Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: 2.4.5
Component/s: Networking
Environment: Package versions:
]$ rpm -qa | grep 'mongo\|openssl\|sasl' | sort
cyrus-sasl-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-devel-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-gssapi-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-lib-2.1.23-13.el6_3.1.x86_64
cyrus-sasl-plain-2.1.23-13.el6_3.1.x86_64
mongo-10gen-enterprise-2.4.5-mongodb_1.x86_64
mongo-10gen-enterprise-server-2.4.5-mongodb_1.x86_64
openssl-1.0.0-27.el6.x86_64
Fully Compatible
ALL
ISSUE SUMMARY
SSL connection caching causing intermittent exceptions for Java clients.
USER IMPACT
Java clients that open a high number of consecutive SSL connections to the server sometimes have connections shut down because the server's SSL session state was not reset properly between connections.
The bug is present in all MongoDB versions up to and including v2.4.6.
SOLUTION
Disable SSL session caching on the server. This also improves the security of the connection, since no session keys are reused across connections.
WORKAROUNDS
Add a small (millisecond-scale) delay between tearing down a connection and opening a new one, so that the old session cannot affect the new one.
PATCHES
Production release v2.4.7 contains the fix for this issue, and production release v2.6.0 will contain the fix as well.
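The SOLUTION above turns off server-side session resumption so that every client connection performs a full handshake. The following is an added example, not code from this ticket or from MongoDB: it uses Go's crypto/tls (mongod itself uses OpenSSL, where the equivalent switch is SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)) to run a loopback server with resumption toggled by SessionTicketsDisabled, drives it from a session-caching client the way the reporter's looping Java program does, and counts how many handshakes were resumed. The function names testCert and ResumedHandshakes and the throwaway self-signed certificate are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// testCert returns a throwaway self-signed 127.0.0.1 certificate and a pool that trusts
// it (constructed test material, not a production credential).
func testCert() (tls.Certificate, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, _ := x509.ParseCertificate(der) // cannot fail: der was produced just above
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// ResumedHandshakes opens n back-to-back TLS connections from a session-caching client and
// returns how many of them the server resumed. SessionTicketsDisabled is Go's switch for
// server-side resumption; with it set every handshake is a full one and the count is 0.
func ResumedHandshakes(n int, disableResumption bool) (resumed int, err error) {
	cert, pool, err := testCert()
	if err != nil { return 0, err }
	srv := &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: disableResumption}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil { return 0, err }
	defer ln.Close()
	go func() { // server side, one connection at a time: handshake, send one byte, close
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() { c.Write([]byte("x")); c.Close() }
	}()
	cli := &tls.Config{RootCAs: pool, ClientSessionCache: tls.NewLRUClientSessionCache(8)}
	for i := 0; i < n; i++ {
		c, err := tls.Dial("tcp", ln.Addr().String(), cli)
		if err != nil { return resumed, err }
		c.Read(make([]byte, 1)) // also consumes any NewSessionTicket sent after the handshake
		if c.ConnectionState().DidResume { resumed++ }
		c.Close()
	}
	return resumed, nil
}
```

Running ResumedHandshakes(5, false) shows the caching client resuming every connection after the first, which is the reuse the fix removes; with disableResumption set the count stays at 0.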
Original Description
It's possible to generate SSL handshake errors with a trivial Java program: https://gist.github.com/anonymous/a2c4a8ac8f9e38e22edf. This program loops indefinitely, opening a new SSL socket on each iteration and sending a single write (which initiates the handshake).
It eventually generates this exception: http://cl.ly/image/0A2a0j0L0S1i. Note that the alert descriptions are not consistent, suggesting some sort of corruption.
The number of iterations before an error is not consistent, and it doesn't occur if SSL debugging is enabled in the client.
depends on:
- SERVER-9041 proactively detect broken connections detected by the network (Closed)
is related to:
- SERVER-11612 Java driver problems with SSL session caching (Closed)
related to:
- SERVER-9307 Server can abort SSL handshake for clients that have SSL session caching enabled (Closed)
- SERVER-17022 No SSL Session Caching may not be respected (Closed)