summaryrefslogtreecommitdiff
path: root/src/mongo/util/net/ssl_options.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'src/mongo/util/net/ssl_options.cpp')
-rw-r--r--src/mongo/util/net/ssl_options.cpp626
1 files changed, 317 insertions, 309 deletions
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index a8cf9646bef..881718179a4 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -41,348 +41,356 @@
namespace mongo {
- using std::string;
-
- Status addSSLServerOptions(moe::OptionSection* options) {
- options->addOptionChaining("net.ssl.sslOnNormalPorts", "sslOnNormalPorts", moe::Switch,
- "use ssl on configured ports")
- .setSources(moe::SourceAllLegacy)
- .incompatibleWith("net.ssl.mode");
-
- options->addOptionChaining("net.ssl.mode", "sslMode", moe::String,
- "set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL)");
-
- options->addOptionChaining("net.ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
- "PEM file for ssl");
-
- options->addOptionChaining("net.ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String,
- "PEM file password")
- .setImplicit(moe::Value(std::string("")));
-
- options->addOptionChaining("net.ssl.clusterFile", "sslClusterFile", moe::String,
- "Key file for internal SSL authentication");
-
- options->addOptionChaining("net.ssl.clusterPassword", "sslClusterPassword", moe::String,
- "Internal authentication key file password")
- .setImplicit(moe::Value(std::string("")));
-
- options->addOptionChaining("net.ssl.CAFile", "sslCAFile", moe::String,
- "Certificate Authority file for SSL");
-
- options->addOptionChaining("net.ssl.CRLFile", "sslCRLFile", moe::String,
- "Certificate Revocation List file for SSL");
-
- options->addOptionChaining("net.ssl.sslCipherConfig", "sslCipherConfig", moe::String,
- "OpenSSL cipher configuration string")
- .hidden();
-
- options->addOptionChaining("net.ssl.disabledProtocols", "sslDisabledProtocols", moe::String,
- "Comma separated list of disabled protocols")
- .hidden();
-
- options->addOptionChaining("net.ssl.weakCertificateValidation",
- "sslWeakCertificateValidation", moe::Switch, "allow client to connect without "
- "presenting a certificate");
-
- // Alias for --sslWeakCertificateValidation.
- options->addOptionChaining("net.ssl.allowConnectionsWithoutCertificates",
- "sslAllowConnectionsWithoutCertificates", moe::Switch,
- "allow client to connect without presenting a certificate");
-
- options->addOptionChaining("net.ssl.allowInvalidHostnames", "sslAllowInvalidHostnames",
- moe::Switch, "Allow server certificates to provide non-matching hostnames");
-
- options->addOptionChaining("net.ssl.allowInvalidCertificates", "sslAllowInvalidCertificates",
- moe::Switch, "allow connections to servers with invalid certificates");
-
- options->addOptionChaining("net.ssl.FIPSMode", "sslFIPSMode", moe::Switch,
- "activate FIPS 140-2 mode at startup");
-
- return Status::OK();
- }
-
- Status addSSLClientOptions(moe::OptionSection* options) {
- options->addOptionChaining("ssl", "ssl", moe::Switch, "use SSL for all connections");
-
- options->addOptionChaining("ssl.CAFile", "sslCAFile", moe::String,
- "Certificate Authority file for SSL")
- .requires("ssl");
-
- options->addOptionChaining("ssl.PEMKeyFile", "sslPEMKeyFile", moe::String,
- "PEM certificate/key file for SSL")
- .requires("ssl");
-
- options->addOptionChaining("ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String,
- "password for key in PEM file for SSL")
- .requires("ssl");
-
- options->addOptionChaining("ssl.CRLFile", "sslCRLFile", moe::String,
- "Certificate Revocation List file for SSL")
- .requires("ssl")
- .requires("ssl.CAFile");
-
- options->addOptionChaining("net.ssl.disabledProtocols", "sslDisabledProtocols", moe::String,
- "Comma separated list of disabled protocols")
- .requires("ssl")
- .hidden();
-
- options->addOptionChaining("net.ssl.allowInvalidHostnames", "sslAllowInvalidHostnames",
- moe::Switch, "allow connections to servers with non-matching hostnames")
- .requires("ssl");
-
- options->addOptionChaining("ssl.allowInvalidCertificates", "sslAllowInvalidCertificates",
- moe::Switch, "allow connections to servers with invalid certificates")
- .requires("ssl");
-
- options->addOptionChaining("ssl.FIPSMode", "sslFIPSMode", moe::Switch,
- "activate FIPS 140-2 mode at startup")
- .requires("ssl");
-
- return Status::OK();
- }
-
- Status validateSSLServerOptions(const moe::Environment& params) {
+using std::string;
+
+Status addSSLServerOptions(moe::OptionSection* options) {
+ options->addOptionChaining("net.ssl.sslOnNormalPorts",
+ "sslOnNormalPorts",
+ moe::Switch,
+ "use ssl on configured ports")
+ .setSources(moe::SourceAllLegacy)
+ .incompatibleWith("net.ssl.mode");
+
+ options->addOptionChaining(
+ "net.ssl.mode",
+ "sslMode",
+ moe::String,
+ "set the SSL operation mode (disabled|allowSSL|preferSSL|requireSSL)");
+
+ options->addOptionChaining(
+ "net.ssl.PEMKeyFile", "sslPEMKeyFile", moe::String, "PEM file for ssl");
+
+ options->addOptionChaining(
+ "net.ssl.PEMKeyPassword", "sslPEMKeyPassword", moe::String, "PEM file password")
+ .setImplicit(moe::Value(std::string("")));
+
+ options->addOptionChaining("net.ssl.clusterFile",
+ "sslClusterFile",
+ moe::String,
+ "Key file for internal SSL authentication");
+
+ options->addOptionChaining("net.ssl.clusterPassword",
+ "sslClusterPassword",
+ moe::String,
+ "Internal authentication key file password")
+ .setImplicit(moe::Value(std::string("")));
+
+ options->addOptionChaining(
+ "net.ssl.CAFile", "sslCAFile", moe::String, "Certificate Authority file for SSL");
+
+ options->addOptionChaining(
+ "net.ssl.CRLFile", "sslCRLFile", moe::String, "Certificate Revocation List file for SSL");
+
+ options->addOptionChaining("net.ssl.sslCipherConfig",
+ "sslCipherConfig",
+ moe::String,
+ "OpenSSL cipher configuration string").hidden();
+
+ options->addOptionChaining("net.ssl.disabledProtocols",
+ "sslDisabledProtocols",
+ moe::String,
+ "Comma separated list of disabled protocols").hidden();
+
+ options->addOptionChaining("net.ssl.weakCertificateValidation",
+ "sslWeakCertificateValidation",
+ moe::Switch,
+ "allow client to connect without "
+ "presenting a certificate");
+
+ // Alias for --sslWeakCertificateValidation.
+ options->addOptionChaining("net.ssl.allowConnectionsWithoutCertificates",
+ "sslAllowConnectionsWithoutCertificates",
+ moe::Switch,
+ "allow client to connect without presenting a certificate");
+
+ options->addOptionChaining("net.ssl.allowInvalidHostnames",
+ "sslAllowInvalidHostnames",
+ moe::Switch,
+ "Allow server certificates to provide non-matching hostnames");
+
+ options->addOptionChaining("net.ssl.allowInvalidCertificates",
+ "sslAllowInvalidCertificates",
+ moe::Switch,
+ "allow connections to servers with invalid certificates");
+
+ options->addOptionChaining(
+ "net.ssl.FIPSMode", "sslFIPSMode", moe::Switch, "activate FIPS 140-2 mode at startup");
+
+ return Status::OK();
+}
+
+Status addSSLClientOptions(moe::OptionSection* options) {
+ options->addOptionChaining("ssl", "ssl", moe::Switch, "use SSL for all connections");
+
+ options->addOptionChaining(
+ "ssl.CAFile", "sslCAFile", moe::String, "Certificate Authority file for SSL")
+ .requires("ssl");
+
