[SERVER-28901] Undocumented problem with MONGODB-X509 authentication Created: 21/Apr/17 Updated: 27/Oct/23 Resolved: 31/Jul/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Question | Priority: | Minor - P4 |
| Reporter: | Joannis Orlandos [X] | Assignee: | Spencer Jackson |
| Resolution: | Gone away | Votes: | 0 |
| Labels: | authentication, driver, questions, x509 | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
Connecting with IBM BlueMix, MongoDB 3.2.10, using the MongoKitten driver. |
||
| Attachments: |
|
| Backwards Compatibility: | Fully Compatible |
| Participants: |
| Description |
|
I'm the developer of the MongoKitten MongoDB driver for Swift. I'm creating a connection to MongoDB using the certificate provided by IBM BlueMix. I set up the certificate and connected successfully over SSL to the MongoDB 3.2.10 instance and attempted authenticating using the "MONGODB-X509" mechanism. The authentication gets rejected with the following message: "SSL support is required for the MONGODB-X509 mechanism.". I've been trying to find out what this means, because I am in fact connected over SSL to the server, so I'm thinking that the error message isn't describing the problem correctly. I've had to dive into the MongoDB server codebase to figure out what this means, and it seems that it's unable to get the SSLManager object. I haven't got a clue why and how I can improve my driver to successfully connect because I'm not familiar enough with the codebase to search for a solution and am hoping someone can enlighten me better and more efficiently than I can. |
| Comments |
| Comment by Spencer Jackson [ 31/Jul/17 ] | |||
|
Hi, I'm going to need to close out this ticket due to inactivity. Please feel free to reopen when you get more information! | |||
| Comment by Spencer Jackson [ 05/Jun/17 ] | |||
|
I just had a thought about this. Would it be possible for you to spin up a mongod locally and try your driver against it? Using MONGODB-X509 authentication with it should be reasonably straightforward. We have some test certificates in the source repository which we use for integration tests, which I'll attach. The mongod will need the following startup flags:
You can create the user you'll be authenticating as by running, with the shell:
| |||
| Comment by Joannis Orlandos [X] [ 17/May/17 ] | |||
|
I'm very certain that the TLS is working correctly and the bug is in my client, MongoKitten. I've managed to set up a connection to MongoDB servers including this one using TLS on requireSSL, including using a custom CA. The problem is not the TLS connection but the X509 authentication mechanism. When I try to connect my driver to the MongoDB instance over TLS, all is fine, with the custom certificate, until I trigger the X509 authentication mechanism. At this point I'm certain the driver is the issue, but the returned error seems out of place. I can track the issue to here, which suggests there is no SSL connection, which I know there is. So I'm missing a step in my driver but am unsure what. The MongoDB CLI client does work as expected with the same server(s). I'm currently unable to access the server, so I cannot test your command on the server that I did have X509 authentication set up on. I'll try to set up a second server with X509 in the coming days. | |||
| Comment by Spencer Jackson [ 16/May/17 ] | |||
|
Joannis, just following up. Are you still encountering this issue? | |||
| Comment by Spencer Jackson [ 28/Apr/17 ] | |||
|
I think I need more than client-side logs. The error you're getting should occur when the server hasn't been configured with TLS. I want to obtain a copy of your server's configuration, to ensure that it isn't behind some form of TLS terminating proxy. Can you run the following command in the mongo shell, and paste the output on this ticket?
Thanks! | |||
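The check described in the comment above, as an added example that is not part of the ticket or of MongoDB's code: given a parsed mongod configuration document, it reports whether mongod itself is configured for TLS or whether TLS must be terminating somewhere in front of it. The function names are hypothetical, the sample documents are constructed, and the keys are mongod's `net.ssl.*` settings.

```javascript
// Added example (not from the ticket). Function names are hypothetical and the
// sample documents are constructed; keys are mongod's net.ssl.* settings.
const TLS_MODES = new Set(["allowSSL", "preferSSL", "requireSSL"]);

// Returns a list of reasons MONGODB-X509 cannot work against this mongod.
function auditX509Readiness(parsedConfig) {
  const ssl = (parsedConfig && parsedConfig.net && parsedConfig.net.ssl) || {};
  const mode = ssl.mode || "disabled";
  if (!TLS_MODES.has(mode)) {
    // mongod does no TLS itself. A client that still connects over TLS is
    // talking to something in front of mongod, so the server never sees
    // the client certificate that MONGODB-X509 relies on.
    return ["no-server-tls"];
  }
  const findings = [];
  if (!ssl.PEMKeyFile) findings.push("missing-PEMKeyFile");
  // Without a CA file mongod cannot validate the certificate a client presents.
  if (!ssl.CAFile) findings.push("missing-CAFile");
  return findings;
}

// Per the ticket, "SSL support is required for the MONGODB-X509 mechanism."
// is expected when the server has not been configured with TLS.
function explainsSslRequiredError(findings) {
  return findings.includes("no-server-tls");
}

// Constructed samples: TLS terminated by a proxy, TLS without a CA, TLS ready.
const behindTlsProxy = { net: { port: 27017, bindIp: "127.0.0.1" } };
const tlsNoCa = {
  net: { ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/server.pem" } },
};
const tlsReady = {
  net: { ssl: { mode: "requireSSL", PEMKeyFile: "/etc/ssl/server.pem",
                CAFile: "/etc/ssl/ca.pem" } },
};

for (const [name, cfg] of Object.entries({ behindTlsProxy, tlsNoCa, tlsReady })) {
  const findings = auditX509Readiness(cfg);
  console.log(name, findings, "explains error:", explainsSslRequiredError(findings));
}
```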
| Comment by Joannis Orlandos [X] [ 28/Apr/17 ] | |||
|
I don't have direct control over this instance. It's hosted by a third party and made available to me for driver development. Would the client-side logs suffice? I can log all incoming and outgoing Query and Reply messages formatted as ExtendedJSON if that helps. I don't think there is a problem with the MongoDB server but I can't find any information regarding the error. I'm connecting over SSL to a MongoDB instance and the authentication fails with the message "SSL support is required for the MONGODB-X509 mechanism." code 17 (protocol error). I think the error message is incorrect, but I'm not sure what this error means and why it occurs. | |||
| Comment by Spencer Jackson [ 24/Apr/17 ] | |||
|
Hi Joannis, the error message you're seeing is unusual. Can you provide me with the server's configuration file and/or startup arguments? Can you also provide me with a log file from the server, showing the server starting up, and then trying to handle a MONGODB-X509 authentication attempt initiated by the driver? Thanks! |