-rw-r--r-- | src/mongo/util/net/message_port.cpp | 15 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 12 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 2 |
3 files changed, 28 insertions, 1 deletions
diff --git a/src/mongo/util/net/message_port.cpp b/src/mongo/util/net/message_port.cpp
index 505f1d0ef35..0f4f543087e 100644
--- a/src/mongo/util/net/message_port.cpp
+++ b/src/mongo/util/net/message_port.cpp
@@ -134,9 +134,22 @@ bool MessagingPort::recv(Message& m) {
 goto again;
 }
+
+ auto sslMode = sslGlobalParams.sslMode.load();
+
 uassert(17189,
 "The server is configured to only allow SSL connections",
- sslGlobalParams.sslMode.load() != SSLParams::SSLMode_requireSSL);
+ sslMode != SSLParams::SSLMode_requireSSL);
+
+ // For users attempting to upgrade their applications from no SSL to SSL, provide
+ // information about connections that still aren't using SSL (but only once per
+ // connection)
+ if (!sslGlobalParams.disableNonSSLConnectionLogging &&
+ (sslMode == SSLParams::SSLMode_preferSSL)) {
+ LOG(0) << "SSL mode is set to 'preferred' and connection " << _connectionId
+ << " to " << remote() << " is not using SSL.";
+ }
+
 #endif // MONGO_CONFIG_SSL
 }
 if (static_cast<size_t>(len) < sizeof(header) ||
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 75aaba0394d..4b80ad3cfab 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -43,6 +43,7 @@
 #include "mongo/base/init.h"
 #include "mongo/bson/bsonobjbuilder.h"
 #include "mongo/config.h"
+#include "mongo/db/server_parameters.h"
 #include "mongo/platform/atomic_word.h"
 #include "mongo/stdx/memory.h"
 #include "mongo/transport/session.h"
@@ -73,6 +74,7 @@
 #endif
 namespace mongo {
+
 namespace {
 const transport::Session::Decoration<SSLPeerInfo> peerInfoForSession =
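Review bot: The "only once per connection" promise in the new comment is not established by anything inside this hunk: the logging `if` sits in `MessagingPort::recv`, whose body begins and ends outside the hunk, so whether the line fires once or on every message depends on the surrounding guard a reader of this block cannot see. Any peer can trigger the LOG(0) line simply by opening a plaintext connection while the server is in preferSSL mode, so a busy deployment with many legacy clients will emit one log line per such connection, and the new disableNonSSLConnectionLogging parameter is the only way to quiet it. Loading `sslMode` once into a local and using it for both the uassert and the log is a good change, since the two checks now see the same value. Consider making the volume trade-off explicit in the comment, e.g. `// Emitted at default verbosity, intended to fire once per plaintext connection; operators with many non-SSL clients can suppress it with --setParameter disableNonSSLConnectionLogging=true.`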
@@ -90,6 +92,16 @@ const SSLParams& getSSLGlobalParams() {
 return sslGlobalParams;
 }
+/**
+ * Configurable via --setParameter disableNonSSLConnectionLogging=true. If false (default)
+ * if the sslMode is set to preferSSL, we will log connections that are not using SSL.
+ * If true, such log messages will be suppressed.
+ */
+ExportedServerParameter<bool, ServerParameterType::kStartupOnly>
+ disableNonSSLConnectionLoggingParameter(ServerParameterSet::getGlobal(),
+ "disableNonSSLConnectionLogging",
+ &sslGlobalParams.disableNonSSLConnectionLogging);
+
 #ifdef MONGO_CONFIG_SSL
 // Old copies of OpenSSL will not have constants to disable protocols they don't support.
 // Define them to values we can OR together safely to generically disable these protocols across
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index ef845c5207f..aef2860093b 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -57,6 +57,8 @@ struct SSLParams {
 bool sslFIPSMode = false; // --sslFIPSMode
 bool sslAllowInvalidCertificates = false; // --sslAllowInvalidCertificates
 bool sslAllowInvalidHostnames = false; // --sslAllowInvalidHostnames
+ bool disableNonSSLConnectionLogging =
+ false; // --setParameter disableNonSSLConnectionLogging=true
 SSLParams() {
 sslMode.store(SSLMode_disabled); |
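Review bot: The doc comment on the new `disableNonSSLConnectionLoggingParameter` reads awkwardly ("If false (default) if the sslMode is set to preferSSL ...") and should state each value's effect directly: `* If false (the default) and sslMode is preferSSL, each connection that is not using SSL is logged.` followed by `* If true, those log lines are suppressed.` Registering it as `kStartupOnly` is the right fit, because the backing field added in the ssl_options.h hunk is a plain `bool` that the connection path reads without synchronization; if the parameter is ever made runtime-settable, that field would need to become an atomic read via `.load()` like `sslMode` is. In ssl_options.h the wrapped `false; // --setParameter disableNonSSLConnectionLogging=true` line also breaks the column-aligned `// --flag` pattern of its siblings; keeping the initializer on one line and accepting a longer trailing comment would preserve that layout.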