[SERVER-10261] Disable SSL session caching on server to avoid Java driver SSL connection problems Created: 19/Jul/13 Updated: 11/Jul/16 Resolved: 06/Nov/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking |
| Affects Version/s: | 2.4.5 |
| Fix Version/s: | 2.4.7, 2.5.3 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Jeffrey Yemin | Assignee: | Andreas Nilsson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None |
| Environment: |
Package versions: ]$ rpm -qa | grep 'mongo|openssl|sasl' | sort |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Description |
|
Issue Status as of December 12th, 2013

ISSUE SUMMARY

USER IMPACT
It is present in versions of MongoDB prior to and including v2.4.6.

SOLUTION

WORKAROUNDS

PATCHES

Original Description
It's possible to generate SSL handshake errors with a trivial Java program: https://gist.github.com/anonymous/a2c4a8ac8f9e38e22edf. This program loops indefinitely, opening a new SSL socket on each iteration and sending a single write (which initiates the handshake). It eventually generates this exception: http://cl.ly/image/0A2a0j0L0S1i. Note that the alert descriptions are not consistent, suggesting some sort of corruption. The number of iterations before an error is not consistent, and it doesn't occur if SSL debugging is enabled in the client. |
| Comments |
| Comment by Githook User [ 09/Feb/15 ] |
|
Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message: (cherry picked from commit 74e5e2904304bef4b874c4ba68fe4e6671e1c12b) |
| Comment by Githook User [ 08/Feb/15 ] |
|
Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>
Message: |
| Comment by Andreas Nilsson [ 06/Nov/13 ] |
|
Consider this ticket closed for 2.4.7 and 2.5.3. Creating a new one for 2.4.9. |
| Comment by Jeffrey Yemin [ 28/Oct/13 ] |
|
This bug is still reproducible with 2.4.7, though not with 2.5.3. |
| Comment by auto [ 26/Sep/13 ] |
|
Author: Eric Milkie (milkie) <milkie@10gen.com>
Message: |
| Comment by auto [ 24/Sep/13 ] |
|
Author: Eric Milkie (milkie) <milkie@10gen.com>
Message: |
| Comment by Jeffrey Yemin [ 21/Sep/13 ] |
|
It looks like we have to do this server-side, cailin.nelson@10gen.com. |
| Comment by Andreas Nilsson [ 21/Sep/13 ] |
|
One option could be to disable session caching https://www.openssl.org/docs/ssl/SSL_CTX_set_session_cache_mode.html |
| Comment by Andreas Nilsson [ 30/Jul/13 ] |
|
1.6.0_51 |
| Comment by Jeffrey Yemin [ 30/Jul/13 ] |
|
What version of Java are you testing with? |
| Comment by Andreas Nilsson [ 30/Jul/13 ] |
|
OK, noticed that I also get exceptions, only less often. It seems to be a race between the client and server closing their sockets. Not sure if the bug is on the client or server side; it seems the Java stack has had some trouble with tearing down connections before: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6618387

Workarounds:

Wireshark dumps indicate that the error occurs if the client closes the socket before it has received a TCP RST from the server. When the next connection is created, the Java session caching mechanism will have a messed up state to work with and the error occurs. |
| Comment by Andreas Nilsson [ 30/Jul/13 ] |
|
Fix does not resolve issue completely. |
| Comment by auto [ 22/Jul/13 ] |
|
Author: Eric Milkie (milkie) <milkie@10gen.com>
Message: This is a partial backport of |
| Comment by Eric Milkie [ 22/Jul/13 ] |
|
Andreas found that The problem appears to be that we are not hanging up the socket as cleanly as we could be on the server, so on the client side the session cache is left in a non-happy state and the next connection attempt then fails. This would only affect the Java driver because it's the only driver I'm aware of that turns on SSL session caching. |