From c4850c1caa99f36935e910714e80e388b6419954 Mon Sep 17 00:00:00 2001 From: Michael Paik Date: Fri, 22 Aug 2014 18:32:17 -0400 Subject: [PATCH 1/3] DOCS-3701-re-redux --- source/includes/options-mongo.yaml | 2 +- source/includes/options-shared.yaml | 2 +- .../warning-always-use-sslCAFile-for-mongo.rst | 11 +++++++++++ source/tutorial/configure-ssl-clients.txt | 12 +++++++----- 4 files changed, 20 insertions(+), 7 deletions(-) create mode 100644 source/includes/warning-always-use-sslCAFile-for-mongo.rst diff --git a/source/includes/options-mongo.yaml b/source/includes/options-mongo.yaml index 002660554e5..b3c3651e04d 100644 --- a/source/includes/options-mongo.yaml +++ b/source/includes/options-mongo.yaml @@ -266,7 +266,7 @@ description: | The default distribution of MongoDB does not contain support for SSL. For more information on MongoDB and SSL, see :doc:`/tutorial/configure-ssl`. - .. include:: /includes/warning-x509-requires-sslCAfile.rst + .. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst optional: true --- program: mongo diff --git a/source/includes/options-shared.yaml b/source/includes/options-shared.yaml index c27fa930fe7..c81394f4038 100644 --- a/source/includes/options-shared.yaml +++ b/source/includes/options-shared.yaml @@ -122,7 +122,7 @@ description: | The default distribution of MongoDB does not contain support for SSL. For more information on MongoDB and SSL, see :doc:`/tutorial/configure-ssl`. - .. include:: /includes/warning-x509-requires-sslCAfile.rst + .. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst optional: true --- program: _shared diff --git a/source/includes/warning-always-use-sslCAFile-for-mongo.rst b/source/includes/warning-always-use-sslCAFile-for-mongo.rst new file mode 100644 index 00000000000..a214bcc0fbd --- /dev/null +++ b/source/includes/warning-always-use-sslCAFile-for-mongo.rst 
@@ -0,0 +1,11 @@ +.. warning:: + + If the :program:`mongo` shell or any other tool that connects to + :program:`mongos` or :program:`mongod` is run without + :option:`--sslCAFile `, it will not attempt to validate + server certificates. This results in vulnerability to expired + :program:`mongod` and :program:`mongos` certificates as well as to foreign + processes posing as valid :program:`mongod` or :program:`mongos` + instances. Ensure that you *always* specify the CA file against which + server certificates should be validated in cases where intrusion is a + possibility. diff --git a/source/tutorial/configure-ssl-clients.txt b/source/tutorial/configure-ssl-clients.txt index d2c0cb98609..47e455ab8a7 100644 --- a/source/tutorial/configure-ssl-clients.txt +++ b/source/tutorial/configure-ssl-clients.txt @@ -29,7 +29,9 @@ SSL support or distributed with MongoDB Enterprise. To support SSL, :file:`.pem` file that contains the SSL certificate and key. - :option:`--sslCAFile` with the name of the :file:`.pem` - file that contains the certificate from the Certificate Authority. + file that contains the certificate from the Certificate Authority (CA). + + .. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst - :option:`--sslPEMKeyPassword` option if the client certificate-key file is encrypted. @@ -51,10 +53,10 @@ Connect to MongoDB Instance that Requires Client Certificates To connect to a :program:`mongod` or :program:`mongos` that requires :ref:`CA-signed client certificates -`, start the :program:`mongo` shell with -:option:`--ssl ` and the :setting:`--sslPEMKeyFile -` option to specify the signed certificate-key file, as -in the following: +`, start the :program:`mongo` shell with the +:option:`--ssl `, :option:`--sslPEMKeyFile +`, and :option:`--sslCAFile ` options +to specify the signed certificate-key file and , as in the following: .. code-block:: sh From e5ccc4845f88a60ff040c7a565dac7bb09958037 Mon Sep 17 00:00:00 2001 
From: Michael Paik Date: Fri, 22 Aug 2014 18:35:34 -0400 Subject: [PATCH 2/3] DOCS-3701-re-redux, revert bad edit --- source/tutorial/configure-ssl-clients.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source/tutorial/configure-ssl-clients.txt b/source/tutorial/configure-ssl-clients.txt index 47e455ab8a7..d206982483c 100644 --- a/source/tutorial/configure-ssl-clients.txt +++ b/source/tutorial/configure-ssl-clients.txt @@ -53,10 +53,10 @@ Connect to MongoDB Instance that Requires Client Certificates To connect to a :program:`mongod` or :program:`mongos` that requires :ref:`CA-signed client certificates -`, start the :program:`mongo` shell with the +`, start the :program:`mongo` shell with :option:`--ssl `, :option:`--sslPEMKeyFile -`, and :option:`--sslCAFile ` options -to specify the signed certificate-key file and , as in the following: +` option to specify the signed certificate-key file, as +in the following: .. code-block:: sh From 088be4a4965091106aeca750ff3e397910dcabd5 Mon Sep 17 00:00:00 2001 From: Michael Paik Date: Fri, 22 Aug 2014 18:37:00 -0400 Subject: [PATCH 3/3] DOCS-3701-re-redux: fixyfixy --- source/tutorial/configure-ssl-clients.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/tutorial/configure-ssl-clients.txt b/source/tutorial/configure-ssl-clients.txt index d206982483c..04d865a31c8 100644 --- a/source/tutorial/configure-ssl-clients.txt +++ b/source/tutorial/configure-ssl-clients.txt @@ -54,7 +54,7 @@ Connect to MongoDB Instance that Requires Client Certificates To connect to a :program:`mongod` or :program:`mongos` that requires :ref:`CA-signed client certificates `, start the :program:`mongo` shell with -:option:`--ssl `, :option:`--sslPEMKeyFile +:option:`--ssl ` and the :option:`--sslPEMKeyFile ` option to specify the signed certificate-key file, as in the following:
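Review bot: The include swap in the `--sslCAFile` descriptions of `options-mongo.yaml` (@@ -266) and `options-shared.yaml` (@@ -122) drops `warning-x509-requires-sslCAfile.rst`, but nothing in the series deletes that file or shows whether any other page still includes it; either remove it here or confirm the remaining includers are meant to keep the narrower x.509-only wording while these two entries get the broader warning. Also note the casing drift between the old file name (`sslCAfile`) and the new one (`sslCAFile`): the option as used elsewhere in this series is `--sslCAFile`, so the new name is the one to keep.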
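Review bot: In the new `warning-always-use-sslCAFile-for-mongo.rst` the closing qualifier "in cases where intrusion is a possibility" undercuts the "*always*" two words earlier and hands readers a reason to skip the CA file; since the hunk's own first sentence says the shell validates nothing at all without `--sslCAFile`, end the warning at "server certificates should be validated." and drop the qualifier. Separately, the role on line 5 of the new file reads `:option:`--sslCAFile `` with nothing visible after the space inside the backticks; confirm the `<mongo --sslCAFile>` style target is present, because an include rendered from several contexts (the `mongo` entry, the `_shared` entry and the tutorial) cannot rely on a surrounding `.. program::` to resolve a bare option name.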
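Review bot: The `.. include::` added under the `--sslCAFile` bullet in `configure-ssl-clients.txt` (@@ -29) has to sit at the bullet's continuation column, the same indent as the "file that contains the certificate from the Certificate Authority (CA)." line above it; a directive at a shallower indent closes the list and renders the warning, and the `--sslPEMKeyPassword` item after it, outside the list. The surrounding blank lines are right; just check the indent. The "(CA)" expansion is a good addition since the warning text that follows refers to "the CA file".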
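Review bot: The rewritten sentence in the @@ -51 hunk of patch 1/3 ends "to specify the signed certificate-key file and , as in the following:", so the object after "and" (presumably the CA certificate file) went missing; the fix should be to complete it ("and the CA certificate file against which the server is validated") rather than the full revert that patches 2/3 and 3/3 apply. Adding `--sslCAFile` to this paragraph is the right direction: the warning introduced by this very patch tells readers to always pass it, yet the reverted final text leaves the client-certificate walkthrough recommending only `--ssl` and `--sslPEMKeyFile`, which contradicts the warning now included a few lines above it. Whichever wording is kept, the `.. code-block:: sh` example that follows (outside the hunk) must show the same options the sentence lists.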
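Review bot: Patches 2/3 and 3/3 exist only to undo and then repair the @@ -53 hunk of patch 1/3, and the intermediate state left by 2/3 still reads "with `--ssl`, `--sslPEMKeyFile` option" (the "and the" that 3/3 restores is absent), so squash the three into one commit before merge and replace the "fixyfixy" subject with something descriptive. The net effect of all three on that paragraph is a single token change, `:setting:` to `:option:` on `--sslPEMKeyFile`, which is correct (it is a command-line option, not a configuration setting) but is nowhere mentioned in the commit messages and deserves to be.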