-
Type: New Feature
-
Resolution: Unresolved
-
Priority: Major - P3
-
None
-
Affects Version/s: None
-
Component/s: Configuration
Version:
mongodb-driver-core-4.4.2
Context:
Everything works fine when we import the appropriate mongoDB certs into the truststore.
However, we want to use tlsInsecure=true for local development only to make setups easier for the developers.
Hence, I am defining a mongodb uri like
mongodb://[...]&tlsInsecure=true
Actual behvior:
The connection string query parameter 'tlsInsecure' is being ignored
com.mongodb.MongoSocketWriteException: Exception sending messagecom.mongodb.MongoSocketWriteException: Exception sending message at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:689) at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:560) at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:386) at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:335) at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:96) at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:44) at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:131) at com.mongodb.internal.connection.InternalStreamConnectionInitializer.startHandshake(InternalStreamConnectionInitializer.java:73) at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:182) at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:188) at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:152) at java.base/java.lang.Thread.run(Thread.java:833)Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:313) at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:200) at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500) at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415) at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450) at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:915) at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1285) at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99) at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:557) . .. 10 common frames omitted Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) at java.base/sun.security.validator.Validator.validate(Validator.java:264) at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) ... 24 common frames omitted Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ... 29 common frames omitted
Expected Behavior:*+
+*The urioption 'tlsInsecure' should not be ignored. Instead, any mongoDB cert should be accepted.
Solution hints:
I believe there is two places to change:
1) The class com.mongodb.ConnectionString does not have a field "tlsInsecure". Such a field (along with accessors) should be added. In line 576 this new field should be asigned instead of sslInvalidHostnameAllowed.
I guess this is a copy/paste error from the case above.
2) The new introduced tlsInsecure information from 1) has to be evaluated in com.mongodb.connection.SslSettings.Builder#applyConnectionString()