+ options->addOptionChaining(
+ "ssl.PEMKeyFile", "sslPEMKeyFile", moe::String, "PEM certificate/key file for SSL")
+ .requires("ssl");
+
+ options->addOptionChaining("ssl.PEMKeyPassword",
+ "sslPEMKeyPassword",
+ moe::String,
+ "password for key in PEM file for SSL").requires("ssl");
+
+ options->addOptionChaining("ssl.CRLFile",
+ "sslCRLFile",
+ moe::String,
+ "Certificate Revocation List file for SSL")
+ .requires("ssl")
+ .requires("ssl.CAFile");
+
+ options->addOptionChaining("net.ssl.disabledProtocols",
+ "sslDisabledProtocols",
+ moe::String,
+ "Comma separated list of disabled protocols")
+ .requires("ssl")
+ .hidden();
+
+ options->addOptionChaining("net.ssl.allowInvalidHostnames",
+ "sslAllowInvalidHostnames",
+ moe::Switch,
+ "allow connections to servers with non-matching hostnames")
+ .requires("ssl");
+
+ options->addOptionChaining("ssl.allowInvalidCertificates",
+ "sslAllowInvalidCertificates",
+ moe::Switch,
+ "allow connections to servers with invalid certificates")
+ .requires("ssl");
+
+ options->addOptionChaining(
+ "ssl.FIPSMode", "sslFIPSMode", moe::Switch, "activate FIPS 140-2 mode at startup")
+ .requires("ssl");
+
+ return Status::OK();
+}
+
+Status validateSSLServerOptions(const moe::Environment& params) {
#ifdef _WIN32
- if (params.count("install") || params.count("reinstall")) {
- if (params.count("net.ssl.PEMKeyFile") &&
- !boost::filesystem::path(params["net.ssl.PEMKeyFile"].as<string>()).is_absolute()) {
- return Status(ErrorCodes::BadValue,
- "PEMKeyFile requires an absolute file path with Windows services");
- }
-
- if (params.count("net.ssl.clusterFile") &&
- !boost::filesystem::path(
- params["net.ssl.clusterFile"].as<string>()).is_absolute()) {
- return Status(ErrorCodes::BadValue,
- "clusterFile requires an absolute file path with Windows services");
- }
-
- if (params.count("net.ssl.CAFile") &&
- !boost::filesystem::path(params["net.ssl.CAFile"].as<string>()).is_absolute()) {
- return Status(ErrorCodes::BadValue,
- "CAFile requires an absolute file path with Windows services");
- }
-
- if (params.count("net.ssl.CRLFile") &&
- !boost::filesystem::path(params["net.ssl.CRLFile"].as<string>()).is_absolute()) {
- return Status(ErrorCodes::BadValue,
- "CRLFile requires an absolute file path with Windows services");
- }
-
+ if (params.count("install") || params.count("reinstall")) {
+ if (params.count("net.ssl.PEMKeyFile") &&
+ !boost::filesystem::path(params["net.ssl.PEMKeyFile"].as<string>()).is_absolute()) {
+ return Status(ErrorCodes::BadValue,
+ "PEMKeyFile requires an absolute file path with Windows services");
}
-#endif
- return Status::OK();
- }
-
- Status canonicalizeSSLServerOptions(moe::Environment* params) {
+ if (params.count("net.ssl.clusterFile") &&
+ !boost::filesystem::path(params["net.ssl.clusterFile"].as<string>()).is_absolute()) {
+ return Status(ErrorCodes::BadValue,
+ "clusterFile requires an absolute file path with Windows services");
+ }
- if (params->count("net.ssl.sslOnNormalPorts") &&
- (*params)["net.ssl.sslOnNormalPorts"].as<bool>() == true) {
- Status ret = params->set("net.ssl.mode", moe::Value(std::string("requireSSL")));
- if (!ret.isOK()) {
- return ret;
- }
- ret = params->remove("net.ssl.sslOnNormalPorts");
- if (!ret.isOK()) {
- return ret;
- }
+ if (params.count("net.ssl.CAFile") &&
+ !boost::filesystem::path(params["net.ssl.CAFile"].as<string>()).is_absolute()) {
+ return Status(ErrorCodes::BadValue,
+ "CAFile requires an absolute file path with Windows services");
}
- return Status::OK();
+ if (params.count("net.ssl.CRLFile") &&
+ !boost::filesystem::path(params["net.ssl.CRLFile"].as<string>()).is_absolute()) {
