author | Adam Cooper <adam.cooper@mongodb.com> | 2018-06-11 13:38:54 -0400 |
---|---|---|
committer | Adam Cooper <adam.cooper@mongodb.com> | 2018-07-11 15:04:13 -0400 |
commit | 8f62430465e79bc38f551437d75ff9bbe0f06ff0 (patch) | |
tree | 0a9f1ceb7278ece742f3a1a78ad887d1d2f6c5c2 /src/mongo/util | |
parent | def12b4a903bcf0dea6211f25ccbc5e0613fe5b2 (diff) | |
SERVER-27264 Allow disabling no client certificate warning
(cherry picked from commit 14eb0afce97b372d0dc4d2a4c41a00318a36b0e2)
Diffstat (limited to 'src/mongo/util')
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 15 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 2 |
2 files changed, 15 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 90e9170ab6e..c4dfd5fe8ac 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -115,6 +115,11 @@ ExportedServerParameter<std::string, ServerParameterType::kStartupOnly> setDiffieHellmanParameterPEMFile(ServerParameterSet::getGlobal(), "opensslDiffieHellmanParameters", &sslGlobalParams.sslPEMTempDHParam); + +ExportedServerParameter<bool, ServerParameterType::kStartupOnly> + suppressNoTLSPeerCertificateWarning(ServerParameterSet::getGlobal(), + "suppressNoTLSPeerCertificateWarning", + &sslGlobalParams.suppressNoTLSPeerCertificateWarning); } // namespace SSLPeerInfo& SSLPeerInfo::forSession(const transport::SessionHandle& session) { @@ -414,6 +419,7 @@ private: bool _weakValidation; bool _allowInvalidCertificates; bool _allowInvalidHostnames; + bool _suppressNoCertificateWarning; SSLConfiguration _sslConfiguration; /** @@ -797,7 +803,8 @@ SSLManager::SSLManager(const SSLParams& params, bool isServer) _clientContext(nullptr, free_ssl_context), _weakValidation(params.sslWeakCertificateValidation), _allowInvalidCertificates(params.sslAllowInvalidCertificates), - _allowInvalidHostnames(params.sslAllowInvalidHostnames) { + _allowInvalidHostnames(params.sslAllowInvalidHostnames), + _suppressNoCertificateWarning(params.suppressNoTLSPeerCertificateWarning) { if (!_initSynchronousSSLContext(&_clientContext, params, ConnectionDirection::kOutgoing)) { uasserted(16768, "ssl initialization problem"); } 
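Review bot: The `suppressNoTLSPeerCertificateWarning` registration added after `setDiffieHellmanParameterPEMFile` has no comment stating its scope, and the name alone can be read as relaxing certificate checks. Judging from the `parseAndValidatePeerCertificate` hunk later in this file, it only silences the warning on the `_weakValidation` path and leaves the decision to accept a certificate-less peer unchanged. I would add above the declaration `// Log-only: hides the "no SSL certificate provided by peer" warning under weak certificate validation; peer acceptance is unchanged.` Because the parameter is `kStartupOnly`, turning the warning back on during an investigation needs a restart, which the operator documentation should say.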
@@ -1474,7 +1481,11 @@ StatusWith<boost::optional<SSLPeerInfo>> SSLManager::parseAndValidatePeerCertifi if (NULL == peerCert) { // no certificate presented by peer if (_weakValidation) { - warning() << "no SSL certificate provided by peer"; + // do not give warning if certificate warnings are suppressed + if (!_suppressNoCertificateWarning) { + warning() << "no SSL certificate provided by peer"; + } + return {boost::none}; } else { auto msg = "no SSL certificate provided by peer; connection rejected"; error() << msg; diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h index 13b9686dfe8..5b65e802a97 100644 --- a/src/mongo/util/net/ssl_options.h +++ b/src/mongo/util/net/ssl_options.h @@ -59,6 +59,8 @@ struct SSLParams { bool sslAllowInvalidHostnames = false; // --sslAllowInvalidHostnames bool disableNonSSLConnectionLogging = false; // --setParameter disableNonSSLConnectionLogging=true + bool suppressNoTLSPeerCertificateWarning = + false; // --setParameter suppressNoTLSPeerCertificateWarning SSLParams() { sslMode.store(SSLMode_disabled); |
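Review bot: When `_suppressNoCertificateWarning` is set, the `_weakValidation` branch accepts a peer that presented no certificate without writing any log record, so the only trace of those connections is lost. Rather than dropping the message, consider demoting it in an `else` arm, e.g. `} else { LOG(1) << "no SSL certificate provided by peer"; }`, assuming this file uses the usual logging macros, so the event can be recovered by raising verbosity. The message also appears to carry no peer address, which limits its use for triage even when the warning is enabled. The body of `parseAndValidatePeerCertificate` starts and ends outside the hunk.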
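Review bot: The comment on the new `suppressNoTLSPeerCertificateWarning` field in `SSLParams` omits the `=true` shown on the `disableNonSSLConnectionLogging` line just above it. It also does not say that the flag is read only on the weak-validation path in `ssl_manager.cpp`. Suggested wording: `// --setParameter suppressNoTLSPeerCertificateWarning=true (log-only; applies with sslWeakCertificateValidation)`. The struct continues outside the hunk.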