Uploaded image for project: 'Python Driver'
  1. Python Driver
  2. PYTHON-4279

Ensure openssl legacy unsafe renegotiation can be configured via the MongoClient

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Unresolved
    • Priority: Icon: Major - P3 Major - P3
    • 4.8
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Hide

      DRIVERS-2823:
      Summary of necessary driver changes
      Ruby, Python, C, C++, and PHP, and Node all depend on OpenSSL by default and can encounter "unsafe legacy renegotiation disabled" errors when using OpenSSL version >=3 in some environments. These types of errors occur due to outdated or buggy SSL proxies. Such proxies mistakenly enforce legacy TLS renegotiation. A real example can be found in openssl/issues/21296.

      These drivers should document how to workaround this issue by setting the OP_LEGACY_SERVER_CONNECT option. For example in Ruby:

      Mongo.tls_context_hooks.push(
  Proc.new { |context| context.options |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT }
)
client = Mongo::Client.new('mongodb+srv://...')

      And Node:

      import { MongoClient } from 'mongodb';
import { * as crypto } from 'crypto';

const client = new MongoClient("mongodb+srv://...", {
  secureContext: {
    secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
  }
});

      Python, C, C++, and PHP should document how to workaround this issue via the UnsafeLegacyServerConnect option with the OPENSSL_CONF env var:

      $ cat openssl.cnf
openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect

$ OPENSSL_CONF=openssl.cnf python ...

      Note that UnsafeLegacyServerConnect in OPENSSL_CONF requires OpenSSL >= 3.0.4 to get the fix for this bug: https://github.com/openssl/openssl/issues/18295

      The documentation should explain that these workarounds should only be used as a last resort to address "unsafe legacy renegotiation disabled" errors.

      Show
      DRIVERS-2823 : Summary of necessary driver changes Ruby, Python, C, C++, and PHP, and Node all depend on OpenSSL by default and can encounter "unsafe legacy renegotiation disabled" errors when using OpenSSL version >=3 in some environments. These types of errors occur due to outdated or buggy SSL proxies. Such proxies mistakenly enforce legacy TLS renegotiation. A real example can be found in openssl/issues/21296 . These drivers should document how to workaround this issue by setting the OP_LEGACY_SERVER_CONNECT option. For example in Ruby: Mongo.tls_context_hooks.push( Proc.new { |context| context.options |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT } ) client = Mongo::Client.new( 'mongodb+srv://...' ) And Node: import { MongoClient } from 'mongodb' ; import { * as crypto } from 'crypto' ; const client = new MongoClient( "mongodb+srv: //..." , { secureContext: { secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT } }); Python, C, C++, and PHP should document how to workaround this issue via the UnsafeLegacyServerConnect option with the OPENSSL_CONF env var: $ cat openssl.cnf openssl_conf = openssl_init [openssl_init] ssl_conf = ssl_sect [ssl_sect] system_default = system_default_sect [system_default_sect] Options = UnsafeLegacyServerConnect $ OPENSSL_CONF=openssl.cnf python ... Note that UnsafeLegacyServerConnect in OPENSSL_CONF requires OpenSSL >= 3.0.4 to get the fix for this bug: https://github.com/openssl/openssl/issues/18295 The documentation should explain that these workarounds should only be used as a last resort to address "unsafe legacy renegotiation disabled" errors.
    • Hide

      1. What would you like to communicate to the user about this feature?
      2. Would you like the user to see examples of the syntax and/or executable code and its output?
      3. Which versions of the driver/connector does this apply to?

      Show
      1. What would you like to communicate to the user about this feature? 2. Would you like the user to see examples of the syntax and/or executable code and its output? 3. Which versions of the driver/connector does this apply to?

      This ticket was split from DRIVERS-2823, please see that ticket for a detailed description.

            Assignee:
            Unassigned Unassigned
            Reporter:
            dbeng-pm-bot PM Bot
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated: