Uploaded image for project: 'C Driver'
  1. C Driver
  2. CDRIVER-841

Improve SSL connection error messages

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 1.4.0
    • Affects Version/s: None
    • Component/s: libmongoc, tls

      Take for example the following mongo invocation (with .pem files taken out of phongo's test suite, talking to the phongo vm created servers).

      mongo 192.168.112.10:2100 -ssl -sslPEMKeyFile=client.pem -sslCAFile ca.pem  --sslPEMKeyPassword "Very secretive client.pem passphrase"

      This produces:

      2015-09-15T14:44:47.727+0100 E NETWORK  The server certificate does not match the host name 192.168.112.10
2015-09-15T14:44:47.729+0100 E QUERY    Error: socket exception [CONNECT_ERROR] for

      Using the C driver directly:

      #include <bson.h>
#include <mongoc.h>

int main (int   argc, char *argv[])
{
    mongoc_client_t *client;
    bson_t bson;
    bson_error_t error;
    mongoc_ssl_opt_t ssl_opts = { "client.pem", "Very secretive client.pem passphrase", "ca.pem", ".", "crl.pem", false };

    mongoc_init();

    /* Create our MongoDB Client */
    client = mongoc_client_new("mongodb://192.168.112.10:2100/?ssl=true");
    mongoc_client_set_ssl_opts(client, &ssl_opts);
   
    /* do something with client ... */
    if (!mongoc_client_get_server_status(client, NULL, &bson, &error)) {
        printf("error: %s\n", error.message);
    }
   
    mongoc_client_destroy(client);
    mongoc_cleanup();

    return 0;
}

      Currently, just like with any other connection failure, the driver just returns "error: No suitable servers found".

      It does not tell me there was an error with SSL connection in general, and certainly not that it was because of a wrong name.

      Please add more specific error messages for SSL connections, including, but not limited to:

      • The server that you're trying to talk to, does not have SSL turned on (but you connected to it with SSL).
      • The server that you're trying to talk to, does have SSL turned on (but you didn't set the option)
      • The server certificate does not match the hostname "192.168.112.10"
      • The server certificate didn't match with the client certificate
      • The certificate has been revoked.
      • Etc.

      (it would also be helpful, if these same things showed up in the normal log that the server produces)

            Assignee:
            bjori Hannes Magnusson
            Reporter:
            derick Derick Rethans
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: