[CDRIVER-467] Impossible to connect with ssl=true without specifying mongoc_ssl_opt_t Created: 22/Nov/14  Updated: 04/Aug/23  Resolved: 25/Feb/15

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: 1.0.0
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Alexander Komyagin Assignee: Mira Carey
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

RS with ssl enabled


Issue Links:
Related
related to PHPC-2270 Define constants for POSIX features a... Closed
is related to CDRIVER-2153 mongoc_client_pool_t cannot connect t... Closed
is related to CDRIVER-933 mongoc_ssl_opt_get_default changed in... Closed

 Description   

It is really frustrating that I can't get SSL to work "out-of-the-box", because it is required to explicitly specify:

    mongoc_ssl_opt_t opts = *mongoc_ssl_opt_get_default();
    opts.weak_cert_validation = true;

And set those on the client:

mongoc_client_set_ssl_opts(client, &opts);

It should be changed/documented and meaningful error should be reported if something is wrong.



 Comments   
Comment by Mira Carey [ 25/Feb/15 ]

Alex,

I'm inclined to stick with the current behavior, namely that we make it a little difficult to turn off certificate validation. Given that the alternative leaves users open to man in the middle attacks, I don't think the convenience is worth it for the loss of security.

That said, the fact that the default setup isn't functional is also somewhat an artifact of our use of openssl. The lack of standardization on where to find root certificates, which we could remedy with a configure option, means that there's not much we can do if you don't give us a cert. I don't really plan on changing this for linux, since I think it's a little awkward to use certs generally distributed for web browsing for application programming, but we may have more of a story for windows and os x. Those systems offer certificate authorities that may plausibly be filled with certs applicable to this kind of development. So you may find defaults more to your likely if/when we've had a chance to add native TLS for windows and os x.

For now, I'm going to close this out as wontfix, because I can't agree to make weak cert validation the default and I don't find the current error reporting for failure to validate particularly unclear:

# after switching example-client to use ?ssl=true
Cursor Failure: Failed to handshake and validate TLS certificate.

If you're getting an error that's less helpful than that out of another code path, feel free to open a new ticket to make that error less generic.

Regards,
Jason

Generated at Wed Feb 07 21:09:35 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.