[SERVER-17022] No SSL Session Caching may not be respected Created: 23/Jan/15  Updated: 18/Sep/15  Resolved: 08/Feb/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 2.4.12, 2.6.6
Fix Version/s: 2.6.8, 3.0.0-rc9, 3.1.0

Type: Bug Priority: Major - P3
Reporter: Peter Garafano (Inactive) Assignee: Spencer Jackson
Resolution: Done Votes: 8
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File SERVER-17022.cs
Issue Links:
Depends
Related
is related to SERVER-10261 Disable SSL session caching on server... Closed
is related to SERVER-11612 Java driver problems with SSL session... Closed
Tested
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Completed:
Steps To Reproduce:

Run MongoDB 2.4.6 on Linux with SSL, connecting from a Windows client running the 1.9.2 version of the C# driver.

Execute a script such that many connections are opened in parallel. (See attached C# class file)

This test will result in an error-free run of the script.

Shut down 2.4.6 and start 2.4.7 with otherwise identical settings.

Run the script again; this will result in errors such as:

Server Errors

Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]

Client Errors

Authentication failed because the remote party has closed the transport stream.

Sprint: Security [00-02-20-15]
Participants:

Description
Issue Status as of Feb 09, 2015

ISSUE SUMMARY
Applications may be unable to reuse a session to a MongoDB instance when using a driver which uses TLS session tickets.

Currently, the C# driver is the only driver known to produce this issue.

Connection attempts meeting the following criteria may encounter this issue:

  • The connection is secured with SSL
  • The connection is closed and reopened using a TLS session ticket
  • The server must have been started with --sslCAFile

USER IMPACT
Attempting to reopen connections secured with SSL using an affected driver may result in the server closing the socket and emitting an error to its logs resembling the following message:

ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
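The server-side symptom above is easy to triage from the mongod log alone. The following script is an added example, not part of this issue or of MongoDB's code: it parses the 2.4/2.6-style log lines shown in this ticket, and for each connection reports whether the socket was closed right after the session id context error (a TLS session ticket resumption failure) or for some other reason. The sample log is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of mongod log lines in the format quoted in this issue.
# conn13 shows the ticket-resumption failure; conn14 fails for an unrelated reason.
SAMPLE_LOG = """\
Thu Jan 22 00:18:29.990 [initandlisten] connection accepted from 10.0.0.5:51234 #13 (1 connection now open)
Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
Thu Jan 22 00:18:31.101 [conn14] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
Thu Jan 22 00:18:32.500 [conn15] end connection 10.0.0.5:51240 (0 connections now open)
"""

# "<weekday> <month> <day> <time>.<ms> [<context>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<ctx>[^\]]+)\] (?P<msg>.*)$"
)
RESUME_ERR = "SSL_GET_PREV_SESSION:session id context uninitialized"
CONNECT_ERR = "socket exception [CONNECT_ERROR]"


def parse_line(line):
    """Split one log line into timestamp, connection context and message, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Group errors per connection and separate ticket-resumption failures
    from CONNECT_ERROR closes that had no preceding session id context error."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["ctx"].startswith("conn"):
            continue  # skip listener/other subsystems and unparsable lines
        if RESUME_ERR in rec["msg"]:
            events[rec["ctx"]]["resume_error"] = rec["ts"]
        elif CONNECT_ERR in rec["msg"]:
            events[rec["ctx"]]["connect_error"] = rec["ts"]
    ticket_failures = sorted(c for c, e in events.items()
                             if "resume_error" in e and "connect_error" in e)
    other = sorted(c for c, e in events.items()
                   if "connect_error" in e and "resume_error" not in e)
    return {"ticket_resumption_failures": ticket_failures, "other_connect_errors": other}


def server_affected(log_text):
    """True if any connection hit the session id context error described in this issue."""
    return bool(summarize(log_text)["ticket_resumption_failures"])


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A non-empty ticket_resumption_failures list on a 2.4.7 to 2.6.7 server started with --sslCAFile points at this bug rather than at a client-side certificate or network problem.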

WORKAROUNDS
Disable the use of TLS session tickets in your driver. For the C# driver on Windows, set the ClientCacheTime registry key to 0. Note that this is a global setting which will affect all programs running on the machine. There are no known workarounds for other software environments.

AFFECTED VERSIONS
MongoDB production releases between 2.4.7 and 2.6.7, inclusive, are affected.

FIX VERSION
The fix is included in the 2.6.8 production release.

RESOLUTION DETAILS
OpenSSL requires an SSL session id context in order to perform peer validation when re-establishing a session, whether from the session cache or from a TLS session ticket. Because MongoDB disabled the session cache in 2.4.7 and unset the session id context, clients attempting to restore a session from a ticket would cause OpenSSL to fail. To fix this, the SSL session cache has been re-enabled, and the session id context is saved.

Original description

Something in Windows SChannel doesn't respect the no SSL Session Caching change made in SERVER-10261. This breaks any MongoDB driver on Windows that uses SChannel.

The currently available workaround is to set the ClientCacheTime registry key to 0 to disable caching, however this is a system wide change which could have unforeseen consequences in a server environment.



Comments
Comment by Githook User [ 09/Feb/15 ]

Author: Ramon Fernandez (ramonfm, ramon.fernandez@mongodb.com)

Message: SERVER-17022 Update assert code to avoid conflicts in v3.0 branch

(cherry picked from commit e6e989f7fcf70d5bf5a5645b6927ac7a889dd5b7)
Branch: v2.6
https://github.com/mongodb/mongo/commit/1dd33f490c47f8e4bc01f11931b62a463fe4fbca

Comment by Githook User [ 09/Feb/15 ]

Author: Ramon Fernandez (ramonfm, ramon.fernandez@mongodb.com)

Message: SERVER-17022 Update assert code to avoid conflicts in v3.0 branch

(cherry picked from commit e6e989f7fcf70d5bf5a5645b6927ac7a889dd5b7)
Branch: v3.0
https://github.com/mongodb/mongo/commit/43ea13bb5995ed1a1907ccb9f49b76daba2b27b2

Comment by Githook User [ 09/Feb/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-17022 Re-enable SSL caching as it didn't fix SERVER-10261

(cherry picked from commit 74e5e2904304bef4b874c4ba68fe4e6671e1c12b)
Branch: v3.0
https://github.com/mongodb/mongo/commit/656c47bc864f5fa2a1c95fbdd2cf671d7d6ab669

Comment by Githook User [ 09/Feb/15 ]

Author: Ramon Fernandez (ramonfm, ramon.fernandez@mongodb.com)

Message: SERVER-17022 Update assert code to avoid conflicts in v3.0 branch
Branch: master
https://github.com/mongodb/mongo/commit/e6e989f7fcf70d5bf5a5645b6927ac7a889dd5b7

Comment by Githook User [ 09/Feb/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-17022 Re-enable SSL caching as it didn't fix SERVER-10261

(cherry picked from commit 74e5e2904304bef4b874c4ba68fe4e6671e1c12b)
Branch: v2.6
https://github.com/mongodb/mongo/commit/78d52ff64110f5590e60554c4ba58a68772e61df

Comment by Githook User [ 08/Feb/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-17022 Re-enable SSL caching as it didn't fix SERVER-10261
Branch: master
https://github.com/mongodb/mongo/commit/74e5e2904304bef4b874c4ba68fe4e6671e1c12b

Comment by Mark Benvenuto [ 26/Jan/15 ]

The SCHANNEL_CRED structure has a member variable called dwSessionLifespan which controls the session cache timeout for an individual session. Would this work for the C# driver?

The number of milliseconds that Schannel keeps the session in its session cache. After this time has passed, any new connections between the client and the server require a new Schannel session. Set the value of this member to zero to use the default value of 36000000 milliseconds (ten hours).

Generated at Thu Feb 08 03:43:03 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.