+ return Status(ErrorCodes::BadValue,
+ "CRLFile requires an absolute file path with Windows services");
+ }
}
+#endif
- Status storeSSLServerOptions(const moe::Environment& params) {
+ return Status::OK();
+}
- if (params.count("net.ssl.mode")) {
- std::string sslModeParam = params["net.ssl.mode"].as<string>();
- if (sslModeParam == "disabled") {
- sslGlobalParams.sslMode.store(SSLParams::SSLMode_disabled);
- }
- else if (sslModeParam == "allowSSL") {
- sslGlobalParams.sslMode.store(SSLParams::SSLMode_allowSSL);
- }
- else if (sslModeParam == "preferSSL") {
- sslGlobalParams.sslMode.store(SSLParams::SSLMode_preferSSL);
- }
- else if (sslModeParam == "requireSSL") {
- sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
- }
- else {
- return Status(ErrorCodes::BadValue,
- "unsupported value for sslMode " + sslModeParam );
- }
+Status canonicalizeSSLServerOptions(moe::Environment* params) {
+ if (params->count("net.ssl.sslOnNormalPorts") &&
+ (*params)["net.ssl.sslOnNormalPorts"].as<bool>() == true) {
+ Status ret = params->set("net.ssl.mode", moe::Value(std::string("requireSSL")));
+ if (!ret.isOK()) {
+ return ret;
}
-
- if (params.count("net.ssl.PEMKeyFile")) {
- sslGlobalParams.sslPEMKeyFile = boost::filesystem::absolute(
- params["net.ssl.PEMKeyFile"].as<string>()).generic_string();
+ ret = params->remove("net.ssl.sslOnNormalPorts");
+ if (!ret.isOK()) {
+ return ret;
}
+ }
- if (params.count("net.ssl.PEMKeyPassword")) {
- sslGlobalParams.sslPEMKeyPassword = params["net.ssl.PEMKeyPassword"].as<string>();
+ return Status::OK();
+}
+
+Status storeSSLServerOptions(const moe::Environment& params) {
+ if (params.count("net.ssl.mode")) {
+ std::string sslModeParam = params["net.ssl.mode"].as<string>();
+ if (sslModeParam == "disabled") {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_disabled);
+ } else if (sslModeParam == "allowSSL") {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_allowSSL);
+ } else if (sslModeParam == "preferSSL") {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_preferSSL);
+ } else if (sslModeParam == "requireSSL") {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
+ } else {
+ return Status(ErrorCodes::BadValue, "unsupported value for sslMode " + sslModeParam);
}
+ }
- if (params.count("net.ssl.clusterFile")) {
- sslGlobalParams.sslClusterFile =
- boost::filesystem::absolute(
- params["net.ssl.clusterFile"].as<string>()).generic_string();
- }
+ if (params.count("net.ssl.PEMKeyFile")) {
+ sslGlobalParams.sslPEMKeyFile =
+ boost::filesystem::absolute(params["net.ssl.PEMKeyFile"].as<string>()).generic_string();
+ }
- if (params.count("net.ssl.clusterPassword")) {
- sslGlobalParams.sslClusterPassword = params["net.ssl.clusterPassword"].as<string>();
- }
+ if (params.count("net.ssl.PEMKeyPassword")) {
+ sslGlobalParams.sslPEMKeyPassword = params["net.ssl.PEMKeyPassword"].as<string>();
+ }
- if (params.count("net.ssl.CAFile")) {
- sslGlobalParams.sslCAFile = boost::filesystem::absolute(
- params["net.ssl.CAFile"].as<std::string>()).generic_string();
- }
+ if (params.count("net.ssl.clusterFile")) {
+ sslGlobalParams.sslClusterFile =
+ boost::filesystem::absolute(params["net.ssl.clusterFile"].as<string>())
+ .generic_string();
+ }
- if (params.count("net.ssl.CRLFile")) {
- sslGlobalParams.sslCRLFile = boost::filesystem::absolute(
- params["net.ssl.CRLFile"].as<std::string>()).generic_string();
- }
+ if (params.count("net.ssl.clusterPassword")) {
+ sslGlobalParams.sslClusterPassword = params["net.ssl.clusterPassword"].as<string>();
+ }
- if (params.count("net.ssl.sslCipherConfig")) {
- sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
- }
+ if (params.count("net.ssl.CAFile")) {
+ sslGlobalParams.sslCAFile =
+ boost::filesystem::absolute(params["net.ssl.CAFile"].as<std::string>())
+ .generic_string();
+ }
- if (params.count("net.ssl.disabledProtocols")) {
- std::vector<std::string> tokens = StringSplitter::split(
- params["net.ssl.disabledProtocols"].as<string>(), ",");
-
- const std::map<std::string, SSLParams::Protocols> validConfigs {
- {"noTLS1_0", SSLParams::Protocols::TLS1_0},
- {"noTLS1_1", SSLParams::Protocols::TLS1_1},
- {"noTLS1_2", SSLParams::Protocols::TLS1_2}
- };
- for (const std::string& token : tokens) {
- auto mappedToken = validConfigs.find(token);
- if (mappedToken != validConfigs.end()) {
- sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
- } else {
- return Status(ErrorCodes::BadValue,
- "Unrecognized disabledProtocols '" + token +"'");
- }
- }
- }
+ if (params.count("net.ssl.CRLFile")) {
+ sslGlobalParams.sslCRLFile =
+ boost::filesystem::absolute(params["net.ssl.CRLFile"].as<std::string>())
+ .generic_string();
+ }
- if (params.count("net.ssl.weakCertificateValidation")) {
- sslGlobalParams.sslWeakCertificateValidation =
- params["net.ssl.weakCertificateValidation"].as<bool>();
- }
- else if (params.count("net.ssl.allowConnectionsWithoutCertificates")) {
- sslGlobalParams.sslWeakCertificateValidation =
- params["net.ssl.allowConnectionsWithoutCertificates"].as<bool>();
- }
- if (params.count("net.ssl.allowInvalidHostnames")) {
- sslGlobalParams.sslAllowInvalidHostnames =
- params["net.ssl.allowInvalidHostnames"].as<bool>();
- }
- if (params.count("net.ssl.allowInvalidCertificates")) {
- sslGlobalParams.sslAllowInvalidCertificates =
- params["net.ssl.allowInvalidCertificates"].as<bool>();
- }
- if (params.count("net.ssl.FIPSMode")) {
- sslGlobalParams.sslFIPSMode = params["net.ssl.FIPSMode"].as<bool>();
- }
+ if (params.count("net.ssl.sslCipherConfig")) {
+ sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
+ }
- int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
- if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) {
- if (sslGlobalParams.sslPEMKeyFile.size() == 0) {
- return Status(ErrorCodes::BadValue,
- "need sslPEMKeyFile when SSL is enabled");
- }
- if (sslGlobalParams.sslWeakCertificateValidation &&
- sslGlobalParams.sslCAFile.empty()) {
+ if (params.count("net.ssl.disabledProtocols")) {
+ std::vector<std::string> tokens =
+ StringSplitter::split(params["net.ssl.disabledProtocols"].as<string>(), ",");
+
+ const std::map<std::string, SSLParams::Protocols> validConfigs{
+ {"noTLS1_0", SSLParams::Protocols::TLS1_0},
+ {"noTLS1_1", SSLParams::Protocols::TLS1_1},
+ {"noTLS1_2", SSLParams::Protocols::TLS1_2}};
+ for (const std::string& token : tokens) {
+ auto mappedToken = validConfigs.find(token);
+ if (mappedToken != validConfigs.end()) {
+ sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
+ } else {
return Status(ErrorCodes::BadValue,
- "need sslCAFile with sslWeakCertificateValidation");
- }
- if (!sslGlobalParams.sslCRLFile.empty() &&
- sslGlobalParams.sslCAFile.empty()) {
- return Status(ErrorCodes::BadValue, "need sslCAFile with sslCRLFile");
- }
- std::string sslCANotFoundError("No SSL certificate validation can be performed since"
- " no CA file has been provided; please specify an"
- " sslCAFile parameter");
-
- if (sslGlobalParams.sslCAFile.empty()) {
- if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
- return Status(ErrorCodes::BadValue, sslCANotFoundError);
- }
- warning() << sslCANotFoundError;
+ "Unrecognized disabledProtocols '" + token + "'");
