Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-5512

Ensure openssl legacy unsafe renegotiation can be configured via the MongoClient

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Hide

      DRIVERS-2823:
      Summary of necessary driver changes
      Ruby, Python, C, C++, and PHP, and Node all depend on OpenSSL by default and can encounter "unsafe legacy renegotiation disabled" errors when using OpenSSL version >=3 in some environments. These types of errors occur due to outdated or buggy SSL proxies. Such proxies mistakenly enforce legacy TLS renegotiation. A real example can be found in openssl/issues/21296.

      These drivers should document how to workaround this issue by setting the OP_LEGACY_SERVER_CONNECT option. For example in Ruby:

      Mongo.tls_context_hooks.push(
  Proc.new { |context| context.options |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT }
)
client = Mongo::Client.new('mongodb+srv://...')

      And Node:

      import { MongoClient } from 'mongodb';
import { * as crypto } from 'crypto';

const client = new MongoClient("mongodb+srv://...", {
  secureContext: {
    secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
  }
});

      Python, C, C++, and PHP should document how to workaround this issue via the UnsafeLegacyServerConnect option with the OPENSSL_CONF env var:

      $ cat openssl.cnf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect

$ OPENSSL_CONF=openssl.cnf python ...

      Note that UnsafeLegacyServerConnect in OPENSSL_CONF requires OpenSSL >= 3.0.4 to get the fix for this bug: https://github.com/openssl/openssl/issues/18295

      The documentation should explain that these workarounds should only be used as a last resort to address "unsafe legacy renegotiation disabled" errors.

      Show
      DRIVERS-2823 : Summary of necessary driver changes Ruby, Python, C, C++, and PHP, and Node all depend on OpenSSL by default and can encounter "unsafe legacy renegotiation disabled" errors when using OpenSSL version >=3 in some environments. These types of errors occur due to outdated or buggy SSL proxies. Such proxies mistakenly enforce legacy TLS renegotiation. A real example can be found in openssl/issues/21296 . These drivers should document how to workaround this issue by setting the OP_LEGACY_SERVER_CONNECT option. For example in Ruby: Mongo.tls_context_hooks.push( Proc.new { |context| context.options |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT } ) client = Mongo::Client.new( 'mongodb+srv://...' ) And Node: import { MongoClient } from 'mongodb' ; import { * as crypto } from 'crypto' ; const client = new MongoClient( "mongodb+srv: //..." , { secureContext: { secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT } }); Python, C, C++, and PHP should document how to workaround this issue via the UnsafeLegacyServerConnect option with the OPENSSL_CONF env var: $ cat openssl.cnf openssl_conf = openssl_init [openssl_init] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] Options = UnsafeLegacyServerConnect $ OPENSSL_CONF=openssl.cnf python ... Note that UnsafeLegacyServerConnect in OPENSSL_CONF requires OpenSSL >= 3.0.4 to get the fix for this bug: https://github.com/openssl/openssl/issues/18295 The documentation should explain that these workarounds should only be used as a last resort to address "unsafe legacy renegotiation disabled" errors.

      This ticket was split from DRIVERS-2823, please see that ticket for a detailed description.

            Assignee:
            Unassigned Unassigned
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: