Details
Type: New Feature
Resolution: Unresolved
Priority: Major - P3
Description
Version:
mongodb-driver-core-4.4.2
Context:
Everything works fine when we import the appropriate MongoDB certs into the truststore.
However, we want to use tlsInsecure=true for local development only to make setups easier for the developers.
Hence, I am defining a mongodb uri like
mongodb://[...]&tlsInsecure=true
Actual behavior:
The connection string query parameter 'tlsInsecure' is being ignored
com.mongodb.MongoSocketWriteException: Exception sending message
com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:689)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:560)
    at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:386)
    at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:335)
    at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:96)
    at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:44)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:131)
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.startHandshake(InternalStreamConnectionInitializer.java:73)
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:182)
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.lookupServerDescription(DefaultServerMonitor.java:188)
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:152)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1357)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1232)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1175)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:915)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1285)
    at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99)
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:557)
    ... 10 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1341)
    ... 24 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 29 common frames omitted
Expected Behavior:
The URI option 'tlsInsecure' should not be ignored. Instead, any MongoDB cert should be accepted.
Solution hints:
I believe there are two places to change:
1) The class com.mongodb.ConnectionString does not have a field "tlsInsecure". Such a field (along with accessors) should be added. In line 576 this new field should be assigned instead of sslInvalidHostnameAllowed.
I guess this is a copy/paste error from the case above.
2) The newly introduced tlsInsecure information from 1) has to be evaluated in com.mongodb.connection.SslSettings.Builder#applyConnectionString()
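Added example (not part of the original report and not the driver's own code): a per-application variant of the truststore approach the report says already works, which trusts only the local development CA without touching the JVM-wide truststore and keeps certificate validation on. It assumes the synchronous driver (com.mongodb.client.MongoClients) is on the classpath; the class name DevMongoClientFactory and the PEM path passed in are hypothetical.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Hypothetical helper class, written for this example.
public final class DevMongoClientFactory {

    /** Builds an SSLContext that trusts only the CA certificate(s) in the given PEM file. */
    static SSLContext contextTrusting(Path caPem) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // empty in-memory store; JVM default CAs are not included
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int count = 0;
        try (InputStream in = Files.newInputStream(caPem)) {
            for (Certificate cert : cf.generateCertificates(in)) {
                trustStore.setCertificateEntry("dev-ca-" + count++, cert);
            }
        }
        if (count == 0) {
            throw new IllegalArgumentException("No certificates found in " + caPem);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** uri: a mongodb:// URI without tlsInsecure; caPem: path to the development CA (assumed). */
    public static MongoClient create(String uri, Path caPem) throws Exception {
        SSLContext ctx = contextTrusting(caPem);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(uri))
                // Applied after the URI: TLS stays enabled and the chain is checked against ctx.
                .applyToSslSettings(ssl -> ssl.enabled(true).context(ctx))
                .build();
        return MongoClients.create(settings);
    }
}
```

Hostname verification remains enabled with this setup, so the development server certificate needs a subject alternative name matching the host in the URI.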