[CSHARP-3113] Getting "Authentication failed because the remote party has closed the transport stream" while connection mongodb V4.0 using C# driver. Created: 27/May/20  Updated: 27/Oct/23  Resolved: 22/Jun/20

Status: Closed
Project: C# Driver
Component/s: Configuration, Connectivity
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: naresh kandala
Assignee: Vincent Kam (Inactive)
Resolution: Gone away
Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Production


Issue Links:
Cloners
is cloned by CSHARP-3172 Getting "Authentication failed becaus... Closed
is cloned by CSHARP-3174 Getting "Authentication failed becaus... Closed

 Description   

We are trying to implement SSL authentication with MongoDB version 4.0 using the connection string below and are facing authentication issues.

mongodb://username:password@hostname:27017/?authSource=admin&readPreference=primary&ssl=true&sslPEMKeyFile=C:/etc/ssl/client.pem

In the MongoDB log, we see the application connections closing immediately with the error message:

encountered a network error during SourceMessage: SocketException: no shared cipher

Application log:
2020-02-20 12:39:53 [Debug] Failed to authenticate HTTPS connection.
Properties: { EventId: { Id: 1 }, SourceContext: "Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware", ConnectionId: "0HLTM5FID0INL", Application: "DCDService" }
MachineName: NB1999-01924579
System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__69_0(SslServerAuthenticationOptions arg1, CancellationToken arg2, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2](Func`5 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2](Func`5 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, Object state)
   at System.Net.Security.SslStream.AuthenticateAsServerAsync(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken)
   at Microsoft.AspNetCore.Server.Kestrel.Https.Internal.HttpsConnectionMiddleware.InnerOnConnectionAsync(ConnectionContext context)
 
 
 
 



 Comments   
Comment by Vincent Kam (Inactive) [ 03/Jun/20 ]

Hi naresh.kandala@lowes.com,

Thank you for reaching out! I'm sorry to hear that your application is experiencing connectivity issues.

I see that your connection string uses the sslPemKeyFile option: unfortunately the .NET driver does not support this option yet, so the client certificate will need to be set programmatically.

One of the steps in setting the client certificate programmatically includes creating an X509Certificate2 object, and in order to do so, the client key MAY need to be converted to the PFX/PKCS12 format (see https://github.com/dotnet/runtime/issues/27346#issuecomment-419658415), although I am less certain about this: there may be a way to create an X509Certificate2 object directly from a PEM file. What I can definitely say is that for our own test suites, we use openssl to convert the client PEM file into a PFX/PKCS12 formatted file like so:

openssl pkcs12 -export -in "${CLIENT_PEM}" \
  -out "${MONGO_X509_CLIENT_P12}" \
  -name "Drivers Client Certificate" \
  -password "pass:${MONGO_X509_CLIENT_CERTIFICATE_PASSWORD}" 
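
An added example, not part of the comment above or of the driver's own code: one way to set the client certificate programmatically with the 2.10.x driver from the PFX file that the openssl command produces. The file path, the environment variable name and the TLS 1.2 pin are assumptions; the host and credentials are the placeholders from the description.

```csharp
using System;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Bson;
using MongoDB.Driver;

public static class MongoTlsClient
{
    // pfxPath and pfxPassword refer to the output of the "openssl pkcs12 -export" step.
    public static MongoClient Create(string uri, string pfxPath, string pfxPassword)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword);

        // A PFX exported without the key loads without error but cannot be used
        // to authenticate the client, so fail early with a clear message.
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Client PFX contains no private key.");

        var settings = MongoClientSettings.FromConnectionString(uri);
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            ClientCertificates = new[] { cert },
            // Assumption: the server accepts TLS 1.2.
            EnabledSslProtocols = SslProtocols.Tls12
        };
        return new MongoClient(settings);
    }

    public static void Main()
    {
        // sslPEMKeyFile is left out of the URI because the .NET driver does not
        // support it; the certificate is attached through SslSettings instead.
        var uri = "mongodb://username:password@hostname:27017/?authSource=admin&readPreference=primary";

        // Hypothetical variable name and path; keep the PFX password out of source control.
        var pfxPassword = Environment.GetEnvironmentVariable("MONGO_X509_CLIENT_CERTIFICATE_PASSWORD");
        var client = Create(uri, "C:/etc/ssl/client.p12", pfxPassword);

        // A ping forces a connection, so TLS or authentication failures surface here.
        var reply = client.GetDatabase("admin").RunCommand<BsonDocument>(new BsonDocument("ping", 1));
        Console.WriteLine(reply.ToJson());
    }
}
```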

Comment by Kalpana Majeti [ 27/May/20 ]

The application is .NET Core 3.1 and is using the Mongo C# driver - 2.10.3

Please ignore the above error log. Below is the error we see in the MongoDB log

 
-05-26T12:59:09.440-0400 I NETWORK  [conn44904] end connection 172.29.140.200:63941 (36 connections now open)
2020-05-26T12:59:09.442-0400 I NETWORK  [listener] connection accepted from 172.29.140.200:63942 #44905 (37 connections now open)
2020-05-26T12:59:09.443-0400 I NETWORK  [conn44905] end connection 172.29.140.200:63942 (36 connections now open)
2020-05-26T12:59:09.955-0400 I NETWORK  [listener] connection accepted from 172.29.140.200:63943 #44906 (37 connections now open)
2020-05-26T12:59:09.956-0400 I NETWORK  [conn44906] end connection 172.29.140.200:63943 (36 connections now open)
2020-05-26T12:59:09.958-0400 I NETWORK  [listener] connection accepted from 172.29.140.200:63944 #44907 (37 connections now open)
2020-05-26T12:59:09.959-0400 I NETWORK  [conn44907] end connection 172.29.140.200:63944 (36 connections now open)
2020-05-26T12:59:10.471-0400 I NETWORK  [listener] connection accepted from 172.29.140.200:63945 #44908 (37 connections now open)
2020-05-26T12:59:10.472-0400 I NETWORK  [conn44908] end connection 172.29.140.200:63945 (36 connections now open)
2020-05-26T12:59:10.474-0400 I NETWORK  [listener] connection accepted from 172.29.140.200:63946 #44909 (37 connections now open)
2020-05-26T12:59:10.474-0400 I NETWORK  [conn44909] end connection 172.29.140.200:63946 (36 connections now open)
2020-05-26T12:59:10.986-0400 I NETWORK  [listener]
 
And below is what we see in the application:
 
System.TimeoutException: A timeout occured after 30000ms selecting a server using CompositeServerSelector{ Selectors = MongoDB.Driver.MongoClient+AreSessionsSupportedServerSelector, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 } }. Client view of cluster state is { ClusterId : "1", ConnectionMode : "Automatic", Type : "Unknown", State : "Disconnected", Servers : [{ ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/lxmdbssisdev001.lowes.com:27017" }", EndPoint: "Unspecified/lxmdbssisdev001.lowes.com:27017", State: "Disconnected", Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.
 ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
 

Generated at Wed Feb 07 21:44:24 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.