Details
- Bug
- Resolution: Duplicate
- Major - P3
- ALL
Description
These tests used the following server config:
$ cat config.txt
bind_ip=localhost
port=27017
ipv6=true
sslOnNormalPorts=true
sslWeakCertificateValidation=true
sslCAFile=/Users/shane/git/mongo-python-driver/test/certificates/ca.pem
sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/server.pem
dbpath=/var/folders/lm/b1r2f8p503xg40r6x2rqv7fr0000gp/T/mongo-oy2q7nj0
setParameter = enableTestCommands=1
And the self signed certificates from the Python driver: https://github.com/mongodb/mongo-python-driver/tree/3.6.1/test/certificates
When I start a 3.7.9 server with SSL and attempt to connect without --allowInvalidCertificates I get an error as expected:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
2018-05-02T13:01:36.858-0700 I NETWORK [main] Secure Transport Initialized
2018-05-02T13:01:36.858-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:01:36.927-0700 E NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected
2018-05-02T13:01:36.928-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
This error message is a little bit less clear than the OpenSSL error you get in 3.4:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:03:43.607-0700 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate in certificate chain
2018-05-02T13:03:43.610-0700 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed
With --sslAllowInvalidCertificates the connection succeeds:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
2018-05-02T13:16:06.009-0700 I NETWORK [main] Secure Transport Initialized
2018-05-02T13:16:06.009-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:16:06.086-0700 W NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
MongoDB server version: 3.7.9
Server has startup warnings:
...
However, starting a 3.4 server with SSL and attempting to connect with the 3.7.9 mongo shell results in an error:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
2018-05-02T13:03:50.995-0700 I NETWORK [main] Secure Transport Initialized
2018-05-02T13:03:50.995-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:03:51.037-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Secure.Transport: -9801 :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed
Starting a 3.7.9 server with SSL and attempting to connect with the 3.4 mongo shell also fails:
$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:11:59.988-0700 E QUERY [thread1] Error: socket exception [CLOSED] for 127.0.0.1:27017 :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed
Is this expected?
Issue Links
- duplicates
  - SERVER-33329 Server and Shell do not emit TLS "protocol_version" alert messages
  - Closed