[CXX-2388] tls=true fails
Created: 13/Oct/21
Updated: 27/Oct/23
Resolved: 13/Dec/21

Status: Closed
Project: C++ Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Vlad Rachev (Inactive)
Assignee: Kevin Albertson
Resolution: Gone away
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

Hello, I ran into an issue where setting tls=true in the connection string is erroring, but using ssl=true with no other changes succeeds. According to the docs these should be identical.

In the failing case, the connection string is:

'mongodb://username:password@10.2.0.200:27017/admin?appName=Genny&maxPoolSize=2000&replicaSet=rs0&socketTimeoutMS=-1&tls=true&tlsAllowInvalidHostnames=true'

and logs:

[2021/09/28 15:50:10.698] 15:50:10Z>  [2021-09-28 15:50:10.660325] [0x00007fa7e25d2700] [error]   Unexpected std::exception: No suitable servers found: `serverSelectionTimeoutMS` expired: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed]: failed to create a client session
 [2021/09/28 15:50:10.698] 15:50:10Z>  [2021-09-28 15:50:10.660408] [0x00007fa83f68c700] [error]   Unexpected std::exception: No suitable servers found: `serverSelectionTimeoutMS` expired: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed]: failed to create a client session
 [2021/09/28 15:50:10.698] 15:50:10Z>  [2021-09-28 15:50:10.660445] [0x00007fa81c646700] [error]   Unexpected std::exception: No suitable servers found: `serverSelectionTimeoutMS` expired: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed]: failed to create a client session
 [2021/09/28 15:50:10.698] 15:50:10Z>  [2021-09-28 15:50:10.660489] [0x00007fa81ce47700] [error]   Unexpected std::exception: No suitable servers found: `serverSelectionTimeoutMS` expired: [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed]: failed to create a client session
....

In the successful case, the connection string is:

'mongodb://username:password@10.2.0.200:27017/admin?appName=Genny&maxPoolSize=2000&replicaSet=rs0&socketTimeoutMS=-1&ssl=true&tlsAllowInvalidHostnames=true'

As seen, the tls=true and ssl=true are the only changes.



 Comments   
Comment by PM Bot [ 13/Dec/21 ]

There hasn't been any recent activity on this ticket, so we're resolving it. Thanks for reaching out! Please feel free to comment on this if you're able to provide more information.

Comment by Kevin Albertson [ 26/Nov/21 ]

Hi vlad.rachev, apologies for the slow response.

I was not able to repro with an isolated example in the C++ driver. The repro attempt is here. The repro starts mongod with --tlsMode requireTLS and is able to connect with TLS using URIs with both ssl=true and tls=true.

A "certificate verify failed" error is an indication that the tlsCAFile (or the equivalent sslCertificateAuthorityFile) is not configured.

The "ssl=true" URI does not appear to configure TLS options in Genny.

Here is the log output of a dry-run with a URI containing tls=true. It logs "Adding tls options to pool...":

./run-genny workload -- dry-run --workload-file ./src/workloads/scale/InsertRemove.yml --mongo-uri "mongodb://localhost:27017/?tls=true" --verbosity debug
[info ] [genny.curator       ] Moved existing metrics (presumably from a prior run). cwd=/Users/kevin.albertson/code/genny existing=build/WorkloadOutput/CedarMetrics moved_to=build/WorkloadOutput/CedarMetrics-2021-11-26T231313Z-050e7617 timestamp=2021-11-26T23:13:13Z
[info ] [genny.curator       ] Starting poplar grpc in the background. command=['/Users/kevin.albertson/code/genny/build/curator/curator', 'poplar', 'grpc'] cwd=/Users/kevin.albertson/code/genny timestamp=2021-11-26T23:13:13Z
[curator] 2021/11/26 18:13:13 [p=info]: starting poplar gRPC service at 'localhost:2288'
[2021-11-26 18:13:13.910198] [0x000000010afb9e00] [info]    Constructing pool with MongoURI 'mongodb://localhost:27017/?appName=Genny&tls=true'
[2021-11-26 18:13:13.910396] [0x000000010afb9e00] [debug]   Using CA file '/Users/kevin.albertson/code/drivers-evergreen-tools/.evergreen/x509gen/ca.pem' for TLS
[2021-11-26 18:13:13.910438] [0x000000010afb9e00] [debug]   Adding tls options to pool...
Workload context constructed without errors.
[curator] 2021/11/26 18:13:14 [p=info]: poplar rpc service terminated

Here is the output of a dry-run with a URI containing ssl=true. It does not log "Adding tls options to pool...":

% ./run-genny workload -- dry-run --workload-file ./src/workloads/scale/InsertRemove.yml --mongo-uri "mongodb://localhost:27017/?ssl=true" --verbosity debug
[info ] [genny.curator       ] Moved existing metrics (presumably from a prior run). cwd=/Users/kevin.albertson/code/genny existing=build/WorkloadOutput/CedarMetrics moved_to=build/WorkloadOutput/CedarMetrics-2021-11-26T231234Z-5072575a timestamp=2021-11-26T23:12:34Z
[info ] [genny.curator       ] Starting poplar grpc in the background. command=['/Users/kevin.albertson/code/genny/build/curator/curator', 'poplar', 'grpc'] cwd=/Users/kevin.albertson/code/genny timestamp=2021-11-26T23:12:34Z
[curator] 2021/11/26 18:12:34 [p=info]: starting poplar gRPC service at 'localhost:2288'
[2021-11-26 18:12:34.877895] [0x0000000109305e00] [info]    Constructing pool with MongoURI 'mongodb://localhost:27017/?appName=Genny&ssl=true'
Workload context constructed without errors.
[curator] 2021/11/26 18:12:35 [p=info]: poplar rpc service terminated

I believe adding a check for "ssl" here should make the behavior consistent.
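
An added example, not Genny's or the driver's own code: one way a tool could decide whether a URI asks for TLS so that ssl=true and tls=true take the same path to the CA-file setup. The name uri_requests_tls is hypothetical, and the case-insensitive matching and rejection of conflicting values are choices made for this sketch.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>

// Hypothetical helper, not Genny or driver code.
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// True when the URI's query options ask for TLS under either spelling.
// Compares whole option names, so tlsAllowInvalidHostnames=true alone is not a match.
bool uri_requests_tls(const std::string& uri) {
    const std::string::size_type q = uri.find('?');
    if (q == std::string::npos) return false;
    int tls = -1, ssl = -1;  // -1 = option absent, 0 = false, 1 = true
    std::istringstream opts(uri.substr(q + 1));
    std::string pair;
    while (std::getline(opts, pair, '&')) {
        const std::string::size_type eq = pair.find('=');
        if (eq == std::string::npos) continue;
        const std::string key = lower(pair.substr(0, eq));
        if (key != "tls" && key != "ssl") continue;
        const std::string val = lower(pair.substr(eq + 1));
        if (val != "true" && val != "false")
            throw std::invalid_argument("non-boolean value for " + key);
        (key == "tls" ? tls : ssl) = (val == "true") ? 1 : 0;
    }
    // Assumption of this sketch: contradictory aliases are rejected, not guessed at.
    if (tls != -1 && ssl != -1 && tls != ssl)
        throw std::invalid_argument("tls and ssl options disagree");
    return (tls != -1 ? tls : ssl) == 1;
}

int main() {
    // The two URIs from the dry-run logs above.
    const char* uris[] = {"mongodb://localhost:27017/?appName=Genny&tls=true",
                          "mongodb://localhost:27017/?appName=Genny&ssl=true"};
    for (const char* u : uris)
        std::cout << u << " -> " << (uri_requests_tls(u) ? "TLS" : "no TLS") << "\n";
    return 0;
}
```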

Comment by Vlad Rachev (Inactive) [ 26/Oct/21 ]

1.17.0 according to https://github.com/10gen/vcpkg/blob/master/ports/libmongoc/CONTROL.

Btw I should've mentioned that this isn't a priority for me, just something I noticed and wasn't sure if it was known.

Comment by Kevin Albertson [ 18/Oct/21 ]

vlad.rachev which version of the C driver are you using? Support for the tls options was added in the C driver in CDRIVER-2869.

Comment by Vlad Rachev (Inactive) [ 13/Oct/21 ]

If it helps we're on 3.6.0. 
