Type: Bug
Resolution: Won't Fix
Priority: Major - P3
Affects Version/s: None
Component/s: None
Server Security
ALL
Security 2023-12-11, Security 2023-12-25
Linked Ticket: HELP-51899
Customer reports now being unable to connect to Mongo Server v6.0. Further troubleshooting showed:
Customer installed pymongo with OCSP extension and is still facing the error. Please observe the below details shared by the customer.
After installing OCSP, when I tried to run the project code, here's the error:
raise ServerSelectionTimeoutError(
pymongo.errors.ServerSelectionTimeoutError: SSL handshake failed: test-shard-00-02.vkupj.mongodb.net:27017: [('SSL routines', '', 'unsafe legacy renegotiation disabled')],SSL handshake failed: test-shard-00-01.vkupj.mongodb.net:27017: [('SSL routines', '', 'unsafe legacy renegotiation disabled')],SSL handshake failed: test-shard-00-00.vkupj.mongodb.net:27017: [('SSL routines', '', 'unsafe legacy renegotiation disabled')], Timeout: 30s, Topology Description: <TopologyDescription id: 655d9db56926ac5f551bf8d4, topology_type: ReplicaSetNoPrimary, servers: [<ServerDescription ('test-shard-00-00.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-00.vkupj.mongodb.net:27017: [('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>, <ServerDescription ('test-shard-00-01.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-01.vkupj.mongodb.net:27017: [('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>, <ServerDescription ('test-shard-00-02.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-02.vkupj.mongodb.net:27017: [('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>]>
Which should mean the server is attempting renegotiation. However, PyOpenSSL has exposed the `OP_NO_RENEGOTIATION` flag since 22.0.0 and the customer is on 23.2.0. We're thinking of supporting renegotiation through pymongo by adding the OP_LEGACY_SERVER_CONNECT flag.
This end result has led to two main questions:
- Is this the correct deduction of the issue the customer is facing? Is there enough evidence from the HELP ticket to support that this may be server-side?
- Regardless of the true issue the customer is facing, is there anything wrong with introducing a flag to support OP_LEGACY_SERVER_CONNECT for server connection? Would that expose the client to a potential MITM attack?
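As an added example (not pymongo's or pyOpenSSL's code), this is what the proposed opt-in looks like with the standard-library `ssl` module: the client always sets OP_NO_RENEGOTIATION, and OP_LEGACY_SERVER_CONNECT (which lets the initial handshake complete against a server that does not advertise RFC 5746 secure renegotiation) is cleared unless the caller explicitly asks for it. The numeric fallbacks for the two option bits are the values from OpenSSL's ssl.h, used only where the running Python does not export the names; `make_client_context` and `renegotiation_posture` are hypothetical names chosen for the example.

```python
"""Added example: an explicit opt-in for OP_LEGACY_SERVER_CONNECT, plus an
audit helper that reports the renegotiation posture of a client context."""
import ssl

# Python exports ssl.OP_NO_RENEGOTIATION from 3.7 and ssl.OP_LEGACY_SERVER_CONNECT
# from 3.12. The fallbacks are the bit values from OpenSSL's <openssl/ssl.h>.
OP_NO_RENEGOTIATION = int(getattr(ssl, "OP_NO_RENEGOTIATION", 0x40000000))
OP_LEGACY_SERVER_CONNECT = int(getattr(ssl, "OP_LEGACY_SERVER_CONNECT", 0x00000004))


def make_client_context(allow_legacy_server_connect: bool = False) -> ssl.SSLContext:
    """Build a verifying client context whose legacy-renegotiation stance is
    explicit rather than inherited from the linked OpenSSL's defaults
    (OpenSSL 3 no longer sets OP_LEGACY_SERVER_CONNECT by default; 1.1.1 did)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Never let the client initiate or accept a renegotiation on an open session.
    ctx.options = ctx.options | OP_NO_RENEGOTIATION
    if allow_legacy_server_connect:
        # Explicit opt-in only: accept an initial handshake from a server that
        # does not send the RFC 5746 renegotiation_info extension.
        ctx.options = ctx.options | OP_LEGACY_SERVER_CONNECT
    else:
        # Clear the bit so the posture is identical on every OpenSSL version.
        ctx.options = ctx.options & ~OP_LEGACY_SERVER_CONNECT
    return ctx


def renegotiation_posture(ctx: ssl.SSLContext) -> dict:
    """Report which renegotiation-related option bits a context carries, so a
    deployment can log or assert on them instead of discovering them from a
    handshake failure such as 'unsafe legacy renegotiation disabled'."""
    opts = int(ctx.options)
    return {
        "no_renegotiation": bool(opts & OP_NO_RENEGOTIATION),
        "legacy_server_connect": bool(opts & OP_LEGACY_SERVER_CONNECT),
        "verify_mode": ctx.verify_mode.name,
    }


if __name__ == "__main__":
    print("default :", renegotiation_posture(make_client_context()))
    print("opt-in  :", renegotiation_posture(make_client_context(True)))
```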
- related to: DRIVERS-2823 Ensure openssl legacy unsafe renegotiation can be configured via the MongoClient
- Implementing