[GODRIVER-2112] GoDriver(1.7.0)/mongodump(version:100.4.1) failed to connect to mongodb cluster 4.0 in ssl mode Created: 31/Jul/21  Updated: 27/Oct/23  Resolved: 01/Sep/21

Status: Closed
Project: Go Driver
Component/s: None
Affects Version/s: 1.7.0
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Ye Liang
Assignee: Benji Rewis (Inactive)
Resolution: Gone away
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

x86_64



 Description   

1. When I use GoDriver (1.7.0) to connect to a MongoDB 4.0 cluster in SSL mode, the following error occurs:

Failed: can't create session: could not connect to server: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: 127.0.0.1:27017, Type: Unknown, Last error: connection() error occured during connection handshake: EOF }, ] }

2. As is known, mongodump uses the GoDriver, so I also tried the latest mongodump (version 100.4.1) to connect to the MongoDB 4.0 cluster in SSL mode; it fails with the same error.
The command is:

./mongodump.100.4.1 --host 127.0.0.1 --port=27017 --ssl --sslCAFile /compile/mongodb/ca.crt --sslAllowInvalidHostnames -u myuser -p Test_1234 --authenticationDatabase=admin -d mydb -c mycol --gzip --archive=/tmp/mydb.mycol.tar.gz
WARNING: --sslAllowInvalidCertificates and --sslAllowInvalidHostnames are deprecated, please use --tlsInsecure instead
Failed: can't create session: could not connect to server: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: 127.0.0.1:27017, Type: Unknown, Last error: connection() error occured during connection handshake: EOF }, ] }

3. For points 1 and 2, the configuration on the MongoDB cluster's mongos node is:
net:
  ssl:
    mode: requireSSL
    disabledProtocols: TLS1_0,TLS1_1
    sslCipherConfig: DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
setParameter:
  opensslDiffieHellmanParameters: /CA/dh.pem

=> But when I add AES256-GCM-SHA384:AES128-GCM-SHA256 to sslCipherConfig and restart the node, all the connections (points 1 and 2) become okay.

4. Questions:
4-1 => Does GoDriver (1.7.0)/mongodump (version 100.4.1) not support DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 when connecting to a MongoDB 4.0 cluster in SSL mode? Can you help confirm this?
4-2 => I don't want to use AES256-GCM-SHA384:AES128-GCM-SHA256 because of its weak security. How can I connect to a MongoDB 4.0 cluster with DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 in SSL mode?
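
Added example, not part of the original ticket and not the Go driver's or mongodump's code: Go's crypto/tls implements no finite-field DHE cipher suites, so a server restricted to the DHE-RSA entries in the sslCipherConfig above shares no TLS 1.2 suite with a Go client. The sketch below checks an OpenSSL cipher string against the suites crypto/tls implements; the name-to-ID table, the ECDHE entries included for comparison, and the function names are assumptions made for illustration.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// opensslToIANA maps the OpenSSL cipher names from this ticket, plus their
// ECDHE counterparts (added for comparison), to IANA cipher suite IDs.
var opensslToIANA = map[string]uint16{
	"DHE-RSA-AES256-GCM-SHA384":   0x009F,
	"DHE-RSA-AES128-GCM-SHA256":   0x009E,
	"AES256-GCM-SHA384":           0x009D,
	"AES128-GCM-SHA256":           0x009C,
	"ECDHE-RSA-AES256-GCM-SHA384": 0xC030,
	"ECDHE-RSA-AES128-GCM-SHA256": 0xC02F,
}

// goImplements reports whether crypto/tls implements the suite at all,
// whether or not it is enabled by default in the running Go version.
func goImplements(id uint16) bool {
	all := append(tls.CipherSuites(), tls.InsecureCipherSuites()...)
	for _, cs := range all {
		if cs.ID == id {
			return true
		}
	}
	return false
}

// UsableByGoClient returns the entries of a colon-separated OpenSSL cipher
// string that crypto/tls implements. Names missing from the table are skipped.
func UsableByGoClient(cipherConfig string) []string {
	var usable []string
	for _, name := range strings.Split(cipherConfig, ":") {
		if id, known := opensslToIANA[name]; known && goImplements(id) {
			usable = append(usable, name)
		}
	}
	return usable
}

func main() {
	// The two sslCipherConfig values described in the ticket.
	before := "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
	after := before + ":AES256-GCM-SHA384:AES128-GCM-SHA256"
	fmt.Println("DHE only:   ", UsableByGoClient(before))
	fmt.Println("DHE + RSA:  ", UsableByGoClient(after))
}
```

An empty result means a Go client has no suite in common with that server configuration; the ECDHE entries in the table are forward-secret suites that crypto/tls does implement.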



 Comments   
Comment by Benji Rewis (Inactive) [ 08/Sep/21 ]

No worries yeliang1006@163.com!

So I haven't been able to reproduce the error you're seeing on mongodump 100.5.0 or 100.4.1. Nor can I reproduce that server selection timeout on a sharded cluster with the same configuration as the one you've described with Go driver 1.7.0 or 1.7.1.

I used the godriver like this as below in my code.

Could you include the code you're using to connect to the Go driver? That might help me reproduce the issue.

Comment by Ye Liang [ 03/Sep/21 ]

So sorry for the late reply.
Actually, I tried mongodump version (100.5.0) several days ago, but it still does not work (same error as above).
I used the godriver like this as below in my code. => has the same error.
github.com/mongodb/mongo-tools-common — v4.2 (the latest code)
go.mongodb.org/mongo-driver — v1.7.1
Did you test okay when using mongodump version (100.5.0)?

Comment by Backlog - Core Eng Program Management Team [ 01/Sep/21 ]

There hasn't been any recent activity on this ticket, so we're resolving it. Thanks for reaching out! Please feel free to comment on this if you're able to provide more information.

Comment by Benji Rewis (Inactive) [ 17/Aug/21 ]

Apologies for the delayed response yeliang1006@163.com!

We’re still actively investigating this issue, but I’ve had some trouble reproducing this error with both mongodump (100.5.0) and the raw Go driver (1.7.1) connected to a sharded cluster with the same setup as you’ve described.

Judging from the mongodump code, I believe the error you’re seeing is just a server selection timeout in the initial Connect to the cluster here.

It sounds like you’ve tried connecting to your sharded cluster just using the raw Go driver. Does that produce the same server selection timeout? And, could you share the code you’re using to connect to your cluster with the Go driver?

From what I can tell, we should support DHE-RSA-AES256-GCM-SHA384 as an SSL cipher config. I believe the stronger security is introducing more latency in the initial SSL handshake and causing a timeout. But, unless your latency is already very high, it’s odd that the slightly weaker security would succeed in connecting.

Comment by Ye Liang [ 04/Aug/21 ]

Thank you for your reply!

1. I tried to use Go driver 1.7.1, and still get the same error:

Failed: can't create session: could not connect to server: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: 127.0.0.1:27017, Type: Unknown, Last error: connection() error occured during connection handshake: EOF }, ] }

2. Because there is no mongodump (100.5.0) in the release notes yet, I built mongodump myself:
github.com/mongodb/mongo-tools — r4.2.14
github.com/mongodb/mongo-tools-common — v4.2 (the latest code)
go.mongodb.org/mongo-driver — v1.7.1

And, the same error also occurs:

./mongodump.godriver.1.7.1 --host 127.0.0.1 --port=27017 --ssl --sslCAFile /compile/mongodb/ca.crt --sslAllowInvalidHostnames -u rwuser -p Test_1234 --authenticationDatabase=admin -d mydb -c mycol --gzip --archive=/tmp/mydb.mycol.tar.gz
WARNING: --sslAllowInvalidCertificates and --sslAllowInvalidHostnames are deprecated, please use --tlsInsecure instead
Failed: can't create session: could not connect to server: server selection error: server selection timeout, current topology: { Type: Single, Servers: [{ Addr: 127.0.0.1:27017, Type: Unknown, Last error: connection() error occured during connection handshake: EOF }, ] }

=> Can you help confirm this?

Comment by Benji Rewis (Inactive) [ 03/Aug/21 ]

Thanks for your bug report yeliang1006@163.com!

That does sound like it might be an issue with the Go driver. My guess is that this server selection timeout is due to a bug discovered in 1.7.0, GODRIVER-2105, that will be fixed in Go driver version 1.7.1 and back ported to Go driver version 1.6.1.

This bug happens when copying copious amounts of data from an open cursor to a local copy under high network latency. I think that using DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 as the sslCipherConfig increases network latency and makes the bug visible. Using AES256-GCM-SHA384:AES128-GCM-SHA256 probably decreases latency (since it represents weaker security) and makes the server selection timeout less common.

mongodump should have a new version based on Go driver 1.7.1 once TOOLS-2932 and TOOLS-2880 are resolved. Upgrading to that mongodump version (will be 100.5.0) may resolve the issue, and if it doesn’t, we can reassess on this ticket.