}
}
- else if (sslGlobalParams.sslPEMKeyFile.size() ||
- sslGlobalParams.sslPEMKeyPassword.size() ||
- sslGlobalParams.sslClusterFile.size() ||
- sslGlobalParams.sslClusterPassword.size() ||
- sslGlobalParams.sslCAFile.size() ||
- sslGlobalParams.sslCRLFile.size() ||
- sslGlobalParams.sslCipherConfig.size() ||
- sslGlobalParams.sslDisabledProtocols.size() ||
- sslGlobalParams.sslWeakCertificateValidation ||
- sslGlobalParams.sslFIPSMode) {
- return Status(ErrorCodes::BadValue,
- "need to enable SSL via the sslMode flag when "
- "using SSL configuration parameters");
- }
- if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile ||
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
- if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_disabled) {
- return Status(ErrorCodes::BadValue, "need to enable SSL via the sslMode flag");
- }
- }
- if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) {
- if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
- clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
- return Status(ErrorCodes::BadValue,
- "cannot have x.509 cluster authentication in allowSSL mode");
- }
- }
- return Status::OK();
}
- Status storeSSLClientOptions(const moe::Environment& params) {
- if (params.count("ssl") && params["ssl"].as<bool>() == true) {
- sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
- }
- if (params.count("ssl.PEMKeyFile")) {
- sslGlobalParams.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>();
- }
- if (params.count("ssl.PEMKeyPassword")) {
- sslGlobalParams.sslPEMKeyPassword = params["ssl.PEMKeyPassword"].as<std::string>();
- }
- if (params.count("ssl.CAFile")) {
- sslGlobalParams.sslCAFile = params["ssl.CAFile"].as<std::string>();
+ if (params.count("net.ssl.weakCertificateValidation")) {
+ sslGlobalParams.sslWeakCertificateValidation =
+ params["net.ssl.weakCertificateValidation"].as<bool>();
+ } else if (params.count("net.ssl.allowConnectionsWithoutCertificates")) {
+ sslGlobalParams.sslWeakCertificateValidation =
+ params["net.ssl.allowConnectionsWithoutCertificates"].as<bool>();
+ }
+ if (params.count("net.ssl.allowInvalidHostnames")) {
+ sslGlobalParams.sslAllowInvalidHostnames =
+ params["net.ssl.allowInvalidHostnames"].as<bool>();
+ }
+ if (params.count("net.ssl.allowInvalidCertificates")) {
+ sslGlobalParams.sslAllowInvalidCertificates =
+ params["net.ssl.allowInvalidCertificates"].as<bool>();
+ }
+ if (params.count("net.ssl.FIPSMode")) {
+ sslGlobalParams.sslFIPSMode = params["net.ssl.FIPSMode"].as<bool>();
+ }
+
+ int clusterAuthMode = serverGlobalParams.clusterAuthMode.load();
+ if (sslGlobalParams.sslMode.load() != SSLParams::SSLMode_disabled) {
+ if (sslGlobalParams.sslPEMKeyFile.size() == 0) {
+ return Status(ErrorCodes::BadValue, "need sslPEMKeyFile when SSL is enabled");
}
- if (params.count("ssl.CRLFile")) {
- sslGlobalParams.sslCRLFile = params["ssl.CRLFile"].as<std::string>();
+ if (sslGlobalParams.sslWeakCertificateValidation && sslGlobalParams.sslCAFile.empty()) {
+ return Status(ErrorCodes::BadValue, "need sslCAFile with sslWeakCertificateValidation");
}
- if (params.count("net.ssl.allowInvalidHostnames")) {
- sslGlobalParams.sslAllowInvalidHostnames =
- params["net.ssl.allowInvalidHostnames"].as<bool>();
+ if (!sslGlobalParams.sslCRLFile.empty() && sslGlobalParams.sslCAFile.empty()) {
+ return Status(ErrorCodes::BadValue, "need sslCAFile with sslCRLFile");
}
- if (params.count("ssl.allowInvalidCertificates")) {
- sslGlobalParams.sslAllowInvalidCertificates = true;
+ std::string sslCANotFoundError(
+ "No SSL certificate validation can be performed since"
