Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-34813

SocketException: Secure.Transport: -9801 connecting from 3.7.9 shell to 3.4 server with SSL on Mac

    • Type: Icon: Bug Bug
    • Resolution: Duplicate
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • None
    • ALL

      These tests used the following server config:

      $ cat config.txt
      bind_ip=localhost
      port=27017
      ipv6=true
      sslOnNormalPorts=true
      sslWeakCertificateValidation=true
      sslCAFile=/Users/shane/git/mongo-python-driver/test/certificates/ca.pem
      sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/server.pem
      dbpath=/var/folders/lm/b1r2f8p503xg40r6x2rqv7fr0000gp/T/mongo-oy2q7nj0
      setParameter = enableTestCommands=1
      

      And the self signed certificates from the Python driver: https://github.com/mongodb/mongo-python-driver/tree/3.6.1/test/certificates

      When I start a 3.7.9 server with SSL and attempt to connect without --allowInvalidCertificates I get an error as expected:

      $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
      2018-05-02T13:01:36.858-0700 I NETWORK  [main] Secure Transport Initialized
      2018-05-02T13:01:36.858-0700 I NETWORK  [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
      MongoDB shell version v3.7.9
      connecting to: mongodb://127.0.0.1:27017
      2018-05-02T13:01:36.927-0700 E NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected
      2018-05-02T13:01:36.928-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected :
      connect@src/mongo/shell/mongo.js:251:13
      @(connect):1:6
      exception: connect failed
      

      This error message is a little bit less clear than the OpenSSL error you get in 3.4:

      $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
      MongoDB shell version v3.4.14
      connecting to: mongodb://127.0.0.1:27017
      2018-05-02T13:03:43.607-0700 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate in certificate chain
      2018-05-02T13:03:43.610-0700 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate in certificate chain :
      connect@src/mongo/shell/mongo.js:240:13
      @(connect):1:6
      exception: connect failed
      

      With --sslAllowInvalidCertificates the connection succeeds:

      $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
      2018-05-02T13:16:06.009-0700 I NETWORK  [main] Secure Transport Initialized
      2018-05-02T13:16:06.009-0700 I NETWORK  [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
      MongoDB shell version v3.7.9
      connecting to: mongodb://127.0.0.1:27017
      2018-05-02T13:16:06.086-0700 W NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
      MongoDB server version: 3.7.9
      Server has startup warnings:
      ...
      

      However, starting a 3.4 server with SSL and attempting to connect with the 3.7.9 mongo shell results in an error:

      $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
      2018-05-02T13:03:50.995-0700 I NETWORK  [main] Secure Transport Initialized
      2018-05-02T13:03:50.995-0700 I NETWORK  [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
      MongoDB shell version v3.7.9
      connecting to: mongodb://127.0.0.1:27017
      2018-05-02T13:03:51.037-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Secure.Transport: -9801 :
      connect@src/mongo/shell/mongo.js:251:13
      @(connect):1:6
      exception: connect failed
      

      Starting a 3.7.9 server with SSL and attempting to connect with the 3.4 mongo shell also fails:

      $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
      MongoDB shell version v3.4.14
      connecting to: mongodb://127.0.0.1:27017
      2018-05-02T13:11:59.988-0700 E QUERY    [thread1] Error: socket exception [CLOSED] for 127.0.0.1:27017 :
      connect@src/mongo/shell/mongo.js:240:13
      @(connect):1:6
      exception: connect failed
      

      Is this expected?

            Assignee:
            david.katz@mongodb.com David Katz
            Reporter:
            shane.harvey@mongodb.com Shane Harvey
            Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

              Created:
              Updated:
              Resolved: