Details
- Improvement
- Resolution: Done
- Major - P3
- None
Description
Take for example the following mongo invocation (with .pem files taken out of phongo's test suite, talking to the phongo vm created servers).
    mongo 192.168.112.10:2100 --ssl --sslPEMKeyFile=client.pem --sslCAFile ca.pem --sslPEMKeyPassword "Very secretive client.pem passphrase"

This produces:

    2015-09-15T14:44:47.727+0100 E NETWORK The server certificate does not match the host name 192.168.112.10
    2015-09-15T14:44:47.729+0100 E QUERY Error: socket exception [CONNECT_ERROR] for
Using the C driver directly:
    #include <stdio.h>

    #include <bson.h>
    #include <mongoc.h>

    int main (int argc, char *argv[])
    {
        mongoc_client_t *client;
        bson_t bson;
        bson_error_t error;
        /* Fields: pem_file, pem_pwd, ca_file, ca_dir, crl_file, weak_cert_validation */
        mongoc_ssl_opt_t ssl_opts = { "client.pem", "Very secretive client.pem passphrase", "ca.pem", ".", "crl.pem", false };

        mongoc_init();

        /* Create our MongoDB Client */
        client = mongoc_client_new("mongodb://192.168.112.10:2100/?ssl=true");
        mongoc_client_set_ssl_opts(client, &ssl_opts);

        /* do something with client ... */
        if (!mongoc_client_get_server_status(client, NULL, &bson, &error)) {
            printf("error: %s\n", error.message);
        }
        /* Free the reply document */
        bson_destroy(&bson);

        mongoc_client_destroy(client);
        mongoc_cleanup();

        return 0;
    }

Currently, just like with any other connection failure, the driver just returns "error: No suitable servers found".
It does not tell me there was an error with SSL connection in general, and certainly not that it was because of a wrong name.
Please add more specific error messages for SSL connections, including, but not limited to:
- The server that you're trying to talk to does not have SSL turned on (but you connected to it with SSL).
- The server that you're trying to talk to does have SSL turned on (but you didn't set the option).
- The server certificate does not match the hostname "192.168.112.10"
- The server certificate didn't match with the client certificate
- The certificate has been revoked.
- Etc.
(it would also be helpful, if these same things showed up in the normal log that the server produces)
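The hostname-mismatch case from the list above, as an added example that is not part of the original report or of the C driver's code: a client-side name check that returns a specific reason instead of a generic connection failure. `cert_names_t`, `check_cert_host` and the certificate names are hypothetical and constructed; a real driver would take the names from the TLS library's parsed certificate.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed stand-in for the subjectAltName entries of a server certificate. */
typedef struct {
    const char *dns_names[4];   /* dNSName entries, NULL-terminated */
    const char *ip_addrs[4];    /* iPAddress entries as text, NULL-terminated */
} cert_names_t;

/* Simple dotted-quad test; IPv6 literals are left out to keep the example short. */
static bool is_ipv4_literal(const char *host) {
    unsigned a, b, c, d;
    char tail;
    return sscanf(host, "%3u.%3u.%3u.%3u%c", &a, &b, &c, &d, &tail) == 4
        && a < 256 && b < 256 && c < 256 && d < 256;
}

/* RFC 6125 style match: a leading "*." covers exactly one leftmost label. */
static bool dns_match(const char *pattern, const char *host) {
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(host, '.');
        return dot != NULL && dot != host && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, host) == 0;
}

/* An IP literal is only compared with iPAddress entries, never with DNS names.
 * Returns true on a match; otherwise writes a specific reason into err. */
bool check_cert_host(const cert_names_t *cert, const char *host, char *err, size_t errlen) {
    bool ip = is_ipv4_literal(host);
    const char *const *list = ip ? cert->ip_addrs : cert->dns_names;
    for (size_t i = 0; i < 4 && list[i] != NULL; i++) {
        if (ip ? strcmp(list[i], host) == 0 : dns_match(list[i], host))
            return true;
    }
    snprintf(err, errlen, "The server certificate does not match the host name %s%s",
             host, ip ? " (no iPAddress subjectAltName entry for it)" : "");
    return false;
}

int main(void) {
    cert_names_t cert = { { "db1.example.test", NULL }, { NULL } }; /* constructed */
    char err[160];
    if (!check_cert_host(&cert, "192.168.112.10", err, sizeof err))
        printf("error: %s\n", err);
    return 0;
}
```

A certificate issued only for a DNS name fails this check whenever the client connects by IP address, which is the situation in the report.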
Issue Links
- is depended on by
  - CDRIVER-696 Useful errors from server selection (Closed)
- is duplicated by
  - CDRIVER-936 Wrong error message when ismaster fails to connect over SSL (Closed)
- is related to
  - CDRIVER-543 differentiate between network error and authentication error (Closed)
- related to
  - CDRIVER-842 Allow for more finegrained SSL connection control regarding invalid hostnames and invalid certificate flags (Closed)
  - CDRIVER-1203 Include ismaster errors in server-selection error for pooled client (Closed)