Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-39941

Report TLS handshake errors to client

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: 4.1.8
    • Component/s: Networking
    • None
    • Server Security
    • Security 2019-04-08

      Currently when the server rejects a client connection during TLS handshake it reports no errors to the client, making it impossible to diagnose connection failures from the client side (they can only be diagnosed via reading server logs).

      For example, given the certificates in https://github.com/p-mongo/tests/tree/master/certs, we can use openssl s_client and s_server functions to require certificate verification on the server side and connect without supplying a certificate:

      speed% openssl s_server -port 4433 -Verify 1

speed% openssl s_client -connect :4443

      Server side outputs in its terminal:

      ERROR
140307916162112:error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:3664:
shutting down SSL
CONNECTION CLOSED

      Client side outputs in its terminal:

      ---
140147908084800:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1528:SSL alert number 116

      The alert mechanism referenced is the openssl's way of communicating errors between client and server during connection handshake.

      Now if I connect to a mongod with s_client the same way:

      speed% openssl s_client -connect :27017

...
read:errno=0

      mongod closes the connection without supplying any reason why the connection was closed. The reason is logged in mongod log:

      2019-03-04T13:07:11.146-0500 E NETWORK  [conn129] no SSL certificate provided by peer; connection rejected
2019-03-04T13:07:11.146-0500 I NETWORK  [conn129] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 127.0.0.1:48388 (connection id: 129)

      This reason should be communicated to the client using the openssl alert mechanism prior to closing the connection.

      mongod was launched with:

      speed% mlaunch init --single --dir /tmp/mdb-ssl --sslMode requireSSL --bin /usr/local/m/versions/4.1/ \
  --sslPEMKeyFile `pwd`/server.pem \
  --sslCAFile `pwd`/ca.pem \
  --sslClientCertificate `pwd`/client.pem

            Assignee:
            backlog-server-security [DO NOT USE] Backlog - Security Team
            Reporter:
            oleg.pudeyev@mongodb.com Oleg Pudeyev (Inactive)
            Votes:
            1 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated: