Core Server / SERVER-17022

No SSL Session Caching may not be respected

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: 2.4.12, 2.6.6
    • Fix Version/s: 2.6.8, 3.0.0-rc9, 3.1.0
    • Component/s: Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Completed:
    • Steps To Reproduce:
      Run MongoDB 2.4.6 on Linux with SSL, connecting from a Windows client running the 1.9.2 version of the C# driver.

      Execute a script such that many connections are opened in parallel (see attached C# class file).

      This test will result in an error-free run of the script.

      Shut down 2.4.6 and start 2.4.7 with otherwise identical settings.

      Run the script again; this will result in errors such as:

      Server Errors

      Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
      Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]

      Client Errors

      Authentication failed because the remote party has closed the transport stream.

    • Sprint:
      Security [00-02-20-15]

      Description

      Issue Status as of Feb 09, 2015

      ISSUE SUMMARY
      Applications may be unable to reuse a session to a MongoDB instance when using a driver which uses TLS session tickets.

      Currently, the C# driver is the only driver known to produce this issue.

      Connection attempts meeting the following criteria may encounter this issue:

      • The connection is secured with SSL
      • The connection is closed and reopened using a TLS session ticket
      • The server must have been started with --sslCAFile

      USER IMPACT
      Attempting to reopen connections secured with SSL using an affected driver may result in the server closing the socket and emitting an error to its logs resembling the following message:

      ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
      

      WORKAROUNDS
      Disable the use of TLS session tickets in your driver. For the C# driver on Windows, set the ClientCacheTime registry key to 0. Note that this is a global setting which will affect all programs running on the machine. There are no known workarounds for other software environments.

      AFFECTED VERSIONS
      MongoDB production releases between 2.4.7 and 2.6.7, inclusive, are affected.

      FIX VERSION
      The fix is included in the 2.6.8 production release.

      RESOLUTION DETAILS
      OpenSSL requires an SSL session id context in order to perform peer validation when re-establishing a session, whether from the session cache or from a TLS session ticket. Because MongoDB disabled the session cache in 2.4.7 and unset the session id context, clients attempting to restore a session from a ticket would cause OpenSSL to fail. To fix this, the SSL session cache has been re-enabled, and the session id context is saved.
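      As an added example (not code from the ticket or from the MongoDB project), the script below flags the symptom described above in mongod 2.4-style log lines: it decodes the packed OpenSSL error code from the quoted ERROR line into its library/function/reason fields and pairs each hit with the SocketException that follows on the same connection. The two [conn13] lines are the ones quoted in this ticket; the other sample lines and the 10.0.0.5 addresses are constructed.

```python
import re
from collections import OrderedDict

# mongod 2.4-style line: ctime timestamp, [context], free-text message
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"\[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
# OpenSSL error string: error:<8 hex digits>:<library>:<function>:<reason>
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>.*)"
)
RESUMPTION_REASON = "session id context uninitialized"
SOCKET_CLOSE = "closing client connection"

# The two [conn13] lines are quoted from the ticket; the others are constructed filler.
SAMPLE_LOG = """\
Thu Jan 22 00:18:29.901 [initandlisten] connection accepted from 10.0.0.5:51234 #13 (1 connection now open)
Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
Thu Jan 22 00:18:30.080 [conn14] end connection 10.0.0.5:51235 (0 connections now open)
"""

def decode_openssl_code(code_hex):
    """Unpack an OpenSSL 1.0.x error code (lib<<24 | func<<12 | reason).
    140D9115 -> (20, 217, 277); library 20 is ERR_LIB_SSL."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def find_resumption_failures(log_text):
    """One record per connection that hit the uninitialized session id context
    error, noting whether mongod then closed that client's socket."""
    hits = OrderedDict()  # connection context -> record, in order first seen
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m or not m["ctx"].startswith("conn"):
            continue
        ossl = OSSL_RE.search(m["msg"])
        if ossl and ossl["reason"].strip() == RESUMPTION_REASON:
            hits[m["ctx"]] = {"conn": m["ctx"], "ts": m["ts"], "func": ossl["func"],
                              "code": decode_openssl_code(ossl["code"]), "closed": False}
        elif m["ctx"] in hits and SOCKET_CLOSE in m["msg"]:
            hits[m["ctx"]]["closed"] = True
    return list(hits.values())

if __name__ == "__main__":
    for hit in find_resumption_failures(SAMPLE_LOG):
        print("%(ts)s %(conn)s %(func)s lib/func/reason=%(code)s closed=%(closed)s" % hit)
```

      A burst of such records from a server in the affected version range that was started with --sslCAFile matches the failure mode this ticket describes, and distinguishes it from ordinary client certificate validation failures.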

      Original description

      Something in Windows SChannel doesn't respect the no SSL Session Caching change made in SERVER-10261. This breaks any MongoDB driver on Windows that uses SChannel.

      The currently available workaround is to set the ClientCacheTime registry key to 0 to disable caching; however, this is a system-wide change which could have unforeseen consequences in a server environment.
