Java Driver / JAVA-4522

Connection string parameter tlsInsecure is not supported

    • Type: New Feature
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: Configuration

      Version: 
      mongodb-driver-core-4.4.2

       

      Context:

      Everything works fine when we import the appropriate mongoDB certs into the truststore.

      However, we want to use tlsInsecure=true for local development only to make setups easier for the developers.

      Hence, I am defining a mongodb uri like

       

      mongodb://[...]&tlsInsecure=true

       

       

      Actual behavior:

      The connection string query parameter 'tlsInsecure' is being ignored

       

      com.mongodb.MongoSocketWriteException: Exception sending messagecom.mongodb.MongoSocketWriteException: Exception sending message 
      at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:689)
      at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:560) 
      at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:386)
      at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:335) 
      at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:96)
      at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:44) 
      at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:131)
      at com.mongodb.internal.connection.InternalStreamConnectionInitializer.startHandshake(InternalStreamConnectionInitializer.java:73)
      at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:182) 
      at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:188)
      at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:152) 
      at java.base/java.lang.Thread.run(Thread.java:833)
      Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) 
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370) 
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:313) 
      at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308) 
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232) 
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175) 
      at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480) 
      at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458) 
      at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:200) 
      at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) 
      at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500) 
      at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415) 
      at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450) 
      at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:915) 
      at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1285) 
      at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99) 
      at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:557)
      ... 10 common frames omitted
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
      at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) 
      at java.base/sun.security.validator.Validator.validate(Validator.java:264) 
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231) 
      at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) 
      at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341) 
      ... 24 common frames omitted
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) 
      at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) 
      at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) 
      at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) 
      ... 29 common frames omitted
      

       

       

      Expected Behavior:
      The URI option 'tlsInsecure' should not be ignored. Instead, any mongoDB cert should be accepted.

       

      Solution hints:

      I believe there are two places to change:

      1) The class com.mongodb.ConnectionString does not have a field "tlsInsecure". Such a field (along with accessors) should be added. In line 576 this new field should be assigned instead of sslInvalidHostnameAllowed.
      I guess this is a copy/paste error from the case above.

      2) The newly introduced tlsInsecure information from 1) has to be evaluated in com.mongodb.connection.SslSettings.Builder#applyConnectionString()

            Assignee: Unassigned
            Reporter: f.kreis@enbw.com Fabian Kreis
            Votes: 0
            Watchers: 4
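
An added example, not part of the issue and not the driver's own code: one way to get the local-development convenience without disabling certificate validation is to give the client its own SSLContext that trusts only the development CA, so the JVM truststore is left untouched. The class name `DevMongoClientFactory`, the helper names and the command-line arguments are assumptions made for this illustration.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

public final class DevMongoClientFactory { // hypothetical helper class
    /** Builds an SSLContext that trusts only the certificate(s) in the given PEM file. */
    static SSLContext contextTrusting(Path caPem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store, nothing from the JVM cacerts
        CertificateFactory x509 = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = Files.newInputStream(caPem)) {
            for (Certificate cert : x509.generateCertificates(in)) {
                trustStore.setCertificateEntry("dev-ca-" + count++, cert);
            }
        }
        if (count == 0) throw new IllegalArgumentException("no certificates found in " + caPem);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Creates a client whose TLS trust is limited to the development CA. */
    static MongoClient create(String uri, Path devCaPem) throws Exception {
        SSLContext ctx = contextTrusting(devCaPem);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                // Applied after the connection string, so these TLS settings take effect.
                .applyToSslSettings(ssl -> ssl.enabled(true).context(ctx))
                .build();
        return MongoClients.create(settings);
    }

    public static void main(String[] args) throws Exception { // args: <uri> <dev-ca.pem>
        try (MongoClient client = create(args[0], Path.of(args[1]))) {
            System.out.println(client.getDatabase("admin").runCommand(new org.bson.Document("ping", 1)));
        }
    }
}
```

If the development certificate's names do not match the host in the URI, `SslSettings.Builder#invalidHostNameAllowed(true)` relaxes only the hostname check while chain validation stays on.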
