-rw-r--r-- | jstests/ssl/ssl_crl.js | 4 | ||||
-rw-r--r-- | jstests/ssl/ssl_weak.js | 6 | ||||
-rw-r--r-- | jstests/ssl/upgrade_to_ssl.js | 3 | ||||
-rw-r--r-- | src/mongo/shell/shell_options.cpp | 9 | ||||
-rw-r--r-- | src/mongo/shell/shell_options.h | 2 | ||||
-rw-r--r-- | src/mongo/shell/shell_options_init.cpp | 5 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 12 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 6 |
8 files changed, 41 insertions, 6 deletions
diff --git a/jstests/ssl/ssl_crl.js b/jstests/ssl/ssl_crl.js
index 0500a73ecbc..0d4bf0f4200 100644
--- a/jstests/ssl/ssl_crl.js
+++ b/jstests/ssl/ssl_crl.js
@@ -18,7 +18,7 @@ var md = startMongod("--port", port1, "--dbpath",
 "--sslCRLFile", "jstests/libs/crl.pem");
-var mongo = runMongoProgram("mongo", "--port", port1, "--ssl",
+var mongo = runMongoProgram("mongo", "--port", port1, "--ssl", "--sslAllowInvalidCertificates",
 "--sslPEMKeyFile", "jstests/libs/client.pem", "--eval", ";");
@@ -34,7 +34,7 @@ md = startMongod("--port", port2, "--dbpath", MongoRunner.dataPath + baseName +
 "--sslCRLFile", "jstests/libs/crl_expired.pem");
-mongo = runMongoProgram("mongo", "--port", port2, "--ssl",
+mongo = runMongoProgram("mongo", "--port", port2, "--ssl", "--sslAllowInvalidCertificates",
 "--sslPEMKeyFile", "jstests/libs/client.pem", "--eval", ";");
diff --git a/jstests/ssl/ssl_weak.js b/jstests/ssl/ssl_weak.js
index d18500842a2..25e2e442549 100644
--- a/jstests/ssl/ssl_weak.js
+++ b/jstests/ssl/ssl_weak.js
@@ -14,14 +14,14 @@ var md = startMongod( "--port", ports[0], "--dbpath", MongoRunner.dataPath + bas
 "--sslCAFile", "jstests/libs/ca.pem", "--sslAllowConnectionsWithoutCertificates");
-var mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl",
+var mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalidCertificates",
 "--eval", ";");
 // 0 is the exit code for success
 assert(mongo==0);
 // Test that connecting with a valid client certificate connects successfully.
-mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl",
+mongo = runMongoProgram("mongo", "--port", ports[0], "--ssl", "--sslAllowInvalidCertificates",
 "--sslPEMKeyFile", "jstests/libs/client.pem", "--eval", ";");
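Review bot: The shell invocations in this hunk switch off server-certificate verification with `--sslAllowInvalidCertificates` instead of pointing the shell at the test CA, so the client side of these tests no longer verifies anything; the same applies to the second ssl_crl.js hunk and to the ssl_weak.js and upgrade_to_ssl.js hunks. The ssl_weak.js hunk shows the server already being started with `"--sslCAFile", "jstests/libs/ca.pem"`, so the shell could be given the same file, e.g. `"--ssl", "--sslCAFile", "jstests/libs/ca.pem",` — provided the server certificates under jstests/libs are issued by that CA and match the test host, which this diff does not show. Reserving the opt-out for the cases that genuinely need it keeps these tests from establishing the verification-disabling flag as the default shell invocation.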
@@ -36,7 +36,7 @@ var md2 = startMongod( "--port", ports[1], "--dbpath", MongoRunner.dataPath + ba
 "--sslPEMKeyFile", "jstests/libs/server.pem", "--sslCAFile", "jstests/libs/ca.pem");
-mongo = runMongoProgram("mongo", "--port", ports[1], "--ssl",
+mongo = runMongoProgram("mongo", "--port", ports[1], "--ssl", "--sslAllowInvalidCertificates",
 "--eval", ";");
 // 1 is the exit code for failure
diff --git a/jstests/ssl/upgrade_to_ssl.js b/jstests/ssl/upgrade_to_ssl.js
index 3b179cec613..e43162246a2 100644
--- a/jstests/ssl/upgrade_to_ssl.js
+++ b/jstests/ssl/upgrade_to_ssl.js
@@ -39,5 +39,6 @@ rstConn3.getDB("test").a.insert({a:3, str:"GREENEGGSANDHAM"});
 assert.eq(3, rstConn3.getDB("test").a.count(), "Error interacting with replSet");
 // Check that ssl connections can be made
-var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0], "--ssl", "--eval", ";");
+var canConnectSSL = runMongoProgram("mongo", "--port", rst.ports[0],
+ "--ssl", "--sslAllowInvalidCertificates", "--eval", ";");
 assert.eq(0, canConnectSSL, "SSL Connection attempt failed when it should succeed");
diff --git a/src/mongo/shell/shell_options.cpp b/src/mongo/shell/shell_options.cpp
index 906b0b8a106..117661c2f00 100644
--- a/src/mongo/shell/shell_options.cpp
+++ b/src/mongo/shell/shell_options.cpp
@@ -290,4 +290,13 @@ namespace mongo {
 return Status::OK();
 }
+ Status validateMongoShellOptions(const moe::Environment& params) {
+#ifdef MONGO_SSL
+ Status ret = validateSSLMongoShellOptions(params);
+ if (!ret.isOK()) {
+ return ret;
+ }
+#endif
+ return Status::OK();
+ }
 }
diff --git a/src/mongo/shell/shell_options.h b/src/mongo/shell/shell_options.h
index 1d4a74a8f34..4652d965bbd 100644
--- a/src/mongo/shell/shell_options.h
+++ b/src/mongo/shell/shell_options.h
@@ -88,4 +88,6 @@ namespace mongo {
 Status storeMongoShellOptions(const moe::Environment& params,
 const std::vector<std::string>& args);
+
+ Status validateMongoShellOptions(const moe::Environment& params);
 }
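Review bot: The new `validateMongoShellOptions` declaration in shell_options.h carries no doc comment, while the sibling declaration `validateSSLMongoShellOptions` added to ssl_options.h in this same commit does; add one above it, e.g. `/** Validates the parsed shell options for conflicts; when built with MONGO_SSL this runs the SSL option checks, otherwise it always returns OK. */`. That the function is a no-op without MONGO_SSL is visible in the shell_options.cpp hunk, and the comment should say so rather than leave callers to read the definition. The enclosing namespace mongo opens outside the hunk.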
diff --git a/src/mongo/shell/shell_options_init.cpp b/src/mongo/shell/shell_options_init.cpp
index 942ebaf0810..bfbdf8188e2 100644
--- a/src/mongo/shell/shell_options_init.cpp
+++ b/src/mongo/shell/shell_options_init.cpp
@@ -44,6 +44,11 @@ namespace mongo {
 if (!ret.isOK()) {
 return ret;
 }
+ ret = validateMongoShellOptions(moe::startupOptionsParsed);
+ if (!ret.isOK()) {
+ return ret;
+ }
+
 return Status::OK();
 }
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 6e83c17e87d..e786cb63f38 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -329,4 +329,16 @@ namespace mongo {
 return Status::OK();
 }
+ Status validateSSLMongoShellOptions(const moe::Environment& params) {
+ // Users must specify either a CAFile or allowInvalidCertificates if ssl=true.
+ if (params.count("ssl") &&
+ params["ssl"].as<bool>() == true &&
+ !params.count("ssl.CAFile") &&
+ !params.count("ssl.allowInvalidCertificates")) {
+ return Status(ErrorCodes::BadValue,
+ "need to either provide sslCAFile or specify sslAllowInvalidCertificates");
+ }
+ return Status::OK();
+ }
+
 } // namespace mongo
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 3fd9d2abeb7..78ee2b899bf 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -98,4 +98,10 @@ namespace mongo {
 Status validateSSLServerOptions(const moe::Environment& params);
 Status storeSSLClientOptions(const moe::Environment& params);
+
+ /**
+ * Used by the Mongo shell to validate that the SSL options passed are acceptable and
+ * do not conflict with one another.
+ */
+ Status validateSSLMongoShellOptions(const moe::Environment& params);
 }
|
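Review bot: `validateSSLMongoShellOptions` compares `ssl` by value but only tests the presence of `ssl.allowInvalidCertificates`, so if that option can carry a value (for instance an explicit `false` in a config file) a user who asked for verification without supplying a CA file would pass the very check meant to reject that combination; presumably the option is a plain switch on the command line, but that is not visible here. Checking the value keeps the two conditions consistent: `!(params.count("ssl.allowInvalidCertificates") && params["ssl.allowInvalidCertificates"].as<bool>())`. The `== true` in `params["ssl"].as<bool>() == true` is redundant and can be dropped. The enclosing namespace mongo opens outside the hunk.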
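Review bot: The new doc comment on `validateSSLMongoShellOptions` in ssl_options.h says the options must be "acceptable" and "not conflict" without naming the rule, which the definition in the ssl_options.cpp hunk makes concrete. State it so callers do not have to read the implementation, e.g. `* Rejects ssl=true unless ssl.CAFile or ssl.allowInvalidCertificates is also given.` as an additional line of the comment. The enclosing namespace mongo opens outside the hunk.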