authorAndreas Nilsson <andreas.nilsson@10gen.com>2013-10-07 21:22:46 -0400
committerAndreas Nilsson <andreas.nilsson@10gen.com>2013-10-09 14:24:29 -0400
commitaef38b7e2ce7c78716f1ed3ab0f7252e4664cfe2 (patch)
tree921383476245f168f7de3ad7d854e67655d9c0fb /src/mongo/util
parent7ada7a8e110f5dc2c22a49aa7cea175bb9704a81 (diff)
SERVER-8864 SSL mixed mode cmd line parameters
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/net/message_port.cpp34
-rw-r--r--src/mongo/util/net/ssl_manager.cpp3
-rw-r--r--src/mongo/util/net/ssl_options.cpp48
-rw-r--r--src/mongo/util/net/ssl_options.h29
4 files changed, 91 insertions, 23 deletions
diff --git a/src/mongo/util/net/message_port.cpp b/src/mongo/util/net/message_port.cpp
index 772eeff77e9..b0b920116be 100644
--- a/src/mongo/util/net/message_port.cpp
+++ b/src/mongo/util/net/message_port.cpp
@@ -27,6 +27,7 @@
#include "mongo/util/net/listen.h"
#include "mongo/util/net/message.h"
#include "mongo/util/net/ssl_manager.h"
+#include "mongo/util/net/ssl_options.h"
#include "mongo/util/scopeguard.h"
#include "mongo/util/time_support.h"
@@ -162,7 +163,7 @@ again:
int headerLen = sizeof(MSGHEADER);
psock->recv( (char *)&header, headerLen );
int len = header.messageLength;
-
+
if ( len == 542393671 ) {
// an http GET
string msg = "It looks like you are trying to access MongoDB over HTTP on the native driver port.\n";
@@ -181,17 +182,24 @@ again:
goto again;
}
// If responseTo is not 0 or -1 for first packet assume SSL
- else if (psock->isAwaitingHandshake() &&
- header.responseTo != 0 && header.responseTo != -1) {
-#ifdef MONGO_SSL
- uassert(17132, "SSL handshake received but server is started without SSL support",
- NULL != getSSLManager());
- psock->setHandshakeReceived();
- setX509SubjectName(psock->doSSLHandshake(
- reinterpret_cast<const char*>(&header), sizeof(header)));
- goto again;
-#else
- uasserted(17133, "SSL handshake requested, SSL feature not available in this build");
+ else if (psock->isAwaitingHandshake()) {
+#ifndef MONGO_SSL
+ if (header.responseTo != 0 && header.responseTo != -1) {
+ uasserted(17133,
+ "SSL handshake requested, SSL feature not available in this build");
+ }
+#else
+ if (header.responseTo != 0 && header.responseTo != -1) {
+ uassert(17132,
+ "SSL handshake received but server is started without SSL support",
+ sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_noSSL);
+ setX509SubjectName(psock->doSSLHandshake(
+ reinterpret_cast<const char*>(&header), sizeof(header)));
+ psock->setHandshakeReceived();
+ goto again;
+ }
+ uassert(17185, "The server is configured to only allow SSL connections",
+ sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_sslOnly);
#endif // MONGO_SSL
}
else if ( len < static_cast<int>(sizeof(MSGHEADER)) || len > MaxMessageSizeBytes ) {
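Review bot: A plaintext first message now bypasses the message-length bounds check, because the rewritten `else if (psock->isAwaitingHandshake())` branch is entered for every first packet and, when `responseTo` is 0 or -1 and the mode is not sslOnly, it passes the uassert and falls out of the if/else chain without ever reaching the sibling `else if ( len < static_cast<int>(sizeof(MSGHEADER)) || len > MaxMessageSizeBytes )` test; before this change the handshake branch was taken only for SSL-looking headers, so plain first messages still hit that check. The `#ifndef MONGO_SSL` build has the same gap, since there the branch is a no-op for plain traffic. `len` is read straight off the wire from an unauthenticated peer and is then used to compute `z`, so make the bounds test unconditional: `if ( len < static_cast<int>(sizeof(MSGHEADER)) || len > MaxMessageSizeBytes ) {`. The enclosing function continues outside the hunk.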
@@ -199,7 +207,7 @@ again:
<< "Min " << sizeof(MSGHEADER) << " Max: " << MaxMessageSizeBytes << endl;
return false;
}
-
+
psock->setHandshakeReceived();
int z = (len+1023)&0xfffffc00;
verify(z>=len);
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 0fb645e988c..3457465a9b9 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -35,7 +35,6 @@
#endif
namespace mongo {
-
SSLGlobalParams sslGlobalParams;
#ifndef MONGO_SSL
@@ -274,7 +273,7 @@ namespace mongo {
MONGO_INITIALIZER(SSLManager)(InitializerContext* context) {
SimpleMutex::scoped_lock lck(sslManagerMtx);
- if (sslGlobalParams.sslOnNormalPorts) {
+ if (sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_noSSL) {
const Params params(
sslGlobalParams.sslPEMKeyFile,
sslGlobalParams.sslPEMKeyPassword,
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 3251b7fd3d5..935b3ee9bdd 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -34,6 +34,11 @@ namespace mongo {
if (!ret.isOK()) {
return ret;
}
+ ret = options->addOption(OD("ssl.mode", "sslMode", moe::String,
+ "set the SSL operation mode (noSSL|acceptSSL|sendAcceptSSL|sslOnly)", true));
+ if (!ret.isOK()) {
+ return ret;
+ }
ret = options->addOption(OD("ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
"PEM file for ssl", true));
if (!ret.isOK()) {
@@ -116,6 +121,26 @@ namespace mongo {
Status storeSSLServerOptions(const moe::Environment& params) {
+ if (params.count("ssl.mode")) {
+ std::string sslModeParam = params["ssl.mode"].as<string>();
+ if (sslModeParam == "noSSL") {
+ sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_noSSL);
+ }
+ else if (sslModeParam == "acceptSSL") {
+ sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_acceptSSL);
+ }
+ else if (sslModeParam == "sendAcceptSSL") {
+ sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_sendAcceptSSL);
+ }
+ else if (sslModeParam == "sslOnly") {
+ sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_sslOnly);
+ }
+ else {
+ return Status(ErrorCodes::BadValue,
+ "unsupported value for sslMode " + sslModeParam );
+ }
+ }
+
if (params.count("ssl.PEMKeyFile")) {
sslGlobalParams.sslPEMKeyFile = boost::filesystem::absolute(
params["ssl.PEMKeyFile"].as<string>()).generic_string();
@@ -148,10 +173,19 @@ namespace mongo {
sslGlobalParams.sslWeakCertificateValidation = true;
}
if (params.count("ssl.sslOnNormalPorts")) {
- sslGlobalParams.sslOnNormalPorts = true;
+ if (params.count("ssl.mode")) {
+ return Status(ErrorCodes::BadValue,
+ "can't have both sslMode and sslOnNormalPorts");
+ }
+ else {
+ sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_sslOnly);
+ }
+ }
+
+ if (sslGlobalParams.sslMode.load() != SSLGlobalParams::SSLMode_noSSL) {
if (sslGlobalParams.sslPEMKeyFile.size() == 0) {
return Status(ErrorCodes::BadValue,
- "need sslPEMKeyFile with sslOnNormalPorts");
+ "need sslPEMKeyFile when SSL is enabled");
}
if (sslGlobalParams.sslWeakCertificateValidation &&
sslGlobalParams.sslCAFile.empty()) {
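Review bot: The deprecated `ssl.sslOnNormalPorts` path silently maps to `SSLMode_sslOnly` with no signal to the operator that the flag is on its way out. Emit a deprecation warning at the point of the `store(SSLGlobalParams::SSLMode_sslOnly)` (via the tree's `warning()` log stream, if it is available in this file) and say in the option's help text, which lives outside this hunk, that it is equivalent to `--sslMode sslOnly`. A short comment above the branch, `// legacy --sslOnNormalPorts: equivalent to --sslMode sslOnly; rejected if both are given`, would also make the conflict check self-explanatory. The enclosing function continues outside the hunk.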
@@ -174,13 +208,15 @@ namespace mongo {
sslGlobalParams.sslCRLFile.size() ||
sslGlobalParams.sslWeakCertificateValidation ||
sslGlobalParams.sslFIPSMode) {
- return Status(ErrorCodes::BadValue, "need to enable sslOnNormalPorts");
+ return Status(ErrorCodes::BadValue,
+ "need to enable SSL via the sslMode flag when"
+ "using SSL configuration parameters");
}
if (serverGlobalParams.clusterAuthMode == "sendKeyfile" ||
serverGlobalParams.clusterAuthMode == "sendX509" ||
serverGlobalParams.clusterAuthMode == "x509") {
- if (!sslGlobalParams.sslOnNormalPorts){
- return Status(ErrorCodes::BadValue, "need to enable sslOnNormalPorts");
+ if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_noSSL){
+ return Status(ErrorCodes::BadValue, "need to enable SSL via the sslMode flag");
}
}
else if (params.count("clusterAuthMode") &&
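Review bot: The two adjacent string literals in the BadValue return, `"need to enable SSL via the sslMode flag when"` and `"using SSL configuration parameters"`, are concatenated without a separating space, so the operator sees `...sslMode flag whenusing SSL configuration...`. Add the trailing space to the first literal: `"need to enable SSL via the sslMode flag when "`. The enclosing if/else chain begins outside the hunk.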
@@ -195,7 +231,7 @@ namespace mongo {
Status storeSSLClientOptions(const moe::Environment& params) {
if (params.count("ssl")) {
- sslGlobalParams.sslOnNormalPorts = true;
+ sslGlobalParams.sslMode.store(SSLGlobalParams::SSLMode_sslOnly);
}
if (params.count("ssl.PEMKeyFile")) {
sslGlobalParams.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>();
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index c21e166db81..dce6a9e8444 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -16,6 +16,7 @@
#pragma once
#include "mongo/base/status.h"
+#include "mongo/util/net/ssl_manager.h"
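Review bot: The header now includes `mongo/util/net/ssl_manager.h`, presumably to pull in `AtomicInt32` for the new `sslMode` member, and ssl_manager.cpp in turn defines `sslGlobalParams`, so the two headers become mutually coupled. If the include exists only for `AtomicInt32`, include the header that declares that type directly (in this tree that appears to be `mongo/platform/atomic_word.h`) and keep ssl_options.h free of the SSL manager; that is an inference from the diff, so confirm against ssl_manager.h.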
namespace mongo {
@@ -29,7 +30,8 @@ namespace mongo {
extern moe::Environment sslParsedOptions;
struct SSLGlobalParams {
- bool sslOnNormalPorts; // --sslOnNormalPorts
+ AtomicInt32 sslMode; // --sslMode - the SSL operation mode, see enum SSLModes
+ bool sslOnNormalPorts; // --sslOnNormalPorts (deprecated)
std::string sslPEMKeyFile; // --sslPEMKeyFile
std::string sslPEMKeyPassword; // --sslPEMKeyPassword
std::string sslClusterFile; // --sslInternalKeyFile
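Review bot: `sslOnNormalPorts` is kept as a member, marked deprecated, yet the constructor no longer initialises it (the `sslOnNormalPorts = false;` statement is removed in the next hunk) and nothing in this diff writes it any more, since both storeSSLServerOptions and storeSSLClientOptions now store into `sslMode` instead. Any remaining reader of the field gets whatever the object was constructed with, which is only false for the zero-initialised global. Either remove the member, or keep `sslOnNormalPorts = false;` in the constructor and document it as `// --sslOnNormalPorts (deprecated): parsed only to set sslMode, never read`. The struct's declaration continues outside the hunk.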
@@ -40,12 +42,35 @@ namespace mongo {
bool sslFIPSMode; // --sslFIPSMode
SSLGlobalParams() {
- sslOnNormalPorts = false;
+ sslMode.store(SSLMode_noSSL);
}
+
+ enum SSLModes {
+ /**
+ * Make unencrypted outgoing connections and do not accept incoming SSL-connections
+ */
+ SSLMode_noSSL,
+
+ /**
+ * Make unencrypted outgoing connections and accept both unencrypted and SSL-connections
+ */
+ SSLMode_acceptSSL,
+
+ /**
+ * Make outgoing SSL-connections and accept both unecrypted and SSL-connections
+ */
+ SSLMode_sendAcceptSSL,
+
+ /**
+ * Make outgoing SSL-connections and only accept incoming SSL-connections
+ */
+ SSLMode_sslOnly
+ };
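Review bot: The comment on `SSLMode_sendAcceptSSL` misspells "unencrypted" as `unecrypted`; since the other three enumerator comments spell it correctly, fix it to `Make outgoing SSL-connections and accept both unencrypted and SSL-connections`. The constructor above reads `SSLMode_noSSL` before the enum is declared, which compiles because member bodies are parsed after the class, but moving `enum SSLModes` ahead of the constructor would read more naturally. Also note in the member comment that the atomic holds one of these enumerators, `// --sslMode - holds an SSLModes value`, since callers compare `sslMode.load()` against them directly. The struct's declaration starts outside the hunk.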
};
extern SSLGlobalParams sslGlobalParams;
+
Status addSSLServerOptions(moe::OptionSection* options);
Status addSSLClientOptions(moe::OptionSection* options);