authorsamantharitter <samantha.ritter@10gen.com>2016-09-13 17:19:22 -0400
committersamantharitter <samantha.ritter@10gen.com>2016-09-13 17:19:22 -0400
commit15a614f37f91736e01580893d47c39cc7df9aa1c (patch)
treee7d8f714a7d30137383269bb4f079434feae0918 /src/mongo
parentd222cf41518a58abc631fa6a046aadf9055bf93e (diff)
Revert "SERVER-25151 Honor 'ssl' option in URIs passed to the shell"
This reverts commit 7c3878adaf73736c33c7f65b718d8b5705c36142.
Diffstat (limited to 'src/mongo')
-rw-r--r--src/mongo/client/connection_pool.cpp2
-rw-r--r--src/mongo/client/connection_string.h4
-rw-r--r--src/mongo/client/connection_string_connect.cpp14
-rw-r--r--src/mongo/client/dbclient.cpp49
-rw-r--r--src/mongo/client/dbclient_rs.cpp8
-rw-r--r--src/mongo/client/dbclient_rs.h6
-rw-r--r--src/mongo/client/dbclientinterface.h4
-rw-r--r--src/mongo/client/mongo_uri_connect.cpp2
-rw-r--r--src/mongo/db/commands/authentication_commands.cpp2
-rw-r--r--src/mongo/db/commands/server_status.cpp2
-rw-r--r--src/mongo/db/commands/user_management_commands.cpp2
-rw-r--r--src/mongo/executor/network_interface_asio_auth.cpp2
-rw-r--r--src/mongo/executor/network_interface_factory.cpp4
-rw-r--r--src/mongo/scripting/mozjs/mongo.cpp8
-rw-r--r--src/mongo/shell/shell_options.cpp2
-rw-r--r--src/mongo/util/net/asio_message_port.cpp20
-rw-r--r--src/mongo/util/net/asio_ssl_context.cpp9
-rw-r--r--src/mongo/util/net/asio_ssl_context.h6
-rw-r--r--src/mongo/util/net/httpclient.cpp4
-rw-r--r--src/mongo/util/net/listen.cpp19
-rw-r--r--src/mongo/util/net/listen.h3
-rw-r--r--src/mongo/util/net/ssl_manager.cpp22
-rw-r--r--src/mongo/util/net/ssl_manager.h2
23 files changed, 87 insertions, 109 deletions
diff --git a/src/mongo/client/connection_pool.cpp b/src/mongo/client/connection_pool.cpp
index c53f1d5a272..b70acd25daf 100644
--- a/src/mongo/client/connection_pool.cpp
+++ b/src/mongo/client/connection_pool.cpp
@@ -31,7 +31,6 @@
#include "mongo/client/connection_pool.h"
#include "mongo/client/connpool.h"
-#include "mongo/client/mongo_uri.h"
#include "mongo/db/auth/authorization_manager_global.h"
#include "mongo/db/auth/internal_user_auth.h"
#include "mongo/executor/network_connection_hook.h"
@@ -173,7 +172,6 @@ ConnectionPool::ConnectionList::iterator ConnectionPool::acquireConnection(
conn.reset(new DBClientConnection(
false, // auto reconnect
0, // socket timeout
- {}, // MongoURI
[this, target](const executor::RemoteCommandResponse& isMasterReply) {
return _hook->validateHost(target, isMasterReply);
}));
diff --git a/src/mongo/client/connection_string.h b/src/mongo/client/connection_string.h
index e8fc8eb2637..245174794d9 100644
--- a/src/mongo/client/connection_string.h
+++ b/src/mongo/client/connection_string.h
@@ -40,7 +40,6 @@
namespace mongo {
class DBClientBase;
-class MongoURI;
/**
* ConnectionString handles parsing different ways to connect to mongo and determining method
@@ -119,8 +118,7 @@ public:
DBClientBase* connect(StringData applicationName,
std::string& errmsg,
- double socketTimeout = 0,
- const MongoURI* uri = nullptr) const;
+ double socketTimeout = 0) const;
static StatusWith<ConnectionString> parse(const std::string& url);
diff --git a/src/mongo/client/connection_string_connect.cpp b/src/mongo/client/connection_string_connect.cpp
index e4c99dd37e1..64c2258fc5d 100644
--- a/src/mongo/client/connection_string_connect.cpp
+++ b/src/mongo/client/connection_string_connect.cpp
@@ -36,7 +36,6 @@
#include "mongo/client/dbclient_rs.h"
#include "mongo/client/dbclientinterface.h"
-#include "mongo/client/mongo_uri.h"
#include "mongo/stdx/memory.h"
#include "mongo/util/assert_util.h"
#include "mongo/util/log.h"
@@ -48,17 +47,10 @@ ConnectionString::ConnectionHook* ConnectionString::_connectHook = NULL;
DBClientBase* ConnectionString::connect(StringData applicationName,
std::string& errmsg,
- double socketTimeout,
- const MongoURI* uri) const {
- MongoURI newURI{};
- if (uri) {
- newURI = *uri;
- }
-
+ double socketTimeout) const {
switch (_type) {
case MASTER: {
- auto c = stdx::make_unique<DBClientConnection>(true, 0, std::move(newURI));
-
+ auto c = stdx::make_unique<DBClientConnection>(true);
c->setSoTimeout(socketTimeout);
LOG(1) << "creating new connection to:" << _servers[0];
if (!c->connect(_servers[0], applicationName, errmsg)) {
@@ -70,7 +62,7 @@ DBClientBase* ConnectionString::connect(StringData applicationName,
case SET: {
auto set = stdx::make_unique<DBClientReplicaSet>(
- _setName, _servers, applicationName, socketTimeout, std::move(newURI));
+ _setName, _servers, applicationName, socketTimeout);
if (!set->connect()) {
errmsg = "connect failed to replica set ";
errmsg += toString();
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp
index 8b549764da5..faace525444 100644
--- a/src/mongo/client/dbclient.cpp
+++ b/src/mongo/client/dbclient.cpp
@@ -90,6 +90,25 @@ using std::vector;
using executor::RemoteCommandRequest;
using executor::RemoteCommandResponse;
+namespace {
+
+#ifdef MONGO_CONFIG_SSL
+static SimpleMutex s_mtx;
+static SSLManagerInterface* s_sslMgr(NULL);
+
+SSLManagerInterface* sslManager() {
+ stdx::lock_guard<SimpleMutex> lk(s_mtx);
+ if (s_sslMgr) {
+ return s_sslMgr;
+ }
+
+ s_sslMgr = getSSLManager();
+ return s_sslMgr;
+}
+#endif
+
+} // namespace
+
AtomicInt64 DBClientBase::ConnectionIdSequence;
/* --- dbclientcommands --- */
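Review bot: The new `sslManager()` helper caches the result of `getSSLManager()` behind a second mutex, but nothing in the hunk says why the cache is needed, and `getSSLManager()` as changed in ssl_manager.cpp in this same commit already takes its own lock on every call. Either call `getSSLManager()` directly or add a comment above the helper such as `// Caches the process-wide SSL manager; stays null (and is re-queried on each call) while SSL is disabled.` The `static` on `s_mtx` and `s_sslMgr` is redundant inside the anonymous namespace, and `nullptr` instead of `NULL` would match the comparison this commit adds in `_auth`.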
@@ -421,8 +440,8 @@ void DBClientWithCommands::_auth(const BSONObj& params) {
// We will only have a client name if SSL is enabled
std::string clientName = "";
#ifdef MONGO_CONFIG_SSL
- if (SSLEnabled()) {
- clientName = getSSLManager()->getSSLConfiguration().clientSubjectName;
+ if (sslManager() != nullptr) {
+ clientName = sslManager()->getSSLConfiguration().clientSubjectName;
}
#endif
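Review bot: `sslManager()` is called twice here, once for the null test and once for the dereference, and each call takes the mutex; binding the pointer once is shorter and leaves no gap between check and use: `if (auto* mgr = sslManager()) { clientName = mgr->getSSLConfiguration().clientSubjectName; }`. The same check-then-call-again shape appears with `getSSLManager()` in the server_status.cpp, user_management_commands.cpp, network_interface_asio_auth.cpp and asio_message_port.cpp initializer hunks, while network_interface_factory.cpp already uses the single-binding form. `_auth` continues outside the hunk.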
@@ -878,25 +897,9 @@ Status DBClientConnection::connectSocketOnly(const HostAndPort& serverAddress) {
}
#ifdef MONGO_CONFIG_SSL
- // Prefer to get SSL mode directly from our URI, but if it is not set, fall back to
- // checking global SSL params. DBClientConnections create through the shell will have a
- // meaningful URI set, but DBClientConnections created from within the server may not.
- int sslMode;
- auto options = _uri.getOptions();
- auto iter = options.find("ssl");
- if (iter != options.end()) {
- if (iter->second == "true") {
- sslMode = SSLParams::SSLMode_requireSSL;
- } else {
- sslMode = SSLParams::SSLMode_disabled;
- }
- } else {
- sslMode = sslGlobalParams.sslMode.load();
- }
-
- if (sslMode == SSLParams::SSLMode_preferSSL || sslMode == SSLParams::SSLMode_requireSSL) {
- uassert(40312, "SSL is not enabled; cannot create an SSL connection", SSLEnabled());
- if (!_port->secure(getSSLManager(), serverAddress.host())) {
+ int sslModeVal = sslGlobalParams.sslMode.load();
+ if (sslModeVal == SSLParams::SSLMode_preferSSL || sslModeVal == SSLParams::SSLMode_requireSSL) {
+ if (!_port->secure(sslManager(), serverAddress.host())) {
return Status(ErrorCodes::SSLHandshakeFailed, "Failed to initialize SSL on connection");
}
}
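Review bot: With the `uassert(40312, …)` gone, nothing on this path checks that `sslManager()` returned a manager before it is handed to `_port->secure()`. The mode test reads `sslGlobalParams.sslMode` at connect time, while the manager is created only once in the SSLManager initializer, so the two can disagree (for example, if a connection is attempted before that initializer has run); what `secure()` does with a null manager is not visible here. A guard such as `auto* mgr = sslManager(); if (!mgr) return Status(ErrorCodes::SSLHandshakeFailed, "SSL manager is not initialized");` keeps the failure explicit instead of relying on the callee. `connectSocketOnly` starts and ends outside the hunk.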
@@ -1293,14 +1296,12 @@ void DBClientWithCommands::createIndex(StringData ns, const IndexSpec& descripto
DBClientConnection::DBClientConnection(bool _autoReconnect,
double so_timeout,
- MongoURI uri,
const HandshakeValidationHook& hook)
: _failed(false),
autoReconnect(_autoReconnect),
autoReconnectBackoff(1000, 2000),
_so_timeout(so_timeout),
- _hook(hook),
- _uri(std::move(uri)) {
+ _hook(hook) {
_numConnections.fetchAndAdd(1);
}
diff --git a/src/mongo/client/dbclient_rs.cpp b/src/mongo/client/dbclient_rs.cpp
index bd8ec5863c9..584d4c61f10 100644
--- a/src/mongo/client/dbclient_rs.cpp
+++ b/src/mongo/client/dbclient_rs.cpp
@@ -136,12 +136,8 @@ bool DBClientReplicaSet::_authPooledSecondaryConn = true;
DBClientReplicaSet::DBClientReplicaSet(const string& name,
const vector<HostAndPort>& servers,
StringData applicationName,
- double so_timeout,
- MongoURI uri)
- : _setName(name),
- _applicationName(applicationName.toString()),
- _so_timeout(so_timeout),
- _uri(std::move(uri)) {
+ double so_timeout)
+ : _setName(name), _applicationName(applicationName.toString()), _so_timeout(so_timeout) {
_rsm =
ReplicaSetMonitor::createIfNeeded(name, set<HostAndPort>(servers.begin(), servers.end()));
}
diff --git a/src/mongo/client/dbclient_rs.h b/src/mongo/client/dbclient_rs.h
index 17f25904c25..1876ac20068 100644
--- a/src/mongo/client/dbclient_rs.h
+++ b/src/mongo/client/dbclient_rs.h
@@ -32,7 +32,6 @@
#include <utility>
#include "mongo/client/dbclientinterface.h"
-#include "mongo/client/mongo_uri.h"
#include "mongo/util/net/hostandport.h"
namespace mongo {
@@ -61,8 +60,7 @@ public:
DBClientReplicaSet(const std::string& name,
const std::vector<HostAndPort>& servers,
StringData applicationName,
- double so_timeout = 0,
- MongoURI uri = {});
+ double so_timeout = 0);
virtual ~DBClientReplicaSet();
/**
@@ -327,8 +325,6 @@ private:
// not sure if/how we should handle
std::map<std::string, BSONObj> _auths; // dbName -> auth parameters
- MongoURI _uri;
-
protected:
/**
* for storing (non-threadsafe) information between lazy calls
diff --git a/src/mongo/client/dbclientinterface.h b/src/mongo/client/dbclientinterface.h
index cae03e8bf08..62e09660524 100644
--- a/src/mongo/client/dbclientinterface.h
+++ b/src/mongo/client/dbclientinterface.h
@@ -33,7 +33,6 @@
#include "mongo/base/string_data.h"
#include "mongo/client/connection_string.h"
#include "mongo/client/index_spec.h"
-#include "mongo/client/mongo_uri.h"
#include "mongo/client/query.h"
#include "mongo/client/read_preference.h"
#include "mongo/db/jsobj.h"
@@ -980,7 +979,6 @@ public:
*/
DBClientConnection(bool _autoReconnect = false,
double so_timeout = 0,
- MongoURI uri = {},
const HandshakeValidationHook& hook = HandshakeValidationHook());
virtual ~DBClientConnection() {
@@ -1190,8 +1188,6 @@ private:
HandshakeValidationHook _hook;
MessageCompressorManager _compressorManager;
-
- MongoURI _uri;
};
BSONElement getErrField(const BSONObj& result);
diff --git a/src/mongo/client/mongo_uri_connect.cpp b/src/mongo/client/mongo_uri_connect.cpp
index 140af0fff1d..7909e0bd5cd 100644
--- a/src/mongo/client/mongo_uri_connect.cpp
+++ b/src/mongo/client/mongo_uri_connect.cpp
@@ -177,7 +177,7 @@ DBClientBase* MongoURI::connect(StringData applicationName, std::string& errmsg)
}
}
- auto ret = _connectString.connect(applicationName, errmsg, socketTimeout, this);
+ auto ret = _connectString.connect(applicationName, errmsg, socketTimeout);
if (!ret) {
return ret;
}
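Review bot: After this change the URI's options no longer reach the connection, so a URI that carries `ssl=true` is connected according to the global `sslMode` only and can end up on a plaintext socket without any indication to the user. Until the option is honoured again, `MongoURI::connect` should at least refuse or warn when the parsed options contain `ssl=true` and the global mode is disabled, rather than silently dropping the request. The function body starts and ends outside the hunk, so whether such a check already exists elsewhere in it cannot be seen from here.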
diff --git a/src/mongo/db/commands/authentication_commands.cpp b/src/mongo/db/commands/authentication_commands.cpp
index e39d40ecb04..f6fcc301b05 100644
--- a/src/mongo/db/commands/authentication_commands.cpp
+++ b/src/mongo/db/commands/authentication_commands.cpp
@@ -311,7 +311,7 @@ Status CmdAuthenticate::_authenticateCR(OperationContext* txn,
Status CmdAuthenticate::_authenticateX509(OperationContext* txn,
const UserName& user,
const BSONObj& cmdObj) {
- if (!SSLEnabled()) {
+ if (!getSSLManager()) {
return Status(ErrorCodes::ProtocolError,
"SSL support is required for the MONGODB-X509 mechanism.");
}
diff --git a/src/mongo/db/commands/server_status.cpp b/src/mongo/db/commands/server_status.cpp
index c7a5d493cbd..67716cf7a14 100644
--- a/src/mongo/db/commands/server_status.cpp
+++ b/src/mongo/db/commands/server_status.cpp
@@ -297,7 +297,7 @@ public:
BSONObj generateSection(OperationContext* txn, const BSONElement& configElement) const {
BSONObj result;
- if (SSLEnabled()) {
+ if (getSSLManager()) {
result = getSSLManager()->getSSLConfiguration().getServerStatusBSON();
}
diff --git a/src/mongo/db/commands/user_management_commands.cpp b/src/mongo/db/commands/user_management_commands.cpp
index 440d434f6cc..797ea21fe4e 100644
--- a/src/mongo/db/commands/user_management_commands.cpp
+++ b/src/mongo/db/commands/user_management_commands.cpp
@@ -654,7 +654,7 @@ public:
}
#ifdef MONGO_CONFIG_SSL
- if (args.userName.getDB() == "$external" && SSLEnabled() &&
+ if (args.userName.getDB() == "$external" && getSSLManager() &&
getSSLManager()->getSSLConfiguration().isClusterMember(args.userName.getUser())) {
return appendCommandStatus(result,
Status(ErrorCodes::BadValue,
diff --git a/src/mongo/executor/network_interface_asio_auth.cpp b/src/mongo/executor/network_interface_asio_auth.cpp
index 1499d3bf72f..78c66318805 100644
--- a/src/mongo/executor/network_interface_asio_auth.cpp
+++ b/src/mongo/executor/network_interface_asio_auth.cpp
@@ -179,7 +179,7 @@ void NetworkInterfaceASIO::_authenticate(AsyncOp* op) {
// We will only have a valid clientName if SSL is enabled.
std::string clientName;
#ifdef MONGO_CONFIG_SSL
- if (SSLEnabled()) {
+ if (getSSLManager()) {
clientName = getSSLManager()->getSSLConfiguration().clientSubjectName;
}
#endif
diff --git a/src/mongo/executor/network_interface_factory.cpp b/src/mongo/executor/network_interface_factory.cpp
index 2a1e5a82c0c..8a3f0e8f7cc 100644
--- a/src/mongo/executor/network_interface_factory.cpp
+++ b/src/mongo/executor/network_interface_factory.cpp
@@ -60,8 +60,8 @@ std::unique_ptr<NetworkInterface> makeNetworkInterface(
options.timerFactory = stdx::make_unique<AsyncTimerFactoryASIO>();
#ifdef MONGO_CONFIG_SSL
- if (SSLEnabled()) {
- options.streamFactory = stdx::make_unique<AsyncSecureStreamFactory>(getSSLManager());
+ if (SSLManagerInterface* manager = getSSLManager()) {
+ options.streamFactory = stdx::make_unique<AsyncSecureStreamFactory>(manager);
}
#endif
diff --git a/src/mongo/scripting/mozjs/mongo.cpp b/src/mongo/scripting/mozjs/mongo.cpp
index 0dd264f8cc3..8df2629c08f 100644
--- a/src/mongo/scripting/mozjs/mongo.cpp
+++ b/src/mongo/scripting/mozjs/mongo.cpp
@@ -685,10 +685,10 @@ void MongoExternalInfo::construct(JSContext* cx, JS::CallArgs args) {
}
auto statusWithHost = MongoURI::parse(host);
- auto uri = uassertStatusOK(statusWithHost);
+ auto cs = uassertStatusOK(statusWithHost);
std::string errmsg;
- std::unique_ptr<DBClientBase> conn(uri.connect("MongoDB Shell", errmsg));
+ std::unique_ptr<DBClientBase> conn(cs.connect("MongoDB Shell", errmsg));
if (!conn.get()) {
uasserted(ErrorCodes::InternalError, errmsg);
@@ -703,8 +703,8 @@ void MongoExternalInfo::construct(JSContext* cx, JS::CallArgs args) {
JS_SetPrivate(thisv, new std::shared_ptr<DBClientBase>(conn.release()));
o.setBoolean(InternedString::slaveOk, false);
- o.setString(InternedString::host, uri.toString());
- auto defaultDB = uri.getDatabase() == "" ? "test" : uri.getDatabase();
+ o.setString(InternedString::host, cs.toString());
+ auto defaultDB = cs.getDatabase() == "" ? "test" : cs.getDatabase();
o.setString(InternedString::defaultDB, defaultDB);
args.rval().setObjectOrNull(thisv);
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index cbb007641b5..1b378836c35 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -238,7 +238,6 @@ Status storeMongoShellOptions(const moe::Environment& params,
if (params.count("quiet")) {
mongo::serverGlobalParams.quiet = true;
}
-
#ifdef MONGO_CONFIG_SSL
ret = storeSSLClientOptions(params);
if (!ret.isOK()) {
@@ -248,7 +247,6 @@ Status storeMongoShellOptions(const moe::Environment& params,
if (params.count("ipv6")) {
mongo::enableIPv6();
}
-
if (params.count("verbose")) {
logger::globalLogDomain()->setMinimumLoggedSeverity(logger::LogSeverity::Debug(1));
}
diff --git a/src/mongo/util/net/asio_message_port.cpp b/src/mongo/util/net/asio_message_port.cpp
index 403949ad7cb..19413c53435 100644
--- a/src/mongo/util/net/asio_message_port.cpp
+++ b/src/mongo/util/net/asio_message_port.cpp
@@ -64,8 +64,12 @@ struct ASIOSSLContextPair {
const auto sslDecoration = SSLManagerInterface::declareDecoration<ASIOSSLContextPair>();
MONGO_INITIALIZER_WITH_PREREQUISITES(ASIOSSLContextSetup, ("SSLManager"))(InitializerContext*) {
- sslDecoration(getSSLManager()).server.init(SSLManagerInterface::ConnectionDirection::kIncoming);
- sslDecoration(getSSLManager()).client.init(SSLManagerInterface::ConnectionDirection::kOutgoing);
+ if (getSSLManager()) {
+ sslDecoration(getSSLManager())
+ .server.init(SSLManagerInterface::ConnectionDirection::kIncoming);
+ sslDecoration(getSSLManager())
+ .client.init(SSLManagerInterface::ConnectionDirection::kOutgoing);
+ }
return Status::OK();
}
#endif
@@ -89,9 +93,9 @@ ASIOMessagingPort::ASIOMessagingPort(int fd, SockAddr farEnd)
#ifdef MONGO_CONFIG_SSL
_context(ASIOSSLContext()),
_sslSock(_service,
- SSLEnabled() ? sslDecoration(getSSLManager()).server.getContext()
- : _context->getContext()) {
- if (SSLEnabled()) {
+ getSSLManager() ? sslDecoration(getSSLManager()).server.getContext()
+ : _context->getContext()) {
+ if (getSSLManager()) {
_context = boost::none;
}
_sslSock.lowest_layer().assign(
@@ -127,9 +131,9 @@ ASIOMessagingPort::ASIOMessagingPort(Milliseconds timeout, logger::LogSeverity l
#ifdef MONGO_CONFIG_SSL
_context(ASIOSSLContext()),
_sslSock(_service,
- SSLEnabled() ? sslDecoration(getSSLManager()).client.getContext()
- : _context->getContext()) {
- if (SSLEnabled()) {
+ getSSLManager() ? sslDecoration(getSSLManager()).client.getContext()
+ : _context->getContext()) {
+ if (getSSLManager()) {
_context = boost::none;
}
#else
diff --git a/src/mongo/util/net/asio_ssl_context.cpp b/src/mongo/util/net/asio_ssl_context.cpp
index 49cc99e6b56..eb9f4c2fa68 100644
--- a/src/mongo/util/net/asio_ssl_context.cpp
+++ b/src/mongo/util/net/asio_ssl_context.cpp
@@ -42,14 +42,15 @@
namespace mongo {
ASIOSSLContext::ASIOSSLContext()
- : _context(stdx::make_unique<asio::ssl::context>(asio::ssl::context::sslv23)) {}
+ : _context(stdx::make_unique<asio::ssl::context>(asio::ssl::context::sslv23)),
+ _mode(static_cast<SSLParams::SSLModes>(getSSLGlobalParams().sslMode.load())) {}
ASIOSSLContext::ASIOSSLContext(ASIOSSLContext&& other) = default;
ASIOSSLContext& ASIOSSLContext::operator=(ASIOSSLContext&& other) = default;
void ASIOSSLContext::init(SSLManagerInterface::ConnectionDirection direction) {
- if (SSLEnabled()) {
+ if (_mode != SSLParams::SSLMode_disabled) {
uassertStatusOK(getSSLManager()->initSSLContext(
_context->native_handle(), getSSLGlobalParams(), direction));
}
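Review bot: `init()` now gates on `_mode`, a snapshot of `sslMode` taken in the constructor, and then dereferences `getSSLManager()` unconditionally, while ssl_manager.cpp in this commit creates the manager only if `sslMode` was not disabled when the SSLManager initializer ran. If those two readings ever differ, this is a null dereference; the caller in asio_message_port.cpp guards with `if (getSSLManager())`, but `init()` itself does not. Testing the pointer directly removes the second source of truth: `if (auto* mgr = getSSLManager()) { uassertStatusOK(mgr->initSSLContext(_context->native_handle(), getSSLGlobalParams(), direction)); }`. `init()` closes outside the hunk.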
@@ -59,6 +60,10 @@ asio::ssl::context& ASIOSSLContext::getContext() {
return *_context;
}
+SSLParams::SSLModes ASIOSSLContext::sslMode() const {
+ return _mode;
+}
+
} // namespace mongo
#endif // MONGO_CONFIG_SSL
diff --git a/src/mongo/util/net/asio_ssl_context.h b/src/mongo/util/net/asio_ssl_context.h
index f19379b781a..53a68f1e1a3 100644
--- a/src/mongo/util/net/asio_ssl_context.h
+++ b/src/mongo/util/net/asio_ssl_context.h
@@ -66,8 +66,14 @@ public:
*/
asio::ssl::context& getContext();
+ /**
+ * The SSL operation mode. See enum SSLModes in ssl_options.h
+ */
+ SSLParams::SSLModes sslMode() const;
+
private:
std::unique_ptr<asio::ssl::context> _context;
+ SSLParams::SSLModes _mode;
};
} // namespace mongo
#else
diff --git a/src/mongo/util/net/httpclient.cpp b/src/mongo/util/net/httpclient.cpp
index 4b9714a3e02..2cd94c0635f 100644
--- a/src/mongo/util/net/httpclient.cpp
+++ b/src/mongo/util/net/httpclient.cpp
@@ -120,10 +120,6 @@ int HttpClient::_go(const char* command, string url, const char* body, Result* r
if (ssl) {
#ifdef MONGO_CONFIG_SSL
- if (!SSLEnabled()) {
- uasserted(40308, "no ssl support");
- }
-
// pointer to global singleton instance
SSLManagerInterface* mgr = getSSLManager();
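Review bot: Removing the `SSLEnabled()` check leaves `mgr` as the only signal that SSL is usable, and with this commit `getSSLManager()` returns null whenever `sslMode` is disabled. The hunk ends on the assignment, so please confirm that the lines after it reject a null `mgr` before the socket is secured, for example `uassert(<error code>, "no ssl support", mgr != nullptr);` (the error code is a placeholder). `_go` starts and ends outside the hunk.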
diff --git a/src/mongo/util/net/listen.cpp b/src/mongo/util/net/listen.cpp
index f10cf748ee4..1842a091b41 100644
--- a/src/mongo/util/net/listen.cpp
+++ b/src/mongo/util/net/listen.cpp
@@ -145,8 +145,7 @@ Listener::Listener(const string& name,
_ctx(ctx),
_setAsServiceCtxDecoration(setAsServiceCtxDecoration) {
#ifdef MONGO_CONFIG_SSL
- _sslEnabled = SSLEnabled();
- _sslManager = getSSLManager();
+ _ssl = getSSLManager();
#endif
if (setAsServiceCtxDecoration) {
auto& listener = getListener(ctx);
@@ -267,7 +266,7 @@ void Listener::initAndListen() {
}
#ifdef MONGO_CONFIG_SSL
- _logListen(_port, _sslEnabled);
+ _logListen(_port, _ssl);
#else
_logListen(_port, false);
#endif
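Review bot: `_logListen(_port, _ssl)` passes an `SSLManagerInterface*` where the parameter is a `bool`, relying on an implicit pointer-to-bool conversion; `_logListen(_port, _ssl != nullptr)` states the intent and would not silently change meaning if the parameter type were altered later. The same call appears in the hunk at `@@ -433,7 +432,7 @@`. The member name `_ssl` also no longer says that it holds the manager, so a one-line comment on its declaration in listen.h, such as `// SSL manager used for accepted sockets; null when SSL is disabled.`, would help the next reader.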
@@ -359,8 +358,8 @@ void Listener::initAndListen() {
std::shared_ptr<Socket> pnewSock(new Socket(s, from));
#ifdef MONGO_CONFIG_SSL
- if (_sslEnabled) {
- pnewSock->secureAccepted(_sslManager);
+ if (_ssl) {
+ pnewSock->secureAccepted(_ssl);
}
#endif
_accepted(pnewSock, myConnectionNumber);
@@ -433,7 +432,7 @@ void Listener::initAndListen() {
}
#ifdef MONGO_CONFIG_SSL
- _logListen(_port, _sslEnabled);
+ _logListen(_port, _ssl);
#else
_logListen(_port, false);
#endif
@@ -569,8 +568,8 @@ void Listener::initAndListen() {
std::shared_ptr<Socket> pnewSock(new Socket(s, from));
#ifdef MONGO_CONFIG_SSL
- if (_sslEnabled) {
- pnewSock->secureAccepted(_sslManager);
+ if (_ssl) {
+ pnewSock->secureAccepted(_ssl);
}
#endif
_accepted(pnewSock, myConnectionNumber);
@@ -578,9 +577,9 @@ void Listener::initAndListen() {
}
#endif
-void Listener::_logListen(int port, bool sslEnabled) {
+void Listener::_logListen(int port, bool ssl) {
log() << _name << (_name.size() ? " " : "") << "waiting for connections on port " << port
- << (sslEnabled ? " ssl" : "");
+ << (ssl ? " ssl" : "");
}
void Listener::waitUntilListening() const {
diff --git a/src/mongo/util/net/listen.h b/src/mongo/util/net/listen.h
index ee744ca4e1c..f0c66a41d60 100644
--- a/src/mongo/util/net/listen.h
+++ b/src/mongo/util/net/listen.h
@@ -104,8 +104,7 @@ private:
virtual void _accepted(const std::shared_ptr<Socket>& psocket, long long connectionId);
#ifdef MONGO_CONFIG_SSL
- bool _sslEnabled;
- SSLManagerInterface* _sslManager;
+ SSLManagerInterface* _ssl;
#endif
void _logListen(int port, bool ssl);
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 557bb090d4e..47ffcf83a01 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -356,10 +356,6 @@ void setupFIPS() {
}
} // namespace
-bool SSLEnabled() {
- return getSSLGlobalParams().sslMode.load() != SSLParams::SSLModes::SSLMode_disabled;
-}
-
// Global variable indicating if this is a server or a client instance
bool isSSLServer = false;
@@ -388,7 +384,10 @@ MONGO_INITIALIZER(SetupOpenSSL)(InitializerContext*) {
}
MONGO_INITIALIZER_WITH_PREREQUISITES(SSLManager, ("SetupOpenSSL"))(InitializerContext*) {
- theSSLManager = new SSLManager(sslGlobalParams, isSSLServer);
+ stdx::lock_guard<SimpleMutex> lck(sslManagerMtx);
+ if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) {
+ theSSLManager = new SSLManager(sslGlobalParams, isSSLServer);
+ }
return Status::OK();
}
@@ -398,7 +397,10 @@ std::unique_ptr<SSLManagerInterface> SSLManagerInterface::create(const SSLParams
}
SSLManagerInterface* getSSLManager() {
- return theSSLManager;
+ stdx::lock_guard<SimpleMutex> lck(sslManagerMtx);
+ if (theSSLManager)
+ return theSSLManager;
+ return NULL;
}
std::string getCertificateSubjectName(X509* cert) {
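Review bot: The new body of `getSSLManager()` is equivalent to `return theSSLManager;` under the lock; the `if` / `return NULL` pair adds nothing, and the brace-less `if` is out of step with the surrounding code. The lock covers only the read of the pointer, not what callers do with it afterwards, so a short comment on what `sslManagerMtx` is meant to protect would be useful. Because callers across this commit now treat a null return as "SSL disabled", the declaration in ssl_manager.h should state that contract, e.g. `// Returns nullptr when sslMode is disabled.`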
@@ -429,7 +431,7 @@ SSLConnection::SSLConnection(SSL_CTX* context, Socket* sock, const char* initial
ssl = SSL_new(context);
std::string sslErr =
- SSLEnabled() ? getSSLManager()->getSSLErrorMessage(ERR_get_error()) : "SSL is not enabled";
+ NULL != getSSLManager() ? getSSLManager()->getSSLErrorMessage(ERR_get_error()) : "";
massert(15861, "Error creating new SSL object " + sslErr, ssl);
BIO_new_bio_pair(&internalBIO, BUFFER_SIZE, &networkBIO, BUFFER_SIZE);
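Review bot: When no manager exists the `massert` text now ends in an empty detail, so a failed `SSL_new()` reports only "Error creating new SSL object " with nothing to tell a missing manager from a real OpenSSL failure; an explicit fallback such as `: "SSL manager not available";` keeps that distinction in the log. `sslErr` is also built before the assertion is evaluated, so `ERR_get_error()` is consumed and `getSSLManager()` is locked twice even when `ssl` is valid; binding the manager to a local and fetching the error only when `ssl` is null would avoid both. The constructor starts and ends outside the hunk.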
@@ -505,11 +507,6 @@ SSLManager::SSLManager(const SSLParams& params, bool isServer)
_weakValidation(params.sslWeakCertificateValidation),
_allowInvalidCertificates(params.sslAllowInvalidCertificates),
_allowInvalidHostnames(params.sslAllowInvalidHostnames) {
- // If we are running with SSL disabled (sslMode != disabled) then do nothing.
- if (params.sslMode.load() == SSLParams::SSLModes::SSLMode_disabled) {
- return;
- }
-
if (!_initSynchronousSSLContext(&_clientContext, params, ConnectionDirection::kOutgoing)) {
uasserted(16768, "ssl initialization problem");
}
@@ -536,7 +533,6 @@ SSLManager::SSLManager(const SSLParams& params, bool isServer)
uasserted(16562, "ssl initialization problem");
}
- log() << "about to read keyfile from " << params.sslPEMKeyFile;
if (!_parseAndValidateCertificate(params.sslPEMKeyFile,
&_sslConfiguration.serverSubjectName,
&_sslConfiguration.serverCertificateExpirationDate)) {
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index e3b6deb405f..ef7ad5c403b 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -188,8 +188,6 @@ public:
SSL* ssl, const std::string& remoteHost) = 0;
};
-bool SSLEnabled();
-
// Access SSL functions through this instance.
SSLManagerInterface* getSSLManager();