter: 1};
+ q[field] = 1;
+
+ var ret = mongod.getDB("admin").runCommand(q);
+ return ret[field];
+}
+
+function assertCorrectConfig(mongodArgs, expectedConfig) {
+ let m = MongoRunner.runMongod(mongodArgs);
+ assert.eq(getparam(m, "opensslCipherConfig"), expectedConfig);
+ MongoRunner.stopMongod(m);
+}
+
+const defaultConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
+
+// if sslMode is disabled, cipher config should be set to default
+assertCorrectConfig({sslMode: 'disabled'}, defaultConfig);
+
+// if sslMode is enabled, cipher config should have default
+assertCorrectConfig({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem"
+},
+ defaultConfig);
+
+// setting through setParameter or tlsCipherConfig should override default
+assertCorrectConfig({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ setParameter: "opensslCipherConfig=HIGH"
+},
+ "HIGH");
+
+assertCorrectConfig({
+ sslMode: 'allowSSL',
+ sslPEMKeyFile: "jstests/libs/server.pem",
+ sslCAFile: "jstests/libs/ca.pem",
+ tlsCipherConfig: "HIGH"
+},
+ "HIGH");
+})(); \ No newline at end of file
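Review bot: In `assertCorrectConfig`, `MongoRunner.stopMongod(m)` is only reached when `assert.eq` passes, so a failing assertion leaves the spawned mongod running for the remainder of the suite. Wrapping the assertion in try/finally makes the process cleanup unconditional. Two smaller style points in the same file: `getparam` uses `var` while the rest of the file uses `let`/`const`, and the file is committed without a trailing newline.
```javascript
function assertCorrectConfig(mongodArgs, expectedConfig) {
    let m = MongoRunner.runMongod(mongodArgs);
    try {
        assert.eq(getparam(m, "opensslCipherConfig"), expectedConfig);
    } finally {
        MongoRunner.stopMongod(m);
    }
}
```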
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 36e43daf58c..3976cc47059 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -1873,21 +1873,11 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
::SSL_CTX_set_options(context, options);
- // HIGH - Enable strong ciphers
- // !EXPORT - Disable export ciphers (40/56 bit)
- // !aNULL - Disable anonymous auth ciphers
- // @STRENGTH - Sort ciphers based on strength
- std::string cipherConfig = "HIGH:!EXPORT:!aNULL@STRENGTH";
-
- // Allow the cipher configuration string to be overriden by --sslCipherConfig
- if (!params.sslCipherConfig.empty()) {
- cipherConfig = params.sslCipherConfig;
- }
-
- if (0 == ::SSL_CTX_set_cipher_list(context, cipherConfig.c_str())) {
+ if (0 == ::SSL_CTX_set_cipher_list(context, params.sslCipherConfig.c_str())) {
return Status(ErrorCodes::InvalidSSLConfiguration,
- str::stream() << "Can not set supported cipher suites: "
- << getSSLErrorMessage(ERR_get_error()));
+ str::stream() << "Can not set supported cipher suites with config string \""
+ << params.sslCipherConfig
+ << "\": " << getSSLErrorMessage(ERR_get_error()));
}
// We use the address of the context as the session id context.
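Review bot: Removing the `empty()` fallback changes what an explicitly empty `params.sslCipherConfig` means: before, an empty value meant "use the default"; now the empty string is passed straight to `SSL_CTX_set_cipher_list`, which as far as I recall fails when no cipher matches, so startup aborts with the new `Can not set supported cipher suites with config string ""` message. Failing closed is the right direction, but the operator then sees an OpenSSL-level error rather than an option-validation one. If an empty value is not meant to be accepted, `validateOpensslCipherConfig` in ssl_parameters.cpp (also touched by this commit) could reject it up front, e.g. `if (value.empty()) return {ErrorCodes::BadValue, "opensslCipherConfig must not be empty"};` after giving its currently unnamed parameter a name; if empty is meant to restore the default, the fallback needs to come back here. initSSLContext begins and ends outside this hunk.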
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 56faa4f9dde..0052519c29b 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -53,6 +53,8 @@ class OptionSection;
class Environment;
} // namespace optionenvironment
+constexpr auto kSSLCipherConfigDefault = "HIGH:!EXPORT:!aNULL@STRENGTH"_sd;
+
struct SSLParams {
using TLSCATrusts = std::map<SHA256Block, std::set<RoleName>>;
@@ -96,7 +98,7 @@ struct SSLParams {
false; // --setParameter suppressNoTLSPeerCertificateWarning
bool tlsWithholdClientCertificate = false; // --setParameter tlsWithholdClientCertificate
- SSLParams() {
+ SSLParams() : sslCipherConfig(kSSLCipherConfigDefault) {
sslMode.store(SSLMode_disabled);
}
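Review bot: `kSSLCipherConfigDefault` is introduced with no explanation of what the string means, while the four comments that documented it (HIGH enables strong ciphers, !EXPORT disables 40/56-bit export ciphers, !aNULL disables anonymous-auth ciphers, @STRENGTH sorts by strength) are deleted from ssl_manager_openssl.cpp in this same commit and not moved. Those four lines belong above this declaration, since this is now the only place the value is defined. It would also help to state the second role the constant takes on in this commit, e.g. `// Also compared against sslCipherConfig by the startup option checks to detect an unconfigured value.`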
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index c8621383255..1e21f2d7b22 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -141,7 +141,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
LOGV2_WARNING(
23286,
"net.tls.tlsCipherConfig is deprecated. It will be removed in a future release.");
- if (!sslGlobalParams.sslCipherConfig.empty()) {
+ if (sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault) {
return {ErrorCodes::BadValue,
"net.tls.tlsCipherConfig is incompatible with the openTLSCipherConfig "
"setParameter"};
@@ -223,7 +223,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
} else if (sslGlobalParams.sslPEMKeyFile.size() || sslGlobalParams.sslPEMKeyPassword.size() ||
sslGlobalParams.sslClusterFile.size() || sslGlobalParams.sslClusterPassword.size() ||
sslGlobalParams.sslCAFile.size() || sslGlobalParams.sslCRLFile.size() ||
- sslGlobalParams.sslCipherConfig.size() ||
+ sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault ||
params.count("net.tls.disabledProtocols") ||
#ifdef MONGO_CONFIG_SSL_CERTIFICATE_SELECTORS
params.count("net.tls.certificateSelector") ||
@@ -252,6 +252,7 @@ MONGO_STARTUP_OPTIONS_POST(SSLServerOptions)(InitializerContext*) {
"cannot have x.509 cluster authentication in allowTLS mode"};
}
}
+
return Status::OK();
}
diff --git a/src/mongo/util/net/ssl_parameters.cpp b/src/mongo/util/net/ssl_parameters.cpp
index 32de6a369f5..ba825cc2e23 100644
--- a/src/mongo/util/net/ssl_parameters.cpp
+++ b/src/mongo/util/net/ssl_parameters.cpp
@@ -245,7 +245,7 @@ Status TLSCATrustsSetParameter::setFromString(const std::string& json) try {
} // namespace mongo
mongo::Status mongo::validateOpensslCipherConfig(const std::string&) {
- if (!sslGlobalParams.sslCipherConfig.empty()) {
+ if (sslGlobalParams.sslCipherConfig != kSSLCipherConfigDefault) {
return {ErrorCodes::BadValue,
"opensslCipherConfig setParameter is incompatible with net.tls.tlsCipherConfig"};
}