+ " no CA file has been provided; please specify an"
+ " sslCAFile parameter");
+
+ if (sslGlobalParams.sslCAFile.empty()) {
+ if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
+ return Status(ErrorCodes::BadValue, sslCANotFoundError);
+ }
+ warning() << sslCANotFoundError;
}
- if (params.count("ssl.FIPSMode")) {
- sslGlobalParams.sslFIPSMode = true;
+ } else if (sslGlobalParams.sslPEMKeyFile.size() || sslGlobalParams.sslPEMKeyPassword.size() ||
+ sslGlobalParams.sslClusterFile.size() || sslGlobalParams.sslClusterPassword.size() ||
+ sslGlobalParams.sslCAFile.size() || sslGlobalParams.sslCRLFile.size() ||
+ sslGlobalParams.sslCipherConfig.size() ||
+ sslGlobalParams.sslDisabledProtocols.size() ||
+ sslGlobalParams.sslWeakCertificateValidation || sslGlobalParams.sslFIPSMode) {
+ return Status(ErrorCodes::BadValue,
+ "need to enable SSL via the sslMode flag when "
+ "using SSL configuration parameters");
+ }
+ if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendKeyFile ||
+ clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
+ clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
+ if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_disabled) {
+ return Status(ErrorCodes::BadValue, "need to enable SSL via the sslMode flag");
}
- return Status::OK();
}
-
- Status validateSSLMongoShellOptions(const moe::Environment& params) {
- // Users must specify either a CAFile or allowInvalidCertificates if ssl=true.
- if (params.count("ssl") &&
- params["ssl"].as<bool>() == true &&
- !params.count("ssl.CAFile") &&
- !params.count("ssl.allowInvalidCertificates")) {
+ if (sslGlobalParams.sslMode.load() == SSLParams::SSLMode_allowSSL) {
+ if (clusterAuthMode == ServerGlobalParams::ClusterAuthMode_sendX509 ||
+ clusterAuthMode == ServerGlobalParams::ClusterAuthMode_x509) {
return Status(ErrorCodes::BadValue,
- "need to either provide sslCAFile or specify sslAllowInvalidCertificates");
+ "cannot have x.509 cluster authentication in allowSSL mode");
}
- return Status::OK();
}
+ return Status::OK();
+}
+
+Status storeSSLClientOptions(const moe::Environment& params) {
+ if (params.count("ssl") && params["ssl"].as<bool>() == true) {
+ sslGlobalParams.sslMode.store(SSLParams::SSLMode_requireSSL);
+ }
+ if (params.count("ssl.PEMKeyFile")) {
+ sslGlobalParams.sslPEMKeyFile = params["ssl.PEMKeyFile"].as<std::string>();
+ }
+ if (params.count("ssl.PEMKeyPassword")) {
+ sslGlobalParams.sslPEMKeyPassword = params["ssl.PEMKeyPassword"].as<std::string>();
+ }
+ if (params.count("ssl.CAFile")) {
+ sslGlobalParams.sslCAFile = params["ssl.CAFile"].as<std::string>();
+ }
+ if (params.count("ssl.CRLFile")) {
+ sslGlobalParams.sslCRLFile = params["ssl.CRLFile"].as<std::string>();
+ }
+ if (params.count("net.ssl.allowInvalidHostnames")) {
+ sslGlobalParams.sslAllowInvalidHostnames =
+ params["net.ssl.allowInvalidHostnames"].as<bool>();
+ }
+ if (params.count("ssl.allowInvalidCertificates")) {
+ sslGlobalParams.sslAllowInvalidCertificates = true;
+ }
+ if (params.count("ssl.FIPSMode")) {
+ sslGlobalParams.sslFIPSMode = true;
+ }
+ return Status::OK();
+}
+
+Status validateSSLMongoShellOptions(const moe::Environment& params) {
+ // Users must specify either a CAFile or allowInvalidCertificates if ssl=true.
+ if (params.count("ssl") && params["ssl"].as<bool>() == true && !params.count("ssl.CAFile") &&
+ !params.count("ssl.allowInvalidCertificates")) {
+ return Status(ErrorCodes::BadValue,
+ "need to either provide sslCAFile or specify sslAllowInvalidCertificates");
+ }
+ return Status::OK();
+}
-} // namespace mongo
+} // namespace mongo
View Lorry Controller Status