MongoDB latest version 4.4.29 to fix CVE-2024-1351

Hi,

Using a "self signed certificate", after patching to 4.4.29 and per the updated documentation and notes:

The configuration file has the following parameters set:

mode: requireTLS

certificateKeyFile: /mongodb/cert/XXXX/mongodb.pem

The database instance is started with the parameter set as follows:

--setParameter tlsUseSystemCA=true

The database engine will start OK; however, when I try to connect using the mongo utility:

mongo --port XXXX --tls --host XXXX --tlsCertificateKeyFile /mongodb/cert/XXXX/mongodb.pem

the following error is thrown:

{"t":{"$date":"2024-03-13T09:11:51.871Z"},"s":"I", "c":"NETWORK", "id":5490002, "ctx":"thread1","msg":"Started a new thread for the timer service"}

{"t":{"$date":"2024-03-13T09:11:51.889Z"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate"}}

Error: couldn't connect to server XXXX:XXX, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: self signed certificate :

connect@src/mongo/shell/mongo.js:374:17

Any help/suggestions?

Regards,
Emad Al-Mousa

Hi @emad_mousa

Please review and update the post and remember for future posting:

As a self signed certificate is used the option --tlsCAFile should be used with the signing CA, in this case the certificate itself.

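The failure in the first post and the fix chris describes, reproduced with Python's ssl module against a throwaway self-signed certificate. This is an added example, not code from the thread or from MongoDB; it assumes the openssl CLI is on PATH (used only to mint the certificate) and that TCP connections to 127.0.0.1 are allowed. A client that trusts only the system CA store rejects the server with OpenSSL verify code 18 (DEPTH_ZERO_SELF_SIGNED_CERT, the "self signed certificate" message the mongo shell printed); pointing it at the same PEM file as the CA, which is what --tlsCAFile does for the shell, makes the handshake succeed.

```python
"""Reproduce "SSL peer certificate validation failed: self signed certificate"
with Python's ssl module and show the fix: trust the self-signed certificate
itself as the CA (what --tlsCAFile does for the mongo shell).

Added example, not part of the thread or of MongoDB. Assumes the `openssl`
CLI is on PATH (only used to mint a throwaway certificate) and that TCP
connections to 127.0.0.1 are allowed.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading
from typing import Optional, Tuple

HOST = "localhost"  # CN and SAN of the throwaway certificate (assumption)
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18  # OpenSSL's code for this failure


def make_self_signed_pem(directory: str) -> str:
    """Mint a self-signed certificate and write certificate + private key into
    one PEM file, the layout mongod expects for net.tls.certificateKeyFile."""
    key = os.path.join(directory, "key.pem")
    crt = os.path.join(directory, "crt.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}"],
        check=True, capture_output=True)
    pem = os.path.join(directory, "mongodb.pem")
    with open(pem, "wb") as out:
        for part in (crt, key):
            with open(part, "rb") as src:
                out.write(src.read())
    return pem


def _serve_one(listener: socket.socket, ctx: ssl.SSLContext) -> None:
    """Accept one client and run the TLS handshake. A failed handshake is the
    expected outcome when the client distrusts our certificate, so errors are
    swallowed here and reported on the client side instead."""
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)
    except (ssl.SSLError, OSError):
        pass
    finally:
        conn.close()


def handshake(pem: str, ca_file: Optional[str]) -> Tuple[bool, Optional[int]]:
    """Connect to a throwaway TLS server that presents `pem`. The client
    verifies the server the way the mongo shell does: against the system CA
    store when ca_file is None, otherwise against ca_file (--tlsCAFile).
    Returns (handshake_ok, openssl_verify_code_or_None)."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(pem)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=_serve_one, args=(listener, srv_ctx), daemon=True)
    server.start()

    cli_ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if ca_file:
        cli_ctx.load_verify_locations(cafile=ca_file)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                tls.sendall(b"x")
        return True, None
    except ssl.SSLCertVerificationError as err:
        return False, err.verify_code
    finally:
        server.join(timeout=5)
        listener.close()


def demo() -> dict:
    """Run both variants the original poster tried (system CA store only, then
    the PEM itself as CA) and return their outcomes keyed by variant name."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = make_self_signed_pem(tmp)
        return {
            "system_ca_only": handshake(pem, None),   # mirrors the mongo shell error
            "pem_as_tlsCAFile": handshake(pem, pem),  # chris's fix
        }


if __name__ == "__main__":
    for variant, (ok, code) in demo().items():
        print(f"{variant}: {'OK' if ok else f'FAILED, verify code {code}'}")
```

The server side here stands in for mongod presenting its certificateKeyFile; the client side stands in for the mongo shell. The message text varies between OpenSSL releases ("self signed certificate" versus "self-signed certificate"), so the code checks the numeric verify code rather than the string.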

Thanks @chris for your feedback.

My configuration file parameters are updated as follows:

tls:

  mode: requireTLS

  certificateKeyFile: /mongodb/bin/cert_dir/mongodb-ca.pem

  CAFile: /mongodb/bin/cert_dir/mongodb-ca.pem

When starting MongoDB using this command:

/mongodb/bin/mongod --config /mongodb/log/etc/mongod.conf --setParameter tlsUseSystemCA=true

the following error message was thrown:

{"t":{"$date":"2024-03-14T09:28:16.699Z"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":72,"codeName":"InvalidOptions","errmsg":"The use of both a CA File and the System Certificate store is not supported."}}}

{"t":{"$date":"2024-03-18T05:51:06.131Z"},"s":"F", "c":"CONTROL", "id":20574, "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":72,"codeName":"InvalidOptions","errmsg":"The use of both a CA File and the System Certificate store is not supported."}}}

If I remove --setParameter tlsUseSystemCA=true, the MongoDB instance starts up OK:

nohup /mongodb/bin/mongod --config /mongodb/log/etc/mongod.conf &

Now, if I attempt to connect using the mongo shell command utility:

/mongodb/bin/mongo --port XXXX --tls --host XXXXX.DOMAIN.com --tlsCertificateKeyFile /mongodb/bin/cert_dir/mongodb-ca.pem

MongoDB shell version v4.4.29

connecting to: mongodb://XXXXX.DOMAIN.com:XXXX/?compressors=disabled&gssapiServiceName=mongodb

{"t":{"$date":"2024-03-18T06:02:03.276Z"},"s":"I", "c":"NETWORK", "id":5490002, "ctx":"thread1","msg":"Started a new thread for the timer service"}

{"t":{"$date":"2024-03-18T06:02:03.288Z"},"s":"E", "c":"NETWORK", "id":23256, "ctx":"js","msg":"SSL peer certificate validation failed","attr":{"error":"SSL peer certificate validation failed: self signed certificate"}}

The mongo shell will succeed in connecting when the following parameter is added, --tlsAllowInvalidCertificates:

/mongodb/bin/mongo --port XXXX --tls --host XXXXX.DOMAIN.com --tlsCertificateKeyFile /mongodb/bin/cert_dir/mongodb-ca.pem --tlsAllowInvalidCertificates

Does this mean a "self signed certificate" totally can't be used anymore? This will cause major impact!!

[[SERVER-72839] Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided - MongoDB Jira](https://jira.mongodb.org/browse/SERVER-72839)

Hi, @emad_mousa.
We found out that due to https://jira.mongodb.org/browse/SERVER-72839 we have to change two settings on the server side.
You have to turn client SSL certificate validation off, because since v4.4.29 (v5.0.25) they fixed a long-existing bug where the server did not check client certificates if CAFile or the system CA store was used.
The setting has a very confusing name (allowConnectionsWithoutCertificates); set it to false.

In my case a mongod config is:

# network interfaces
net:
  port: 27019
  bindIp: um-mongo-config-r3.***, localhost
  tls:
    mode: preferTLS
    allowConnectionsWithoutCertificates: true
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    certificateKeyFile: /etc/pki/mongo/crt/um-mongo-config-r3.***.pem
    # CAFile: /etc/pki/ca-trust/source/anchors/myCA.pem
    certificateKeyFilePassword: ***
...
# We keep the CA file in the Linux system CA store, so there is no need to specify CAFile, but we have to tell mongod to use it:
setParameter:
  tlsUseSystemCA: true

Hope it will help you and others.
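A small lint for the net.tls and setParameter sections of a mongod.conf that catches the three things this thread turns up: CAFile together with tlsUseSystemCA (mongod refuses to start with the InvalidOptions error quoted above), no CA source at all (the SERVER-72839 situation), and the validation-relaxing flags, including what allowConnectionsWithoutCertificates actually does. This is an added example, not MongoDB's code; the parser covers only the indented `key: value` subset used in the configs posted above, the rule texts are my summary of the thread (the InvalidOptions message is the one mongod printed), and the two sample configs are reconstructed from the second post (with its command-line --setParameter written into the file) and the last reply.

```python
"""Lint a mongod.conf for the TLS pitfalls discussed in this thread.

Added example, not MongoDB's code. The parser handles only the indented
`key: value` subset seen in the posted configs; values containing ':' or '#'
(URLs, some passwords) are out of scope. Rule texts summarise the thread.
"""
from typing import Any, Dict, List, Tuple


def parse_mongod_conf(text: str) -> Dict[str, Any]:
    """Minimal YAML-subset parser: nested mappings by indentation, `#`
    comments, `...` separators, scalars kept as strings except true/false."""
    root: Dict[str, Any] = {}
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]  # (indent, mapping)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or line.strip() == "...":
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        while stack[-1][0] >= indent:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = {"true": True, "false": False}.get(value.lower(), value)
    return root


def lint(cfg: Dict[str, Any]) -> List[str]:
    """Return findings as 'LEVEL: message'; ERROR means mongod will not start."""
    tls = cfg.get("net", {}).get("tls", {})
    params = cfg.get("setParameter", {})
    out: List[str] = []
    ca_file = tls.get("CAFile")
    system_ca = params.get("tlsUseSystemCA") is True
    if ca_file and system_ca:
        out.append("ERROR: net.tls.CAFile and setParameter.tlsUseSystemCA are mutually "
                   "exclusive; mongod exits with InvalidOptions (code 72): \"The use of "
                   "both a CA File and the System Certificate store is not supported.\"")
    if not ca_file and not tls.get("clusterCAFile") and not system_ca:
        out.append("WARN: no CA source (CAFile, clusterCAFile or tlsUseSystemCA): mongod "
                   "has nothing to validate client certificates against; see SERVER-72839")
    if tls.get("mode") != "requireTLS":
        out.append(f"NOTE: net.tls.mode is {tls.get('mode')!r}; only requireTLS rejects "
                   "plaintext connections")
    for flag in ("allowInvalidCertificates", "allowInvalidHostnames"):
        if tls.get(flag) is True:
            out.append(f"WARN: net.tls.{flag}: true disables part of certificate validation")
    if tls.get("allowConnectionsWithoutCertificates") is True:
        out.append("INFO: allowConnectionsWithoutCertificates: true admits clients that "
                   "present no certificate; a certificate that is presented is still validated")
    if ca_file and ca_file == tls.get("certificateKeyFile"):
        out.append("INFO: CAFile is the server's own self-signed certificate: a client "
                   "certificate, if presented, must be that file or be signed by it, and "
                   "clients need the same file as --tlsCAFile to trust the server")
    return out


# Reconstructed from the second post: its tls block placed under net, plus the
# --setParameter the poster passed on the command line, written into the file.
POSTER_CONF = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /mongodb/bin/cert_dir/mongodb-ca.pem
    CAFile: /mongodb/bin/cert_dir/mongodb-ca.pem
setParameter:
  tlsUseSystemCA: true
"""

# The last reply's config, with hostname and password elided as in the post.
REPLY_CONF = """\
net:
  port: 27019
  bindIp: um-mongo-config-r3.***, localhost
  tls:
    mode: preferTLS
    allowConnectionsWithoutCertificates: true
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    certificateKeyFile: /etc/pki/mongo/crt/um-mongo-config-r3.***.pem
    # CAFile: /etc/pki/ca-trust/source/anchors/myCA.pem
    certificateKeyFilePassword: ***
...
setParameter:
  tlsUseSystemCA: true
"""

if __name__ == "__main__":
    for name, conf in (("poster", POSTER_CONF), ("reply", REPLY_CONF)):
        print(f"== {name} ==")
        for finding in lint(parse_mongod_conf(conf)):
            print(finding)
```

Run it as a pre-start check next to `mongod --config`: the poster's config produces the ERROR line that matches the startup failure quoted above, while the reply's config starts cleanly but still gets a NOTE for preferTLS and an INFO explaining that allowConnectionsWithoutCertificates only waives the certificate for clients that send none.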