-rwxr-xr-xbuildscripts/smoke.py3
-rw-r--r--jstests/ssl/ssl_force.js26
-rw-r--r--jstests/ssl/ssl_weak.js42
-rw-r--r--src/mongo/client/dbclient.cpp2
-rw-r--r--src/mongo/db/cmdline.cpp12
-rw-r--r--src/mongo/db/cmdline.h2
-rw-r--r--src/mongo/util/net/listen.cpp2
-rw-r--r--src/mongo/util/net/ssl_manager.cpp10
-rw-r--r--src/mongo/util/net/ssl_manager.h8
9 files changed, 62 insertions, 45 deletions
diff --git a/buildscripts/smoke.py b/buildscripts/smoke.py
index 8f5b2a70564..28451cbf7d4 100755
--- a/buildscripts/smoke.py
+++ b/buildscripts/smoke.py
@@ -217,7 +217,8 @@ class mongod(object):
if self.kwargs.get('use_ssl'):
argv += ['--sslOnNormalPorts',
'--sslPEMKeyFile', 'jstests/libs/server.pem',
- '--sslCAFile', 'jstests/libs/ca.pem']
+ '--sslCAFile', 'jstests/libs/ca.pem',
+ '--sslWeakCertificateValidation']
print "running " + " ".join(argv)
self.proc = self._start(buildlogger(argv, is_global=True))
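Review bot: The added `'--sslWeakCertificateValidation'` argument puts every SSL-enabled mongod the harness starts into the permissive mode, so the strict default introduced by this commit is only exercised by tests that start their own server; nothing on the line says why the harness needs it. A short comment would stop someone from "cleaning it up" later, e.g. `# most jstests connect without a client cert, so run the harness mongod in permissive mode` above the `argv +=` line. The enclosing method continues outside the hunk.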
diff --git a/jstests/ssl/ssl_force.js b/jstests/ssl/ssl_force.js
deleted file mode 100644
index 778d7e1fd5a..00000000000
--- a/jstests/ssl/ssl_force.js
+++ /dev/null
@@ -1,26 +0,0 @@
-// Test forcing certificate validation
-// This tests that forcing certification validation will prohibit clients without certificates
-// from connecting.
-port = allocatePorts( 1 )[ 0 ];
-var baseName = "jstests_ssl_ssl_force";
-
-
-var md = startMongod( "--port", port, "--dbpath", "/data/db/" + baseName, "--sslOnNormalPorts",
- "--sslPEMKeyFile", "jstests/libs/server.pem",
- "--sslCAFile", "jstests/libs/ca.pem",
- "--sslForceCertificateValidation");
-
-
-var mongo = runMongoProgram("mongo", "--port", port, "--ssl",
- "--eval", ";");
-
-// 1 is the exit code for failure
-assert(mongo==1);
-
-
-var mongo = runMongoProgram("mongo", "--port", port, "--ssl",
- "--sslPEMKeyFile", "jstests/libs/client.pem",
- "--eval", ";");
-
-// 0 is the exit code for success
-assert(mongo==0);
diff --git a/jstests/ssl/ssl_weak.js b/jstests/ssl/ssl_weak.js
new file mode 100644
index 00000000000..8bab70b4d7d
--- /dev/null
+++ b/jstests/ssl/ssl_weak.js
@@ -0,0 +1,42 @@
+// Test forcing certificate validation
+// This tests that forcing certification validation will prohibit clients without certificates
+// from connecting.
+ports = allocatePorts( 2 );
+
+var baseName = "jstests_ssl_ssl_weak";
+
+
+// Test that connecting with no client certificate and --sslWeakCertificateValidation connects
+// successfully.
+var md = startMongod( "--port", ports[0], "--dbpath", "/data/db/" + baseName, "--sslOnNormalPorts",
+ "--sslPEMKeyFile", "jstests/libs/server.pem",
+ "--sslCAFile", "jstests/libs/ca.pem",
+ "--sslWeakCertificateValidation");
+
+var mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl",
+ "--eval", ";");
+
+// 0 is the exit code for success
+assert(mongo==0);
+
+
+// Test that connecting with a valid client certificate connects successfully.
+mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl",
+ "--sslPEMKeyFile", "jstests/libs/client.pem",
+ "--eval", ";");
+
+// 0 is the exit code for success
+assert(mongo==0);
+
+
+// Test that connecting with no client certificate and no --sslWeakCertificateValidation fails to
+// connect.
+var md2 = startMongod( "--port", ports[1], "--dbpath", "/data/db/" + baseName, "--sslOnNormalPorts",
+ "--sslPEMKeyFile", "jstests/libs/server.pem",
+ "--sslCAFile", "jstests/libs/ca.pem");
+
+mongo = runMongoProgram("mongo", "--port", ports[1], "--ssl",
+ "--eval", ";");
+
+// 1 is the exit code for failure
+assert(mongo==1);
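Review bot: Both mongod instances are started on the same directory, `"/data/db/" + baseName` (the startMongod calls for ports[0] and ports[1]), and `md` is never stopped before `md2` is started; unless startMongod shuts the previous server down, the second one would presumably fail to start on the already-locked dbpath, and the closing `assert(mongo==1)` would then pass for the wrong reason. Give the strict server its own directory, e.g. `"--dbpath", "/data/db/" + baseName + "_strict"`, or stop `md` first, and consider checking the rejection reason rather than only an exit code of 1. The three-line header comment was carried over from ssl_force.js and describes the opposite behaviour; replace it with something like `// Test --sslWeakCertificateValidation: clients that present no certificate are accepted only when the flag is set, and rejected otherwise.`.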
diff --git a/src/mongo/client/dbclient.cpp b/src/mongo/client/dbclient.cpp
index db3955e357c..3ee952bcf8e 100644
--- a/src/mongo/client/dbclient.cpp
+++ b/src/mongo/client/dbclient.cpp
@@ -1290,7 +1290,7 @@ namespace mongo {
cmdLine.sslPEMKeyPassword,
cmdLine.sslCAFile,
cmdLine.sslCRLFile,
- cmdLine.sslForceCertificateValidation);
+ cmdLine.sslWeakCertificateValidation);
s_sslMgr = new SSLManager(params);
diff --git a/src/mongo/db/cmdline.cpp b/src/mongo/db/cmdline.cpp
index 40c57e7daf7..bff62741947 100644
--- a/src/mongo/db/cmdline.cpp
+++ b/src/mongo/db/cmdline.cpp
@@ -103,7 +103,7 @@ namespace {
"Certificate Authority file for SSL")
("sslCRLFile", po::value<std::string>(&cmdLine.sslCRLFile),
"Certificate Revocation List file for SSL")
- ("sslForceCertificateValidation", "require each client to present a valid certificate")
+ ("sslWeakCertificateValidation", "allow client to connect without presenting a certificate")
#endif
;
@@ -406,8 +406,8 @@ namespace {
}
#ifdef MONGO_SSL
- if (params.count("sslForceCertificateValidation")) {
- cmdLine.sslForceCertificateValidation = true;
+ if (params.count("sslWeakCertificateValidation")) {
+ cmdLine.sslWeakCertificateValidation = true;
}
if (params.count("sslOnNormalPorts")) {
cmdLine.sslOnNormalPorts = true;
@@ -415,9 +415,9 @@ namespace {
log() << "need sslPEMKeyFile" << endl;
return false;
}
- if (cmdLine.sslForceCertificateValidation &&
+ if (cmdLine.sslWeakCertificateValidation &&
cmdLine.sslCAFile.empty()) {
- log() << "need sslCAFile with sslForceCertificateValidation" << endl;
+ log() << "need sslCAFile with sslWeakCertificateValidation" << endl;
return false;
}
}
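Review bot: The renamed check still only guards the permissive combination (weak mode without a CA file), while the real operational change in this commit is the default: a deployment that already runs with --sslCAFile will, presumably once SSLManager enables validation for that CA, start rejecting every client that presents no certificate, and neither the option help nor the startup log says so. Log it explicitly in this branch, e.g. `if (!cmdLine.sslWeakCertificateValidation && !cmdLine.sslCAFile.empty()) log() << "sslCAFile set without sslWeakCertificateValidation: clients must present a valid certificate" << endl;`. Whether validation is actually skipped when no CA file is configured is decided in SSLManager, outside this hunk, so the exact condition should be confirmed there. The enclosing option-parsing function starts and ends outside the hunk.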
@@ -425,7 +425,7 @@ namespace {
cmdLine.sslPEMKeyPassword.size() ||
cmdLine.sslCAFile.size() ||
cmdLine.sslCRLFile.size() ||
- cmdLine.sslForceCertificateValidation) {
+ cmdLine.sslWeakCertificateValidation) {
log() << "need to enable sslOnNormalPorts" << endl;
return false;
}
diff --git a/src/mongo/db/cmdline.h b/src/mongo/db/cmdline.h
index 9e7b7d31369..a2885477fd7 100644
--- a/src/mongo/db/cmdline.h
+++ b/src/mongo/db/cmdline.h
@@ -137,7 +137,7 @@ namespace mongo {
std::string sslPEMKeyPassword; // --sslPEMKeyPassword
std::string sslCAFile; // --sslCAFile
std::string sslCRLFile; // --sslCRLFile
- bool sslForceCertificateValidation;
+ bool sslWeakCertificateValidation;
#endif
/**
diff --git a/src/mongo/util/net/listen.cpp b/src/mongo/util/net/listen.cpp
index abf23062735..0ff9dfe8964 100644
--- a/src/mongo/util/net/listen.cpp
+++ b/src/mongo/util/net/listen.cpp
@@ -102,7 +102,7 @@ namespace mongo {
cmdLine.sslPEMKeyPassword,
cmdLine.sslCAFile,
cmdLine.sslCRLFile,
- cmdLine.sslForceCertificateValidation);
+ cmdLine.sslWeakCertificateValidation);
_ssl = new SSLManager(params);
}
#endif
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index a177e6fad56..283e6789b55 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -105,7 +105,7 @@ namespace mongo {
SSLManager::SSLManager(const SSLParams& params) :
_validateCertificates(false),
- _forceValidation(params.forceCertificateValidation) {
+ _weakValidation(params.weakCertificateValidation) {
SSL_library_init();
SSL_load_error_strings();
ERR_load_crypto_strings();
@@ -259,12 +259,12 @@ namespace mongo {
X509* cert = SSL_get_peer_certificate(ssl);
if (cert == NULL) { // no certificate presented by peer
- if (_forceValidation) {
- error() << "no SSL certificate provided by peer; connection rejected" << endl;
- throw SocketException(SocketException::CONNECT_ERROR, "");
+ if (_weakValidation) {
+ error() << "no SSL certificate provided by peer" << endl;
}
else {
- error() << "no SSL certificate provided by peer" << endl;
+ error() << "no SSL certificate provided by peer; connection rejected" << endl;
+ throw SocketException(SocketException::CONNECT_ERROR, "");
}
return;
}
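Review bot: In the permissive branch a missing client certificate is now an accepted condition, yet it is still logged through error() on every such connection, which turns the common case under --sslWeakCertificateValidation into a stream of error-level entries; downgrade it, e.g. `log() << "no SSL certificate provided by peer; accepting (sslWeakCertificateValidation)" << endl;`. In the rejecting branch the thrown SocketException carries an empty message, so the caller cannot distinguish this rejection from other CONNECT_ERRORs — pass the reason, `throw SocketException(SocketException::CONNECT_ERROR, "no SSL certificate provided by peer");`. The enclosing peer-certificate routine starts and ends outside the hunk, so whether the non-null `cert` is X509_free'd afterwards cannot be checked here.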
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index 4f79960f958..354f5f0abb4 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -31,18 +31,18 @@ namespace mongo {
const std::string& pempwd,
const std::string& cafile = "",
const std::string& crlfile = "",
- bool forceCertificateValidation = false) :
+ bool weakCertificateValidation = false) :
pemfile(pemfile),
pempwd(pempwd),
cafile(cafile),
crlfile(crlfile),
- forceCertificateValidation(forceCertificateValidation) {};
+ weakCertificateValidation(weakCertificateValidation) {};
std::string pemfile;
std::string pempwd;
std::string cafile;
std::string crlfile;
- bool forceCertificateValidation;
+ bool weakCertificateValidation;
};
class SSLManager {
@@ -80,7 +80,7 @@ namespace mongo {
SSL_CTX* _context;
std::string _password;
bool _validateCertificates;
- bool _forceValidation;
+ bool _weakValidation;
/**
* creates an SSL context to be used for this file descriptor.
* caller must SSL_free it.