  1. Node.js Driver
  2. NODE-6025

Ensure openssl legacy unsafe renegotiation can be configured via the MongoClient


      DRIVERS-2823:
      Summary of necessary driver changes
      The Ruby, Python, C, C++, PHP, and Node drivers all depend on OpenSSL by default and can encounter "unsafe legacy renegotiation disabled" errors when using OpenSSL version >= 3 in some environments. These errors are caused by outdated or buggy SSL proxies that mistakenly enforce legacy TLS renegotiation. A real example can be found in openssl/issues/21296.

      These drivers should document how to work around this issue by setting the OP_LEGACY_SERVER_CONNECT option. For example in Ruby:

      require 'mongo'
      require 'openssl'

      # Run on every TLS context the driver creates: OR the legacy flag into the context options
      Mongo.tls_context_hooks.push(
        Proc.new { |context| context.options |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT }
      )
      client = Mongo::Client.new('mongodb+srv://...')
      

      And Node:

      import { MongoClient } from 'mongodb';
      import * as tls from 'tls';
      import * as crypto from 'crypto';

      const client = new MongoClient("mongodb+srv://...", {
        // secureContext must be a SecureContext created by tls.createSecureContext();
        // the underlying tls.connect() rejects a plain object here
        secureContext: tls.createSecureContext({
          secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
        })
      });
      

      Python, C, C++, and PHP should document how to work around this issue via the UnsafeLegacyServerConnect option with the OPENSSL_CONF env var:

      $ cat openssl.cnf
      openssl_conf = openssl_init
      
      [openssl_init]
      ssl_conf = ssl_sect
      
      [ssl_sect]
      system_default = system_default_sect
      
      [system_default_sect]
      Options = UnsafeLegacyServerConnect
      
      $ OPENSSL_CONF=openssl.cnf python ...
      

      Note that UnsafeLegacyServerConnect in OPENSSL_CONF requires OpenSSL >= 3.0.4 to get the fix for this bug: https://github.com/openssl/openssl/issues/18295

      The documentation should explain that these workarounds should only be used as a last resort to address "unsafe legacy renegotiation disabled" errors.

    • Not Needed

      1. What would you like to communicate to the user about this feature?
      The Node driver depends on OpenSSL by default and can encounter "unsafe legacy renegotiation disabled" errors when using OpenSSL versions >= 3 in some environments. These types of errors occur due to outdated or buggy SSL proxies. These proxies erroneously enforce legacy TLS renegotiation. We are aware that this is the case and can work around this.

      2. Would you like the user to see examples of the syntax and/or executable code and its output?

      import { MongoClient } from 'mongodb';
      import * as tls from 'tls';
      import * as crypto from 'crypto';

      const client = new MongoClient("mongodb+srv://...", {
        // secureContext must be a SecureContext created by tls.createSecureContext();
        // the underlying tls.connect() rejects a plain object here
        secureContext: tls.createSecureContext({
          secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
        })
      });
      

      3. Which versions of the driver/connector does this apply to?

      This applies to driver versions from v3.7 through to the current major version, v6.


      This ticket was split from DRIVERS-2823, please see that ticket for a detailed description.

            Assignee:
            warren.james@mongodb.com Warren James
            Reporter:
            dbeng-pm-bot PM Bot