EDIT: There was nothing wrong. I was an idiot. The below settings are correct.
I've set up an instance of mongodb (3.4) on windows, configured like this:
net:
  port: 27017
  ssl:
    mode: preferSSL
    PEMKeyFile: C:\...\mongodb.pem
    CAFile: C:\...\mongodb.ca
    allowConnectionsWithoutCertificates: true
The certificate is a CA-signed certificate issued for a specific domain and a wildcard subdomain.
I can then connect to the database from my local machine using a simple C# program that has the following connection string:
mongodb://user:password@hostname?ssl=true
and it works fine. The client is not using a certificate.
I've fiddled with the parameters and it really seems like it really is connecting using SSL:
- If I switch to mode: requireSSL and set ssl=false in the connection string, I cannot connect, which is expected.
- If I connect to a domain that is not included in the certificate, I get "The remote certificate is invalid according to the validation procedure.", which is also expected.
- The only error/warning I see in the mongo log is "no SSL certificate provided by peer", which is expected; the client is not using a certificate, that's why I've configured allowConnectionsWithoutCertificates: true.
However, when I look at the traffic using Wireshark, I can inspect all the packets and read the data being sent to and from the server in plaintext. There is no SSL/TLS layer in the packet details pane, just Ethernet, IP, TCP and then Mongo Wire protocol.
My question is: is this expected? Shouldn't the traffic be encrypted, and thus unreadable in Wireshark?
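An added check for exactly this situation (example code, not part of the question): given the first TCP payload bytes of a stream to the mongod port, it tells a TLS record header apart from a plaintext MongoDB wire protocol header, so a capture can be audited without eyeballing Wireshark. The sample payloads are constructed here, not taken from the question's capture.

```python
import struct

# MongoDB wire protocol opcodes (int32, little-endian, at header offset 12)
MONGO_OPCODES = {
    1: "OP_REPLY", 2001: "OP_UPDATE", 2002: "OP_INSERT", 2004: "OP_QUERY",
    2005: "OP_GET_MORE", 2006: "OP_DELETE", 2007: "OP_KILL_CURSORS",
    2010: "OP_COMMAND", 2011: "OP_COMMANDREPLY", 2013: "OP_MSG",
}
# TLS record content types; record version byte pair is 0x03 0x00..0x03
TLS_CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
MONGO_MAX_MESSAGE = 48 * 1024 * 1024  # server-side maxMessageSizeBytes


def classify_payload(payload: bytes) -> str:
    """Classify the first bytes a client sent on the mongod port.

    'tls' when they look like a TLS record header (a ClientHello starts 16 03 01),
    'mongo-plaintext' when they parse as a MongoDB message header
    (messageLength, requestID, responseTo, opCode), else 'unknown'.
    The TLS test runs first because a TLS header could, by chance, also look
    like a plausible little-endian length field.
    """
    if len(payload) < 5:
        return "unknown"
    ctype, major, minor = payload[0], payload[1], payload[2]
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return "tls"
    if len(payload) >= 16:
        msg_len, _request_id, _response_to, opcode = struct.unpack_from("<iiii", payload, 0)
        if opcode in MONGO_OPCODES and 16 <= msg_len <= MONGO_MAX_MESSAGE:
            return "mongo-plaintext"
    return "unknown"


def audit_capture(first_segments):
    """Count classifications over the first client segment of each stream.
    Any 'mongo-plaintext' hit is a stream that was not protected by TLS,
    regardless of what the driver's connection string claimed."""
    counts = {"tls": 0, "mongo-plaintext": 0, "unknown": 0}
    for segment in first_segments:
        counts[classify_payload(segment)] += 1
    return counts


# Constructed samples (not from the question's capture):
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + b"\x00" * 32
_BSON_ISMASTER = struct.pack("<i", 19) + b"\x10isMaster\x00" + struct.pack("<i", 1) + b"\x00"
PLAINTEXT_OP_MSG = (struct.pack("<iiii", 16 + 4 + 1 + len(_BSON_ISMASTER), 1, 0, 2013)
                    + struct.pack("<I", 0) + b"\x00" + _BSON_ISMASTER)  # OP_MSG {isMaster: 1}
```

Feed it the first client-to-server payload of each TCP stream (for example exported from Wireshark with tcp.port == 27017); a result other than all-'tls' means some connection negotiated plaintext, which preferSSL permits.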