authorAndreas Nilsson <andreas.nilsson@10gen.com>2014-02-19 10:19:15 -0500
committerAndreas Nilsson <andreas.nilsson@10gen.com>2014-02-19 15:34:35 -0500
commit7824eac06e596d26165744229c3121af55305534 (patch)
tree4c4ac8a9d02c40ab31c64bb80cfe23089a59cf08 /src
parent28327ab66e97d3319ca2baf001385a38825da84c (diff)
downloadmongo-7824eac06e596d26165744229c3121af55305534.tar.gz
SERVER-12748 Prevent invalid sslMode and clusterAuthMode combinations
Diffstat (limited to 'src')
-rw-r--r--src/mongo/db/commands/parameters.cpp7
-rw-r--r--src/mongo/util/net/ssl_options.cpp10
2 files changed, 15 insertions, 2 deletions
diff --git a/src/mongo/db/commands/parameters.cpp b/src/mongo/db/commands/parameters.cpp
index daad441a30a..a1ad06d4f69 100644
--- a/src/mongo/db/commands/parameters.cpp
+++ b/src/mongo/db/commands/parameters.cpp
@@ -354,8 +354,15 @@ namespace mongo {
}
int oldMode = serverGlobalParams.clusterAuthMode.load();
+ int sslMode = sslGlobalParams.sslMode.load();
if (str == "sendX509" &&
oldMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile) {
+ if (sslMode == SSLGlobalParams::SSLMode_disabled ||
+ sslMode == SSLGlobalParams::SSLMode_allowSSL) {
+ return Status(ErrorCodes::BadValue, mongoutils::str::stream() <<
+ "Illegal state transition for clusterAuthMode, " <<
+ "need to enable SSL for outgoing connections");
+ }
serverGlobalParams.clusterAuthMode.store
(ServerGlobalParams::ClusterAuthMode_sendX509);
#ifdef MONGO_SSL
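Review bot: The added guard `if (sslMode == SSLGlobalParams::SSLMode_disabled || sslMode == SSLGlobalParams::SSLMode_allowSSL)` lists the modes to reject, so any SSLMode value introduced later would pass it and permit sendX509 without outgoing SSL. Listing the accepted modes instead fails closed: `if (sslMode != SSLGlobalParams::SSLMode_preferSSL && sslMode != SSLGlobalParams::SSLMode_requireSSL) {`. The allowSSL check added in the ssl_options.cpp hunk has the same shape. The new lines also use `sslGlobalParams` above the `#ifdef MONGO_SSL` that follows, so it is worth confirming the symbol is declared in builds without MONGO_SSL. The enclosing function starts and ends outside this hunk, so whether the later transition to x509 needs an equivalent check cannot be seen here.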
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 8a75a7b36b9..64aa2c2b878 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -201,11 +201,17 @@ namespace mongo {
if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
- if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_disabled){
+ if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_disabled) {
return Status(ErrorCodes::BadValue, "need to enable SSL via the sslMode flag");
+ }
+ }
+ if (sslGlobalParams.sslMode.load() == SSLGlobalParams::SSLMode_allowSSL) {
+ if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
+ clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
+ return Status(ErrorCodes::BadValue,
+ "cannot have x.509 cluster authentication in allowSSL mode");
}
}
-
return Status::OK();
}
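Review bot: `sslGlobalParams.sslMode.load()` is now read twice in this validation, once for the disabled check and again for the allowSSL check, so the two checks are not guaranteed to see the same value. Reading it once into a local, `const int sslMode = sslGlobalParams.sslMode.load();`, as the parameters.cpp hunk does, keeps them consistent. The rule that x.509 cluster authentication needs SSL on outgoing connections is also now written separately here and in parameters.cpp, with different conditions and messages. A shared helper would keep what appear to be the startup and runtime checks from drifting apart. The enclosing function begins outside this hunk.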