[CDRIVER-2675] TLS connection to mongo does not work Created: 31/May/18  Updated: 28/Oct/23  Resolved: 01/Jun/18

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.3.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Arun Muralidharan Assignee: A. Jesse Jiryu Davis
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Ubuntu 16.04



 Description   

[amuralid@amuralid-master-vm:/localdisk...re_rwvx-build/rwlog]$ uname -a
Linux amuralid-master-vm 4.4.0-59-generic #80-Ubuntu SMP Fri Jan 6 17:47:47 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I am trying to configure a self-signed certificate for the mongo server by following the official MongoDB docs.
Having configured the private key, cert and mongodb conf, I am able to bring up the server and connect to it using the mongo shell client and also using pymongo (PYTHON-1568).

client = MongoClient('mongodb://127.0.0.1:8006/?connectTimeoutMS=1000&ssl=true', ssl_ca_certs="/localdisk/amuralid/container/ub/US-gr-611/rift/.build/ub16_debug/install/usr/rift/certstore/domain.crt", ssl_keyfile="/localdisk/amuralid/container/ub/US-gr-611/rift/.build/ub16_debug/install/usr/rift/var/rift/lp1-mgmt-vm-lp-2/mongo_certs/server/mongo.pem")
>>>
>>>
>>> client.admin.command('ping')
{'ok': 1.0}

Now I tried mapping this setup to mongoc_ssl_opt_t, but it doesn't work, as select server results in Timeout with much error context.

Cannot ping database, No suitable servers found (`serverselectiontryonce` set)

I am trying to map the Python arguments I used to the C structure. Can someone tell me what "ssl_ca_certs" and "ssl_keyfile" map to in the C structure?

certificate = "/localdisk/amuralid/container/ub/US-gr-611/rift/.build/ub16_debug/install/usr/rift/certstore/domain.crt";
// Set the SSL/TLS options
ssl_opts_ = {0};
ssl_opts_.pem_file = pem_path_.c_str();  // private key + certificate, concatenated
ssl_opts_.ca_file = certificate;         // certificate used to verify the server
//ssl_opts_.weak_cert_validation = true;

// Apply the SSL options to the client
mongoc_client_set_ssl_opts(client_, &ssl_opts_);

In my code above, "ssl_opts_.ca_file" points to the certificate and "ssl_opts_.pem_file" points to the concat of private key and certificate.

Thanks in advance
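
A pre-connection check for the file roles described in the report above (pem_file holding the private key plus certificate, ca_file holding the certificate), as an added example that is not part of the original issue or of libmongoc. The names pem_kinds and check_tls_files and the sample PEM text are constructed for illustration, and the caller is assumed to have read both files into memory.

```c
#include <stdio.h>
#include <string.h>
enum { PEM_CERT = 1, PEM_KEY = 2, PEM_BROKEN = 4 };   /* kinds of block found */

/* Scan PEM text; a block counts only if its BEGIN line has a matching END. */
static int pem_kinds(const char *text)
{
    int kinds = 0;
    const char *p = text;
    while ((p = strstr(p, "-----BEGIN ")) != NULL) {
        const char *label = p + 11;               /* skip "-----BEGIN " */
        const char *dash = strstr(label, "-----");
        int n = dash ? (int)(dash - label) : 0;
        char end[96];
        if (n <= 0 || n > 64) return kinds | PEM_BROKEN;
        snprintf(end, sizeof end, "-----END %.*s-----", n, label);
        const char *close = strstr(dash, end);
        if (!close) return kinds | PEM_BROKEN;
        if (n == 11 && strncmp(label, "CERTIFICATE", 11) == 0)
            kinds |= PEM_CERT;
        else if (n >= 11 && strncmp(label + n - 11, "PRIVATE KEY", 11) == 0)
            kinds |= PEM_KEY;                     /* plain, RSA, EC, ENCRYPTED */
        p = close + strlen(end);
    }
    return kinds;
}

/* NULL if pem_text is key + certificate and ca_text is certificate(s) only. */
static const char *check_tls_files(const char *pem_text, const char *ca_text)
{
    int pem = pem_kinds(pem_text), ca = pem_kinds(ca_text);
    if ((pem | ca) & PEM_BROKEN) return "truncated or malformed PEM block";
    if (!(pem & PEM_KEY))  return "pem_file has no private key";
    if (!(pem & PEM_CERT)) return "pem_file has no certificate";
    if (!(ca & PEM_CERT))  return "ca_file has no certificate";
    if (ca & PEM_KEY)      return "ca_file contains a private key";
    return NULL;
}

/* Constructed samples; the base64 bodies are placeholders, not real material. */
#define SAMPLE_CERT "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
#define SAMPLE_KEY "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

int main(void)
{
    const char *bad = check_tls_files(SAMPLE_CERT, SAMPLE_CERT);
    const char *good = check_tls_files(SAMPLE_KEY SAMPLE_CERT, SAMPLE_CERT);
    printf("cert-only pem_file: %s\nkey+cert pem_file: %s\n", bad ? bad : "ok", good ? good : "ok");
    return 0;
}
```

The check only inspects PEM block labels; it does not verify that the key matches the certificate or that the certificate chains to the CA.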



 Comments   
Comment by A. Jesse Jiryu Davis [ 01/Jun/18 ]

I’m closing this as “fixed” since development of the driver since 1.3.1 has fixed the issue reported here.

Comment by Arun Muralidharan [ 01/Jun/18 ]

Ok. Thanks Jesse.

Comment by A. Jesse Jiryu Davis [ 01/Jun/18 ]

Hi Arun. I looked through our bug tracker and I don't see an issue in 1.3.1 that would explain the bug you observe. I'm sorry to say that we won't investigate an issue with 1.3.1 now. I understand that it's the version packaged with Ubuntu 16.04, but we only support the latest version of the C Driver. There have been many bug fixes and improvements; I recommend you upgrade.

Comment by Arun Muralidharan [ 01/Jun/18 ]

Thanks Jesse. Yes, it works after the upgrade. Is there any known issue with the 1.3.1 version? I would prefer not to upgrade if there is something that can be done on that version.

Comment by A. Jesse Jiryu Davis [ 31/May/18 ]

Thanks for the information! Could you upgrade to 1.10.1 and tell me if the problem persists?

Comment by Arun Muralidharan [ 31/May/18 ]

I am setting "ssl=true" in the URI.
