authorsamantharitter <samantha.ritter@10gen.com>2017-03-21 14:28:42 -0400
committersamantharitter <samantha.ritter@10gen.com>2017-03-21 14:29:55 -0400
commit0d7ae60a0fafe11d61def67493c26809443e1987 (patch)
tree5488b2e207c441c5601d00736cdc3975f6bd2116 /src/mongo/util
parent21628d6b2311eb726c01244f6c5dba1edb1f6256 (diff)
downloadmongo-0d7ae60a0fafe11d61def67493c26809443e1987.tar.gz
SERVER-28014 Add logging to expose non-SSL connections when SSL is preferred but not required
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/net/message_port.cpp15
-rw-r--r--src/mongo/util/net/ssl_manager.cpp12
-rw-r--r--src/mongo/util/net/ssl_options.h2
3 files changed, 28 insertions, 1 deletions
diff --git a/src/mongo/util/net/message_port.cpp b/src/mongo/util/net/message_port.cpp
index 505f1d0ef35..0f4f543087e 100644
--- a/src/mongo/util/net/message_port.cpp
+++ b/src/mongo/util/net/message_port.cpp
@@ -134,9 +134,22 @@ bool MessagingPort::recv(Message& m) {
goto again;
}
+
+ auto sslMode = sslGlobalParams.sslMode.load();
+
uassert(17189,
"The server is configured to only allow SSL connections",
- sslGlobalParams.sslMode.load() != SSLParams::SSLMode_requireSSL);
+ sslMode != SSLParams::SSLMode_requireSSL);
+
+ // For users attempting to upgrade their applications from no SSL to SSL, provide
+ // information about connections that still aren't using SSL (but only once per
+ // connection)
+ if (!sslGlobalParams.disableNonSSLConnectionLogging &&
+ (sslMode == SSLParams::SSLMode_preferSSL)) {
+ LOG(0) << "SSL mode is set to 'preferred' and connection " << _connectionId
+ << " to " << remote() << " is not using SSL.";
+ }
+
#endif // MONGO_CONFIG_SSL
}
if (static_cast<size_t>(len) < sizeof(header) ||
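Review bot: The LOG(0) added at the end of this hunk is emitted for every plaintext connection that reaches this branch and nothing in the hunk bounds it, so on a preferSSL listener an unauthenticated client that keeps opening non-SSL connections can drive unbounded default-severity log volume (one line per connection, each carrying its address), with the startup-only disableNonSSLConnectionLogging flag as the sole mitigation. Consider rate-limiting the message or planning to drop it to LOG(1) once the upgrade window the comment describes has passed. The "only once per connection" claim in the comment is not enforced by visible code; it appears to rely on this `#ifdef MONGO_CONFIG_SSL` branch running only for the first message received on a connection, which I cannot confirm because recv's body starts and ends outside the hunk. Recording that dependency, e.g. `// NOTE: once-per-connection holds only because this branch runs for the first received message; confirm against the handshake path above.`, would keep a later refactor from turning it into per-message logging.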
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 75aaba0394d..4b80ad3cfab 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -43,6 +43,7 @@
#include "mongo/base/init.h"
#include "mongo/bson/bsonobjbuilder.h"
#include "mongo/config.h"
+#include "mongo/db/server_parameters.h"
#include "mongo/platform/atomic_word.h"
#include "mongo/stdx/memory.h"
#include "mongo/transport/session.h"
@@ -73,6 +74,7 @@
#endif
namespace mongo {
+
namespace {
const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
@@ -90,6 +92,16 @@ const SSLParams& getSSLGlobalParams() {
return sslGlobalParams;
}
+/**
+ * Configurable via --setParameter disableNonSSLConnectionLogging=true. If false (default)
+ * if the sslMode is set to preferSSL, we will log connections that are not using SSL.
+ * If true, such log messages will be suppressed.
+ */
+ExportedServerParameter<bool, ServerParameterType::kStartupOnly>
+ disableNonSSLConnectionLoggingParameter(ServerParameterSet::getGlobal(),
+ "disableNonSSLConnectionLogging",
+ &sslGlobalParams.disableNonSSLConnectionLogging);
+
#ifdef MONGO_CONFIG_SSL
// Old copies of OpenSSL will not have constants to disable protocols they don't support.
// Define them to values we can OR together safely to generically disable these protocols across
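Review bot: The doc comment on disableNonSSLConnectionLoggingParameter is garbled ("If false (default) if the sslMode is set to preferSSL, we will log..."); rewrite it as `Configurable via --setParameter disableNonSSLConnectionLogging=true (startup only). When false (the default) and sslMode is preferSSL, each connection that is not using SSL is logged; when true those messages are suppressed.` The parameter is also registered ahead of the `#ifdef MONGO_CONFIG_SSL` that follows it, so a build without SSL support appears to accept the flag while it can have no effect; either guard the registration the same way or state that in the comment.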
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index ef845c5207f..aef2860093b 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -57,6 +57,8 @@ struct SSLParams {
bool sslFIPSMode = false; // --sslFIPSMode
bool sslAllowInvalidCertificates = false; // --sslAllowInvalidCertificates
bool sslAllowInvalidHostnames = false; // --sslAllowInvalidHostnames
+ bool disableNonSSLConnectionLogging =
+ false; // --setParameter disableNonSSLConnectionLogging=true
SSLParams() {
sslMode.store(SSLMode_disabled);