Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-83695

Customer facing SSL certificate errors PyMongo v6.0: "Unsafe Legacy Renegotiation"

    • Type: Icon: Bug Bug
    • Resolution: Won't Fix
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: None
    • None
    • Server Security
    • ALL
    • Security 2023-12-11, Security 2023-12-25

      Linked Ticket: HELP-51899

      Customer reports now being unable to connect to Mongo Server v6.0. Further troubleshooting showed: 

      Customer installed pymongo with OCSP extension and is still facing the error. Please observe the below details shared by the customer.

      after installing ocsp, when I tried to run the project code, here's the error,

      raise ServerSelectionTimeoutError(
      pymongo.errors.ServerSelectionTimeoutError: SSL handshake failed: test-shard-00-02.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')],SSL handshake failed: test-shard-00-01.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')],SSL handshake failed: test-shard-00-00.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')], Timeout: 30s, Topology Description: <TopologyDescription id: 655d9db56926ac5f551bf8d4, topology_type: ReplicaSetNoPrimary, servers: [<ServerDescription ('test-shard-00-00.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-00.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>, <ServerDescription ('test-shard-00-01.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-01.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>, <ServerDescription ('test-shard-00-02.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-02.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>]>

       

      Which should mean the server is attempting renegotiation. However, PyOpenSSL exposed the `OP_NO_RENEGOTATION` flag since 22.0.0 and the customer is on 23.2.0. We're thinking of supporting renegotation through pymongo by adding the OP_LEGACY_SERVER_CONNECT flag. 

       

      This end result has led to two main questions: 

      1. Is this the correct deduction of the issue the customer is facing? Is there enough evidence from the HELP ticket to support that this may be server-side?
      2. Irregardless of the true issue the customer is facing, Is there anything wrong with introducing a flag to support OP_LEGACY_SERVER_CONNECT for server connection? Would that expose the client to a potential MITM attack?

       

            Assignee:
            gabriel.marks@mongodb.com Gabriel Marks
            Reporter:
            jib.adegunloye@mongodb.com Jib Adegunloye
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: