[CDRIVER-841] Improve SSL connection error messages Created: 15/Sep/15  Updated: 10/Aug/16  Resolved: 18/Jul/16

Status: Closed
Project: C Driver
Component/s: libmongoc, tls
Affects Version/s: None
Fix Version/s: 1.4.0

Type: Improvement Priority: Major - P3
Reporter: Derick Rethans Assignee: Hannes Magnusson
Resolution: Done Votes: 0
Labels: intern2016
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by CDRIVER-696 Useful errors from server selection Closed
Duplicate
is duplicated by CDRIVER-936 Wrong error message when ismaster fai... Closed
Related
related to CDRIVER-842 Allow for more finegrained SSL connec... Closed
related to CDRIVER-1203 Include ismaster errors in server-sel... Closed
is related to CDRIVER-543 differentiate between network error a... Closed
Epic Link: TLS Improvements

 Description   

Take for example the following mongo invocation (with .pem files taken out of phongo's test suite, talking to the phongo vm created servers).

mongo 192.168.112.10:2100 -ssl -sslPEMKeyFile=client.pem -sslCAFile ca.pem  --sslPEMKeyPassword "Very secretive client.pem passphrase"

This produces:

2015-09-15T14:44:47.727+0100 E NETWORK  The server certificate does not match the host name 192.168.112.10
2015-09-15T14:44:47.729+0100 E QUERY    Error: socket exception [CONNECT_ERROR] for 

Using the C driver directly:

#include <stdio.h>
#include <bson.h>
#include <mongoc.h>

int main (int argc, char *argv[])
{
    mongoc_client_t *client;
    bson_t bson;
    bson_error_t error;
    /* fields: pem_file, pem_pwd, ca_file, ca_dir, crl_file, weak_cert_validation */
    mongoc_ssl_opt_t ssl_opts = { "client.pem", "Very secretive client.pem passphrase", "ca.pem", ".", "crl.pem", false };

    mongoc_init();

    /* Create our MongoDB Client */
    client = mongoc_client_new("mongodb://192.168.112.10:2100/?ssl=true");
    mongoc_client_set_ssl_opts(client, &ssl_opts);

    /* do something with client ... */
    if (!mongoc_client_get_server_status(client, NULL, &bson, &error)) {
        printf("error: %s\n", error.message);
    }

    /* the reply is initialized even on failure, so always release it */
    bson_destroy(&bson);
    mongoc_client_destroy(client);
    mongoc_cleanup();

    return 0;
}

Currently, just like with any other connection failure, the driver just returns "error: No suitable servers found".

It does not tell me there was an error with SSL connection in general, and certainly not that it was because of a wrong name.

Please add more specific error messages for SSL connections, including, but not limited to:

  • The server that you're trying to talk to does not have SSL turned on (but you connected to it with SSL).
  • The server that you're trying to talk to does have SSL turned on (but you didn't set the option).
  • The server certificate does not match the hostname "192.168.112.10"
  • The server certificate didn't match with the client certificate
  • The certificate has been revoked.
  • Etc.

(it would also be helpful, if these same things showed up in the normal log that the server produces)



 Comments   
Comment by Githook User [ 18/Jul/16 ]

Author: Hannes Magnusson (bjori) <bjori@php.net>

Message: CDRIVER-841: Don't overwrite the connection error
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/afe224c16b4e0cf43e1b1fb0b1c09fef9ac6b42c

Comment by Hannes Magnusson [ 18/Jul/16 ]

We don't know if you are connecting to a server expecting plaintext/TLS, so we can't upgrade the error message to say so. You can see that in the server logs, but the server just terminates the connection.

As of 1.4, these error messages should have been improved.

https://mongodbcr.appspot.com/76890001/
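
Added example (not code from this issue or from libmongoc): a small C model of the problem reported above, where server selection replaces a specific TLS connect error with "No suitable servers found", next to a variant that keeps the cause. The `demo_*` and `select_*` names, the error struct, the failure kinds and the message wording are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a driver error struct (not libmongoc's bson_error_t). */
typedef struct { int code; char message[256]; } demo_error_t;

/* Constructed outcomes of a TLS connection attempt. */
typedef enum { TLS_OK, TLS_HOSTNAME_MISMATCH, TLS_CERT_REVOKED, TLS_PEER_CLOSED } tls_result_t;

/* Simulated connect layer: returns 1 on success, else 0 with the specific cause in *e. */
int demo_connect(const char *host, tls_result_t r, demo_error_t *e) {
    const char *reason;
    switch (r) {
    case TLS_OK:                return 1;
    case TLS_HOSTNAME_MISMATCH: reason = "certificate does not match host name"; break;
    case TLS_CERT_REVOKED:      reason = "certificate has been revoked"; break;
    default:                    reason = "connection closed by peer"; break;
    }
    e->code = 1;
    snprintf(e->message, sizeof e->message, "TLS handshake with '%s' failed: %s", host, reason);
    return 0;
}

/* Before: the selection layer overwrites whatever the connect layer reported. */
int select_overwriting(const char *host, tls_result_t r, demo_error_t *e) {
    if (demo_connect(host, r, e)) return 1;
    e->code = 2;
    snprintf(e->message, sizeof e->message, "No suitable servers found");
    return 0;
}

/* After: the selection failure wraps the connect error instead of replacing it. */
int select_preserving(const char *host, tls_result_t r, demo_error_t *e) {
    demo_error_t cause = {0, ""};
    if (demo_connect(host, r, &cause)) return 1;
    e->code = 2;
    snprintf(e->message, sizeof e->message, "No suitable servers found: [%s]", cause.message);
    return 0;
}

int main(void) {
    demo_error_t e;
    select_overwriting("192.168.112.10", TLS_HOSTNAME_MISMATCH, &e);
    printf("before: %s\n", e.message);
    select_preserving("192.168.112.10", TLS_HOSTNAME_MISMATCH, &e);
    printf("after:  %s\n", e.message);
    return 0;
}
```

The `TLS_PEER_CLOSED` case mirrors the limit noted in the last comment: when the peer simply drops the connection, the client can report that the handshake was cut off but not why.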
