Type: Improvement
Resolution: Unresolved
Priority: Major - P3
Affects Version/s: 4.1.8
Component/s: Networking
Server Security
Security 2019-04-08
Currently, when the server rejects a client connection during the TLS handshake, it reports no error to the client, making it impossible to diagnose connection failures from the client side (they can only be diagnosed by reading the server logs).
For example, given the certificates in https://github.com/p-mongo/tests/tree/master/certs, we can use the openssl s_server and s_client commands to require certificate verification on the server side and connect without supplying a certificate:
speed% openssl s_server -port 4433 -Verify 1
speed% openssl s_client -connect :4443
Server side outputs in its terminal:
ERROR
140307916162112:error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:3664:
shutting down SSL
CONNECTION CLOSED
Client side outputs in its terminal:
--- 140147908084800:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1528:SSL alert number 116
The alert mechanism referenced is the TLS protocol's way (surfaced here in OpenSSL's error output) of communicating errors between client and server during the handshake.
Now if I connect to a mongod with s_client the same way:
speed% openssl s_client -connect :27017
...
read:errno=0
mongod closes the connection without supplying any reason why the connection was closed. The reason is logged in mongod log:
2019-03-04T13:07:11.146-0500 E NETWORK [conn129] no SSL certificate provided by peer; connection rejected
2019-03-04T13:07:11.146-0500 I NETWORK [conn129] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 127.0.0.1:48388 (connection id: 129)
This reason should be communicated to the client using the TLS alert mechanism prior to closing the connection.
mongod was launched with:
speed% mlaunch init --single --dir /tmp/mdb-ssl --sslMode requireSSL --bin /usr/local/m/versions/4.1/ \
  --sslPEMKeyFile `pwd`/server.pem \
  --sslCAFile `pwd`/ca.pem \
  --sslClientCertificate `pwd`/client.pem
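To make concrete what "SSL alert number 116" in the s_client output is and what mongod would have to send before closing the socket, here is an added example (not code from MongoDB or from this ticket) that builds and decodes plaintext TLS alert records per RFC 5246 and RFC 8446, and picks the alert a server should send when a required client certificate is missing. The alert-code table is the standard one; the function and variable names are this example's own.

```python
# Added example (not MongoDB's code): build and decode TLS alert records
# (RFC 5246 s7.2 for TLS 1.2, RFC 8446 s6 for TLS 1.3) and choose the alert a
# server should send when it requires a client certificate and gets none.
import struct
from typing import NamedTuple, Optional

ALERT_CONTENT_TYPE = 21          # TLS record ContentType alert(21)
ALERT_LEVELS = {1: "warning", 2: "fatal"}
TLS_VERSION_NAMES = {(3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}

# AlertDescription values from RFC 5246 / RFC 8446 (the commonly seen subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    109: "missing_extension", 110: "unsupported_extension", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 115: "unknown_psk_identity",
    116: "certificate_required", 120: "no_application_protocol",
}


class Alert(NamedTuple):
    level: str
    description: int
    name: str


def alert_for_missing_client_cert(negotiated_version: tuple) -> int:
    """AlertDescription a server should send when it requires a client
    certificate and the client sent none.

    TLS 1.3 (3, 4) defines certificate_required(116) for exactly this case
    (RFC 8446 s4.4.2.4). TLS 1.2 and earlier have no dedicated code; RFC 5246
    s7.4.6 has the server answer with a fatal handshake_failure(40)."""
    if negotiated_version >= (3, 4):
        return 116
    return 40


def build_alert(description: int, fatal: bool = True,
                record_version: tuple = (3, 3)) -> bytes:
    """Serialise one plaintext alert record: a 5-byte record header
    (type, version, length) followed by the 2-byte Alert body
    (level, description). (3, 3) is the record-layer version both TLS 1.2
    and TLS 1.3 put on the wire."""
    body = bytes([2 if fatal else 1, description])
    header = struct.pack("!BBBH", ALERT_CONTENT_TYPE,
                         record_version[0], record_version[1], len(body))
    return header + body


def parse_alert_record(record: bytes) -> Optional[Alert]:
    """Decode a plaintext alert record; None if it is not an alert or is
    malformed.

    Caveat: once TLS 1.3 handshake keys are in place, alerts (including
    certificate_required) are encrypted and travel as application_data(23)
    records, so a packet capture cannot decode them without the traffic
    keys. This parser handles the plaintext form a TLS 1.2 peer sends."""
    if len(record) < 5:
        return None
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE or length != 2 or len(record) < 5 + length:
        return None
    level, description = record[5], record[6]
    if level not in ALERT_LEVELS:
        return None
    return Alert(ALERT_LEVELS[level], description,
                 ALERT_DESCRIPTIONS.get(description, "unknown"))


def describe_alert(record: bytes) -> str:
    """Render an alert the way a diagnosing client wants to see it."""
    alert = parse_alert_record(record)
    if alert is None:
        return "not a plaintext TLS alert record"
    return f"{alert.level} alert {alert.description} ({alert.name})"


if __name__ == "__main__":
    # What a conforming server sends before closing when a required client
    # certificate is missing, for each protocol version; the TLS 1.3 record
    # decodes to the "alert number 116" that s_client printed above.
    for version, name in TLS_VERSION_NAMES.items():
        rec = build_alert(alert_for_missing_client_cert(version))
        print(name, rec.hex(), "->", describe_alert(rec))
```

Running it prints the two records a server should emit (`15030300020228` for TLS 1.2, `15030300020274` for TLS 1.3) and their decoded meaning; closing the socket with neither, as mongod does above, leaves the client with only `read:errno=0`.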
is related to:
- SERVER-33329 Server and Shell do not emit TLS "protocol_version" alert messages (Closed)
- RUBY-1713 Topology flapping under load with aggressive server_selection_timeout (Closed)
- SERVER-39970 Report all handshake errors to client (Closed)