SERVER-39941 (Core Server)

Report TLS handshake errors to client



    • Type: Improvement
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 4.1.8
    • Fix Version/s: Backlog
    • Component/s: Networking
    • Labels:
    • Sprint: Security 2019-04-08


      Currently when the server rejects a client connection during TLS handshake it reports no errors to the client, making it impossible to diagnose connection failures from the client side (they can only be diagnosed via reading server logs).

      For example, given the certificates in https://github.com/p-mongo/tests/tree/master/certs, we can use the openssl s_server and s_client commands to require certificate verification on the server side and then connect without supplying a certificate:

      speed% openssl s_server -port 4433 -Verify 1
      speed% openssl s_client -connect :4433

      Server side outputs in its terminal:

      140307916162112:error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:3664:
      shutting down SSL

      Client side outputs in its terminal:

      140147908084800:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1528:SSL alert number 116

      The alert mechanism referenced here is OpenSSL's way of communicating errors between client and server during the connection handshake.

      Now if I connect to a mongod with s_client the same way:

      speed% openssl s_client -connect :27017

      mongod closes the connection without supplying any reason why the connection was closed. The reason is only logged in the mongod log:

      2019-03-04T13:07:11.146-0500 E NETWORK  [conn129] no SSL certificate provided by peer; connection rejected
      2019-03-04T13:07:11.146-0500 I NETWORK  [conn129] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from (connection id: 129)

      This reason should be communicated to the client using the openssl alert mechanism prior to closing the connection.

      mongod was launched with:

      speed% mlaunch init --single --dir /tmp/mdb-ssl --sslMode requireSSL --bin /usr/local/m/versions/4.1/ \
        --sslPEMKeyFile `pwd`/server.pem \
        --sslCAFile `pwd`/ca.pem \
        --sslClientCertificate `pwd`/client.pem
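      The behaviour this ticket asks for, shown as an added example that is not part of the ticket or of mongod: TLS alerts are part of the TLS protocol itself (RFC 5246 and RFC 8446), so any TLS stack can send them. The program below uses Go's crypto/tls in place of OpenSSL. It runs a server that requires and verifies a client certificate against a client that presents none, over an in-memory net.Pipe so it works offline, and returns what each side observed. The self-signed certificate, the name "example-server", the 5-second deadline and the function names are constructed for this example. The server's local error (the counterpart of the "no SSL certificate provided by peer" log line above) is mirrored to the client as a fatal certificate_required alert, alert number 116 as in the s_client output above, so the client can diagnose the rejection without access to server logs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// HandshakeResult records what each side learned when a client that presents no
// certificate connects to a server that requires one.
type HandshakeResult struct {
	ClientErr error // what the client sees: the server's TLS alert (or nil if none was sent)
	ServerErr error // what the server logs locally
}

// newSelfSignedCert builds a throwaway ECDSA certificate (constructed here for the
// example) plus a pool that trusts it, so the client can verify the server normally.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-server"},
		DNSNames:              []string{"example-server"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// HandshakeWithoutClientCert runs a TLS 1.3 server that requires and verifies a
// client certificate against a client that presents none, over an in-memory pipe,
// and reports the error each side observed.
func HandshakeWithoutClientCert() (HandshakeResult, error) {
	cert, pool, err := newSelfSignedCert()
	if err != nil {
		return HandshakeResult{}, err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // same policy as `openssl s_server -Verify 1`
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	}
	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "example-server",
		MinVersion: tls.VersionTLS13,
		// No Certificates: the client has nothing to present, like the s_client run above.
	}

	serverSide, clientSide := net.Pipe()
	deadline := time.Now().Add(5 * time.Second) // guard against any unexpected blocking
	serverSide.SetDeadline(deadline)
	clientSide.SetDeadline(deadline)

	serverDone := make(chan error, 1)
	go func() {
		srv := tls.Server(serverSide, serverCfg)
		err := srv.Handshake() // fails on the empty Certificate message and sends a fatal alert first
		srv.Close()
		serverDone <- err
	}()

	cli := tls.Client(clientSide, clientCfg)
	clientErr := cli.Handshake()
	if clientErr == nil {
		// In TLS 1.3 the client's handshake completes once it has sent Finished; the
		// server's verdict on the missing certificate arrives as an alert on the next
		// read, which is where s_client reported "SSL alert number 116".
		_, clientErr = cli.Read(make([]byte, 1))
	}
	serverErr := <-serverDone
	cli.Close()
	return HandshakeResult{ClientErr: clientErr, ServerErr: serverErr}, nil
}

func main() {
	res, err := HandshakeWithoutClientCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("client saw:", res.ClientErr) // remote error: tls: certificate required
	fmt.Println("server saw:", res.ServerErr) // tls: client didn't provide a certificate
}
```

      Run it with `go run`. Pinning TLS 1.2 instead (MinVersion and MaxVersion set to tls.VersionTLS12) gives the same outcome with the pre-1.3 alert code, bad_certificate (42), and in that version the client sees it inside Handshake itself rather than on the first read. Either way the point of the ticket holds: the alert costs the server nothing beyond one record before it closes the socket, and it turns a silent disconnect into a client-side diagnosable error.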


    • Votes: 1
    • Watchers: 8