- Type: Improvement
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None

Take for example the following mongo invocation (with .pem files taken out of phongo's test suite, talking to the phongo vm created servers).

    mongo 192.168.112.10:2100 --ssl --sslPEMKeyFile=client.pem --sslCAFile ca.pem --sslPEMKeyPassword "Very secretive client.pem passphrase"

This produces:

    2015-09-15T14:44:47.727+0100 E NETWORK The server certificate does not match the host name 192.168.112.10
    2015-09-15T14:44:47.729+0100 E QUERY Error: socket exception [CONNECT_ERROR] for

Using the C driver directly:

    #include <stdio.h>
    #include <bson.h>
    #include <mongoc.h>

    int main (int argc, char *argv[])
    {
        mongoc_client_t *client;
        bson_t bson;
        bson_error_t error;
        /* Field order: pem_file, pem_pwd, ca_file, ca_dir, crl_file, weak_cert_validation */
        mongoc_ssl_opt_t ssl_opts = { "client.pem", "Very secretive client.pem passphrase", "ca.pem", ".", "crl.pem", false };

        mongoc_init();

        /* Create our MongoDB Client */
        client = mongoc_client_new("mongodb://192.168.112.10:2100/?ssl=true");
        mongoc_client_set_ssl_opts(client, &ssl_opts);

        /* do something with client ... */
        if (!mongoc_client_get_server_status(client, NULL, &bson, &error)) {
            printf("error: %s\n", error.message);
        }
        /* The reply document is initialized by the call and must be released */
        bson_destroy(&bson);

        mongoc_client_destroy(client);
        mongoc_cleanup();
        return 0;
    }

Currently, just like with any other connection failure, the driver just returns "error: No suitable servers found".
It does not tell me there was an error with SSL connection in general, and certainly not that it was because of a wrong name.
Please add more specific error messages for SSL connections, including, but not limited to:
- The server that you're trying to talk to does not have SSL turned on (but you connected to it with SSL).
- The server that you're trying to talk to does have SSL turned on (but you didn't set the option).
- The server certificate does not match the hostname "192.168.112.10".
- The server certificate didn't match with the client certificate.
- The certificate has been revoked.
- Etc.

(It would also be helpful if these same things showed up in the normal log that the server produces.)
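
A sketch of the identity check behind the "does not match the host name" error, returning a specific reason instead of a generic connection failure. It is an added illustration, not code from the C driver or the mongo shell; `check_server_identity`, the sample certificate names and the text comparison of IP addresses are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* IPv4 literal: digits and exactly three dots (IPv6 is left out of this sketch). */
static bool is_ipv4_literal(const char *host) {
    int dots = 0;
    for (const char *p = host; *p; p++) {
        if (*p == '.') dots++;
        else if (!isdigit((unsigned char)*p)) return false;
    }
    return dots == 3;
}

/* dNSName match: case-insensitive; "*." covers exactly one left-most label. */
static bool dns_name_matches(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *rest = strchr(host, '.');
        return rest && rest != host && strchr(rest + 1, '.') &&
               strcasecmp(pattern + 1, rest) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* Hypothetical helper. An IP host is compared (as text) with iPAddress names only. */
bool check_server_identity(const char *host, const char *const *dns, size_t n_dns,
                           const char *const *ips, size_t n_ips, char *err, size_t errlen) {
    bool is_ip = is_ipv4_literal(host);
    const char *const *names = is_ip ? ips : dns;
    size_t n = is_ip ? n_ips : n_dns;
    for (size_t i = 0; i < n; i++)
        if (is_ip ? strcmp(names[i], host) == 0 : dns_name_matches(names[i], host))
            return true;
    snprintf(err, errlen, "The server certificate does not match the host name %s"
             " (compared with %zu %s name(s))", host, n, is_ip ? "iPAddress" : "dNSName");
    return false;
}

/* Constructed sample names, standing in for a certificate's subjectAltName. */
static const char *const SAMPLE_DNS[] = { "server", "*.db.example.test" };
static const char *const SAMPLE_IPS[] = { "127.0.0.1" };
static char sample_err[160];
int main(void) {
    if (!check_server_identity("192.168.112.10", SAMPLE_DNS, 2, SAMPLE_IPS, 1,
                               sample_err, sizeof sample_err))
        printf("error: %s\n", sample_err);
    return 0;
}
```

With these constructed names, connecting by the address 192.168.112.10 fails because an IP host is never compared with the dNSName entries.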

- is depended on by
  - CDRIVER-696 Useful errors from server selection (Closed)
- is duplicated by
  - CDRIVER-936 Wrong error message when ismaster fails to connect over SSL (Closed)
- is related to
  - CDRIVER-543 differentiate between network error and authentication error (Closed)
- related to
  - CDRIVER-842 Allow for more finegrained SSL connection control regarding invalid hostnames and invalid certificate flags (Closed)
  - CDRIVER-1203 Include ismaster errors in server-selection error for pooled client (Closed)