- Type: Bug
- Resolution: Duplicate
- Priority: Major - P3
- None
- Affects Version/s: None
- Component/s: None
- None
- ALL
These tests used the following server config:
$ cat config.txt
bind_ip=localhost
port=27017
ipv6=true
sslOnNormalPorts=true
sslWeakCertificateValidation=true
sslCAFile=/Users/shane/git/mongo-python-driver/test/certificates/ca.pem
sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/server.pem
dbpath=/var/folders/lm/b1r2f8p503xg40r6x2rqv7fr0000gp/T/mongo-oy2q7nj0
setParameter = enableTestCommands=1
And the self signed certificates from the Python driver: https://github.com/mongodb/mongo-python-driver/tree/3.6.1/test/certificates
When I start a 3.7.9 server with SSL and attempt to connect without --sslAllowInvalidCertificates I get an error as expected:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
2018-05-02T13:01:36.858-0700 I NETWORK [main] Secure Transport Initialized
2018-05-02T13:01:36.858-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:01:36.927-0700 E NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected
2018-05-02T13:01:36.928-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
This error message is a little bit less clear than the OpenSSL error you get in 3.4:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:03:43.607-0700 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate in certificate chain
2018-05-02T13:03:43.610-0700 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed
With --sslAllowInvalidCertificates the connection succeeds:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
2018-05-02T13:16:06.009-0700 I NETWORK [main] Secure Transport Initialized
2018-05-02T13:16:06.009-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:16:06.086-0700 W NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
MongoDB server version: 3.7.9
Server has startup warnings:
...
However, starting a 3.4 server with SSL and attempting to connect with the 3.7.9 mongo shell results in an error:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
2018-05-02T13:03:50.995-0700 I NETWORK [main] Secure Transport Initialized
2018-05-02T13:03:50.995-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:03:51.037-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Secure.Transport: -9801 :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
Starting a 3.7.9 server with SSL and attempting to connect with the 3.4 mongo shell also fails:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:11:59.988-0700 E QUERY [thread1] Error: socket exception [CLOSED] for 127.0.0.1:27017 :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed
Is this expected?
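The sessions above show three distinct failure shapes that look similar at a glance: a certificate-trust failure that the shell rejects (E severity), the same trust failure downgraded to a warning because --sslAllowInvalidCertificates turned validation off while the connection still proceeded, and a handshake that dies before any certificate check (Secure Transport -9801, or the peer simply closing the socket). The following triage helper is an added example, not code from the report or from MongoDB; it copies the report's own log lines as constructed samples and assumes the shell's "timestamp severity component [context] message" line format. The outcome names and remediation strings are the example's own.

```python
"""Classify mongo shell TLS connection attempts from their log output.

Added example, not part of the bug report. Sample sessions are copied
from the log lines quoted in the report; outcome labels and the
remediation text are this example's own naming.
"""
import re

# Constructed samples: the report's shell output, trimmed to the lines that matter.
SESSION_REJECTED = [
    "2018-05-02T13:01:36.858-0700 I NETWORK [main] Secure Transport Initialized",
    "2018-05-02T13:01:36.927-0700 E NETWORK [js] SSL peer certificate validation failed: "
    "Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected",
    "exception: connect failed",
]
SESSION_BYPASSED = [
    "2018-05-02T13:16:06.009-0700 I NETWORK [main] Secure Transport Initialized",
    "2018-05-02T13:16:06.086-0700 W NETWORK [js] SSL peer certificate validation failed: "
    "Certificate trust failure: CSSMERR_TP_NOT_TRUSTED",
    "MongoDB server version: 3.7.9",
]
SESSION_OPENSSL_REJECTED = [
    "2018-05-02T13:03:43.607-0700 E NETWORK [thread1] SSL peer certificate validation failed: "
    "self signed certificate in certificate chain",
    "exception: connect failed",
]
SESSION_HANDSHAKE = [
    "2018-05-02T13:03:51.037-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, "
    "connection attempt failed: SocketException: Secure.Transport: -9801 :",
    "exception: connect failed",
]
SESSION_CLOSED = [
    "2018-05-02T13:11:59.988-0700 E QUERY [thread1] Error: socket exception [CLOSED] for 127.0.0.1:27017 :",
    "exception: connect failed",
]

# Assumed shell log layout: "<timestamp> <severity> <component> [<context>] <message>"
LOG_LINE = re.compile(r"^\S+ (?P<sev>[IWEF]) (?P<comp>\w+) \[[^\]]+\] (?P<msg>.*)$")
CERT_FAIL = re.compile(r"SSL peer certificate validation failed: (?P<reason>[^;]+)")
HANDSHAKE_FAIL = re.compile(r"SSLHandshakeFailed|Secure\.Transport: -\d+")
SOCKET_CLOSED = re.compile(r"socket exception \[CLOSED\]")
CONNECTED = re.compile(r"^MongoDB server version: ")

REMEDIATION = {
    "cert_rejected": "server certificate is not trusted; pass the issuing CA with --sslCAFile "
                     "rather than disabling validation",
    "cert_bypassed": "validation failed but the client connected anyway (validation disabled); "
                     "drop --sslAllowInvalidCertificates and pass the CA with --sslCAFile",
    "handshake_failed": "TLS negotiation aborted before any certificate check; compare the TLS "
                        "versions and cipher suites the two builds support",
    "closed": "peer closed the socket with no TLS error on this side; read the server log",
    "connected": "no action",
    "unknown": "no recognised TLS marker in the log",
}


def classify(lines):
    """Return {'outcome', 'reason', 'severity', 'remediation'} for one session's lines.

    Priority: a certificate verdict outranks a generic handshake message, because the
    shell emits both on a rejected certificate (see SESSION_REJECTED's E QUERY line).
    """
    cert_reason = cert_sev = None
    connected = handshake = closed = False
    for line in lines:
        if CONNECTED.search(line):
            connected = True
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue  # stack-trace and "exception:" lines carry no verdict
        msg = m.group("msg")
        c = CERT_FAIL.search(msg)
        if c and cert_reason is None:
            cert_reason, cert_sev = c.group("reason").strip(), m.group("sev")
        if SOCKET_CLOSED.search(msg):
            closed = True
        if HANDSHAKE_FAIL.search(msg):
            handshake = True

    if cert_reason and connected:
        outcome = "cert_bypassed"       # W-level verdict followed by a server banner
    elif cert_reason:
        outcome = "cert_rejected"
    elif handshake:
        outcome = "handshake_failed"
    elif closed:
        outcome = "closed"
    elif connected:
        outcome = "connected"
    else:
        outcome = "unknown"
    return {"outcome": outcome, "reason": cert_reason, "severity": cert_sev,
            "remediation": REMEDIATION[outcome]}


if __name__ == "__main__":
    for name, sess in [("rejected", SESSION_REJECTED), ("bypassed", SESSION_BYPASSED),
                       ("openssl", SESSION_OPENSSL_REJECTED), ("handshake", SESSION_HANDSHAKE),
                       ("closed", SESSION_CLOSED)]:
        r = classify(sess)
        print(f"{name:10} {r['outcome']:17} {r['remediation']}")
```

The useful signal for a defender is the cert_bypassed case: the shell prints the identical CSSMERR_TP_NOT_TRUSTED text in both sessions, and only the severity letter plus the subsequent server banner reveal that validation was switched off. Feeding client logs through a check like this makes that bypass visible instead of blending into ordinary trust errors.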
- duplicates: SERVER-33329 Server and Shell do not emit TLS "protocol_version" alert messages (Closed)