Type: Bug
Resolution: Won't Fix
Priority: Major - P3
Affects Version/s: None
Component/s: None
Problem Statement/Rationale
There is confusion between the TLS and SSL options for secure connections. According to the documentation, although the SSL options are considered deprecated, both are exactly identical in terms of functionality.
However, the client does not handle both equally, which may be very confusing to those who think TLS may be more secure.
Steps to Reproduce
Note the difference below, between using:
?tls=false&ssl=true
vs
?tls=true&ssl=false
$ mongo --host="mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=false&ssl=true"
MongoDB shell version v5.0.8
connecting to: mongodb://covid-19-shard-00-02.hip2i.mongodb.net:27017,covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017/covid19?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=covid-19-shard-0&ssl=true&tls=false
Implicit session: session { "id" : UUID("77a4ef8a-53e3-414f-87b2-385b9bd283bf") }
MongoDB server version: 4.4.14
WARNING: shell and server versions do not match
================
Warning: the "mongo" shell has been superseded by "mongosh", which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in an upcoming release.
For installation instructions, see https://docs.mongodb.com/mongodb-shell/install/
================
MongoDB Enterprise covid-19-shard-0:PRIMARY>

vs

$ mongo --host="mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false"
MongoDB shell version v5.0.8
connecting to: mongodb://covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017,covid-19-shard-00-02.hip2i.mongodb.net:27017/covid19?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=covid-19-shard-0&ssl=false&tls=true
{"t":{"$date":"2022-05-21T12:47:47.450Z"},"s":"I", "c":"NETWORK", "id":4333208, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM host selection timeout","attr":{"replicaSet":"covid-19-shard-0","error":"FailedToSatisfyReadPreference: Could not find host matching read preference { mode: \"nearest\" } for set covid-19-shard-0"}}
*** You have failed to connect to a MongoDB Atlas cluster. Please ensure that your IP allowlist allows connections from your network.

Error: Could not find host matching read preference { mode: "nearest" } for set covid-19-shard-0, covid-19-shard-0/covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017,covid-19-shard-00-02.hip2i.mongodb.net:27017 :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1
Expected Results
A similar test with mongosh gives consistent results:
$ mongosh "mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false"
Current Mongosh Log ID: 6288e053ca539b523e7e77fd
Connecting to: mongodb+srv://<credentials>@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false&appName=mongosh+1.4.2
MongoParseError: All values of tls/ssl must be the same.

$ mongosh "mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=true"
Current Mongosh Log ID: 6288e05c90bfa6516e2dea9e
Connecting to: mongodb+srv://<credentials>@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=true&appName=mongosh+1.4.2
Using MongoDB: 4.4.14
Using Mongosh: 1.4.2
Actual Results
When tls=true&ssl=false is used, the mongo client doesn't connect to a server that requires TLS/SSL, but with tls=false&ssl=true it works, and TLS actually IS used for the connection.
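
A pre-flight check for connection strings that applies the same rule mongosh enforces under Expected Results, so a conflicting tls/ssl pair is rejected before any client gets to interpret it. This is an added example, not part of the original ticket and not code from either shell; `checkTlsOptions`, `SAMPLE_URIS` and the `cluster.example.net` host are hypothetical names chosen for illustration.

```javascript
// Added example (not from the ticket): lint a MongoDB URI for tls/ssl conflicts.
// checkTlsOptions and SAMPLE_URIS are hypothetical names; hosts are placeholders.
const TLS_ALIASES = new Set(["tls", "ssl"]); // documented as equivalent options

function checkTlsOptions(uri) {
  const problems = [];
  const q = uri.indexOf("?");
  const params = new URLSearchParams(q === -1 ? "" : uri.slice(q + 1));
  const seen = []; // every tls/ssl occurrence, in order, as [name, boolean]
  for (const [rawName, rawValue] of params) {
    const name = rawName.toLowerCase(); // URI option keys are case-insensitive
    if (!TLS_ALIASES.has(name)) continue;
    // Assumption: this linter accepts only the literal strings true/false.
    if (rawValue !== "true" && rawValue !== "false") {
      problems.push(`${name}=${rawValue}: expected true or false`);
      continue;
    }
    seen.push([name, rawValue === "true"]);
  }
  const distinct = new Set(seen.map(([, value]) => value));
  if (distinct.size > 1) {
    // Same rule mongosh enforces in the ticket; refuse instead of guessing.
    const pairs = seen.map(([n, v]) => `${n}=${v}`).join("&");
    problems.push(`conflicting values (${pairs}): all tls/ssl values must be the same`);
  }
  // mongodb+srv:// turns TLS on by default; plain mongodb:// leaves it off.
  const srv = uri.startsWith("mongodb+srv://");
  let effective = null; // null = undetermined, outcome depends on the client
  if (problems.length === 0) {
    effective = distinct.size === 1 ? [...distinct][0] : srv;
  }
  return { effective, problems };
}

// Constructed sample URIs covering the cases from the ticket.
const SAMPLE_URIS = [
  "mongodb+srv://user:pass@cluster.example.net/db?tls=false&ssl=true",
  "mongodb+srv://user:pass@cluster.example.net/db?tls=true&ssl=false",
  "mongodb+srv://user:pass@cluster.example.net/db?tls=true&ssl=true",
  "mongodb+srv://user:pass@cluster.example.net/db",
];
for (const uri of SAMPLE_URIS) {
  const { effective, problems } = checkTlsOptions(uri);
  console.log(uri.split("?")[1] || "(no options)", "->", effective, problems);
}
```

Both conflicting orderings from the ticket come back with `effective` set to `null` and one entry in `problems`, which is the signal to fix the URI rather than rely on whichever option a given client happens to honour.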