authorSara Golemon <sara.golemon@mongodb.com>2018-08-29 18:14:39 +0000
committerSara Golemon <sara.golemon@mongodb.com>2018-09-10 21:08:05 +0000
commit1070aa3880ac73bc1923b44a372c61c209a35f61 (patch)
tree7c306e5f83b026d59a13ed698b1b719d5753a27c /src/mongo
parent643fa66bfa58e17f70e528f2f2ed5b09c745b951 (diff)
downloadmongo-1070aa3880ac73bc1923b44a372c61c209a35f61.tar.gz
SERVER-36919 Add server setParameter tlsSuppressClientCertificate
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/util/net/ssl_manager.cpp6
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp4
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp10
-rw-r--r--src/mongo/util/net/ssl_manager_windows.cpp2
-rw-r--r--src/mongo/util/net/ssl_options.h1
-rw-r--r--src/mongo/util/net/ssl_options_server.cpp11
6 files changed, 24 insertions, 10 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index c8346091346..a0a21e6923c 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -62,6 +62,12 @@ ExportedServerParameter<bool, ServerParameterType::kStartupOnly>
suppressNoTLSPeerCertificateWarning(ServerParameterSet::getGlobal(),
"suppressNoTLSPeerCertificateWarning",
&sslGlobalParams.suppressNoTLSPeerCertificateWarning);
+
+ExportedServerParameter<bool, ServerParameterType::kStartupOnly> tlsWithholdClientCertificate(
+ ServerParameterSet::getGlobal(),
+ "tlsWithholdClientCertificate",
+ &sslGlobalParams.tlsWithholdClientCertificate);
+
} // namespace
class OpenSSLCipherConfigParameter
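Review bot: The parameter registered here is `tlsWithholdClientCertificate`, while the commit title names `tlsSuppressClientCertificate`; one of the two should be brought in line before this lands, since operators will look for the name given in the commit log. The same mismatch appears in the ssl_manager_openssl.cpp hunk, whose new comment describes certificates as having been "suppressed". The registration itself mirrors `suppressNoTLSPeerCertificateWarning` directly above and reads fine; a one-line comment saying what setting it does, e.g. `// When true, outbound TLS connections present no client certificate.`, would help the next reader, as the anonymous namespace gives no other hint.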
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 4f7cf85c3db..ac7b9d911da 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1234,6 +1234,10 @@ Status SSLManagerApple::initSSLContext(asio::ssl::apple::Context* context,
};
if (direction == ConnectionDirection::kOutgoing) {
+ if (params.tlsWithholdClientCertificate) {
+ return Status::OK();
+ }
+
const auto status = selectCertificate(
params.sslClusterCertificateSelector, params.sslClusterFile, params.sslClusterPassword);
if (context->certs || !status.isOK()) {
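Review bot: The early `return Status::OK();` leaves initSSLContext as soon as the parameter is set, so any setup that follows the outgoing-direction block (not visible here; the function starts and ends outside the hunk) is skipped on Apple, whereas the OpenSSL and Windows hunks only skip attaching the certificate and then fall through to the rest of the function. Unless selecting the cluster certificate is genuinely the last step of this function, guarding the selection instead would keep the three backends consistent: wrap the `selectCertificate(...)` call and the `if (context->certs || !status.isOK())` handling in `if (!params.tlsWithholdClientCertificate) { ... }` rather than returning. If the early return is intentional because nothing else needs to run, a comment saying so at the return would stop a later reader from "fixing" it.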
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 12d6f46d625..bf0ad8d5cca 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -746,13 +746,19 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
<< getSSLErrorMessage(ERR_get_error()));
}
- if (direction == ConnectionDirection::kOutgoing && !params.sslClusterFile.empty()) {
+ if (direction == ConnectionDirection::kOutgoing && params.tlsWithholdClientCertificate) {
+ // Do not send a client certificate if they have been suppressed.
+
+ } else if (direction == ConnectionDirection::kOutgoing && !params.sslClusterFile.empty()) {
+ // Use the configured clusterFile as our client certificate.
::EVP_set_pw_prompt("Enter cluster certificate passphrase");
if (!_setupPEM(context, params.sslClusterFile, params.sslClusterPassword)) {
return Status(ErrorCodes::InvalidSSLConfiguration, "Can not set up ssl clusterFile.");
}
+
} else if (!params.sslPEMKeyFile.empty()) {
- // Use the pemfile for everything else
+ // Use the base pemKeyFile for any other outgoing connections,
+ // as well as all incoming connections.
::EVP_set_pw_prompt("Enter PEM passphrase");
if (!_setupPEM(context, params.sslPEMKeyFile, params.sslPEMKeyPassword)) {
return Status(ErrorCodes::InvalidSSLConfiguration, "Can not set up PEM key file.");
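Review bot: The first branch of the new chain has an empty body holding only a comment, which exists solely to keep the two later branches from running; that is easy to misread as an unfinished stub and easy to break when someone reorders the chain. A named flag expresses the intent directly and keeps the chain to the two branches that do work: `const bool withholdClientCert = (direction == ConnectionDirection::kOutgoing) && params.tlsWithholdClientCertificate;` followed by `if (!withholdClientCert && direction == ConnectionDirection::kOutgoing && !params.sslClusterFile.empty()) {` and `} else if (!withholdClientCert && !params.sslPEMKeyFile.empty()) {`. Note that with the parameter set the `sslPEMKeyFile` fallback is also skipped for outgoing connections, so the context ends up with no certificate at all; the comment on the first branch should say that explicitly rather than "if they have been suppressed", which also clashes with the parameter's name. initSSLContext starts and continues outside the hunk.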
diff --git a/src/mongo/util/net/ssl_manager_windows.cpp b/src/mongo/util/net/ssl_manager_windows.cpp
index 7ac11406796..6ae5d567140 100644
--- a/src/mongo/util/net/ssl_manager_windows.cpp
+++ b/src/mongo/util/net/ssl_manager_windows.cpp
@@ -1301,7 +1301,7 @@ Status SSLManagerWindows::initSSLContext(SCHANNEL_CRED* cred,
}
if (direction == ConnectionDirection::kOutgoing) {
- if (_clientCertificates[0]) {
+ if (_clientCertificates[0] && !params.tlsWithholdClientCertificate) {
cred->cCreds = 1;
cred->paCred = _clientCertificates.data();
}
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 468073b2cbc..85b0bd44f64 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -81,6 +81,7 @@ struct SSLParams {
bool disableNonSSLConnectionLoggingSet = false;
bool suppressNoTLSPeerCertificateWarning =
false; // --setParameter suppressNoTLSPeerCertificateWarning
+ bool tlsWithholdClientCertificate = false; // --setParameter tlsWithholdClientCertificate
SSLParams() {
sslMode.store(SSLMode_disabled);
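Review bot: The trailing comment on the new field only repeats the setParameter name, so the header gives no indication of what the flag changes; the sibling `suppressNoTLSPeerCertificateWarning` comment has the same shape, but this flag alters which credentials are sent on the wire and deserves a sentence. Suggested comment: `// --setParameter tlsWithholdClientCertificate: when true, outbound TLS connections present no client certificate (neither clusterFile nor PEMKeyFile).` The SSLParams struct begins outside the hunk.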
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index a18856baaf8..8ccc3f30cc1 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -116,13 +116,10 @@ Status addSSLServerOptions(moe::OptionSection* options) {
{"net.ssl.CAFile"},
{"sslCAFile"});
- options
- ->addOptionChaining("net.tls.clusterCAFile",
- "tlsClusterCAFile",
- moe::String,
- "CA used for verifying remotes during outbound connections")
- .requires("net.tls.clusterFile")
- .requires("net.tls.CAFile");
+ options->addOptionChaining("net.tls.clusterCAFile",
+ "tlsClusterCAFile",
+ moe::String,
+ "CA used for verifying remotes during outbound connections");
options->addOptionChaining("net.tls.CRLFile",
"tlsCRLFile",
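Review bot: Dropping `.requires("net.tls.clusterFile")` and `.requires("net.tls.CAFile")` from `tlsClusterCAFile` is not mentioned in the commit message, which only describes adding a server parameter, and it changes what configurations the option parser accepts: a cluster CA can now be configured without a CA file or cluster certificate being present. If the `ssl`-prefixed spelling of this option (registered elsewhere; only `sslCAFile` is visible in the context lines) still carries those constraints, the two spellings will now diverge, which is presumably not intended. Either the commit description should say why the constraints are removed (for instance if they are now enforced later in validation) or the `.requires(...)` calls should be kept on the rewritten `addOptionChaining` call. addSSLServerOptions continues outside the hunk.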