Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-17022

No SSL Session Caching may not be respected

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.6.8, 3.0.0-rc9, 3.1.0
    • Affects Version/s: 2.4.12, 2.6.6
    • Component/s: Security
    • Labels:
      None
    • Fully Compatible
    • ALL
    • Hide

      Run MongoDB 2.4.6 on Linux with SSL, connecting from a Windows client running the 1.9.2 version of the C# driver.

      Execute a script such that many connections are opened in parallel. (See attached C# class file)

      This test will result in an error free run of the script.

      Shutdown 2.4.6 and start 2.4.7 with otherwise identical settings.

      Run the script again, this will result in errors such as:

      Server Errors
      Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
      Client Errors
      Authentication failed because the remote party has closed the transport stream.
      Show
      Run MongoDB 2.4.6 on Linux with SSL, connecting from a Windows client running the 1.9.2 version of the C# driver. Execute a script such that many connections are opened in parallel. (See attached C# class file) This test will result in an error free run of the script. Shutdown 2.4.6 and start 2.4.7 with otherwise identical settings. Run the script again, this will result in errors such as: Server Errors Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR] Client Errors Authentication failed because the remote party has closed the transport stream.
    • Security [00-02-20-15]

      Issue Status as of Feb 09, 2015

      ISSUE SUMMARY
      Applications may be unable to reuse a session to a MongoDB instance when using a driver which uses TLS session tickets.

      Currently, the C# driver is the only driver known to produce this issue.

      Connection attempts meeting the following criteria may encounter this issue:

      • The connection is secured with SSL
      • The connection is closed and reopened using a TLS session ticket
      • The server must have been started with --sslCAFile

      USER IMPACT
      Attempting to reopen connections secured with SSL using an affected driver may result in the server closing the socket and emitting an error to its logs resembling the following message:

      ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized

      WORKAROUNDS
      Disable the use of TLS session tickets in your driver. For the C# driver on Windows, set the ClientCacheTime registry key to 0. Note that this is a global setting which will affect all programs running on the machine. There are no known workarounds for other software environments.

      AFFECTED VERSIONS
      MongoDB production releases between 2.4.7 and 2.6.7, inclusive, are affected.

      FIX VERSION
      The fix is included in the 2.6.8 production release.

      RESOLUTION DETAILS
      OpenSSL requires an SSL session id context in order to perform peer validation when re-establishing a session,
      whether from the session cache, or from a TLS session ticket. Because MongoDB disabled the session cache in
      2.4.7 and unset the session id context, clients attempting to restore a session from a ticket would cause OpenSSL
      to fail. To fix this, the SSL session cache has been re-enabled, and the session id context is saved.

      Original description

      Something in Windows SChannel doesn't respect the no SSL Session Caching change made in SERVER-10261. This breaks any MongoDB driver on Windows that uses SChannel.

      The currently available workaround is to set the ClientCacheTime registry key to 0 to disable caching, however this is a system wide change which could have unforeseen consequences in a server environment.

        1. SERVER-17022.cs
          2 kB

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            peter.garafano@mongodb.com Peter Garafano (Inactive)
            Votes:
            8 Vote for this issue
            Watchers:
            14 Start watching this issue

              Created:
              Updated:
              Resolved: