[SERVER-34813] SocketException: Secure.Transport: -9801 connecting from 3.7.9 shell to 3.4 server with SSL on Mac Created: 02/May/18  Updated: 02/Feb/21  Resolved: 02/May/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Shane Harvey Assignee: David Katz
Resolution: Duplicate Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate
duplicates SERVER-33329 Server and Shell do not emit TLS "pro... Closed
Operating System: ALL
Participants:

Description

These tests used the following server config:

$ cat config.txt
bind_ip=localhost
port=27017
ipv6=true
sslOnNormalPorts=true
sslWeakCertificateValidation=true
sslCAFile=/Users/shane/git/mongo-python-driver/test/certificates/ca.pem
sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/server.pem
dbpath=/var/folders/lm/b1r2f8p503xg40r6x2rqv7fr0000gp/T/mongo-oy2q7nj0
setParameter = enableTestCommands=1

And the self signed certificates from the Python driver: https://github.com/mongodb/mongo-python-driver/tree/3.6.1/test/certificates

When I start a 3.7.9 server with SSL and attempt to connect without --allowInvalidCertificates I get an error as expected:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
2018-05-02T13:01:36.858-0700 I NETWORK  [main] Secure Transport Initialized
2018-05-02T13:01:36.858-0700 I NETWORK  [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:01:36.927-0700 E NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected
2018-05-02T13:01:36.928-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed

This error message is a little bit less clear than the OpenSSL error you get in 3.4:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:03:43.607-0700 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate in certificate chain
2018-05-02T13:03:43.610-0700 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate in certificate chain :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed

With --sslAllowInvalidCertificates the connection succeeds:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
2018-05-02T13:16:06.009-0700 I NETWORK  [main] Secure Transport Initialized
2018-05-02T13:16:06.009-0700 I NETWORK  [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:16:06.086-0700 W NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
MongoDB server version: 3.7.9
Server has startup warnings:
...

However, starting a 3.4 server with SSL and attempting to connect with the 3.7.9 mongo shell results in an error:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
2018-05-02T13:03:50.995-0700 I NETWORK  [main] Secure Transport Initialized
2018-05-02T13:03:50.995-0700 I NETWORK  [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
MongoDB shell version v3.7.9
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:03:51.037-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Secure.Transport: -9801 :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed

Starting a 3.7.9 server with SSL and attempting to connect with the 3.4 mongo shell also fails:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T13:11:59.988-0700 E QUERY    [thread1] Error: socket exception [CLOSED] for 127.0.0.1:27017 :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed

Is this expected?

Comments
Comment by Shane Harvey [ 02/May/18 ]

Duplicate of SERVER-33329

Comment by Shane Harvey [ 02/May/18 ]

I think this was fixed by SERVER-33329.

Starting a 3.4 server with SSL and attempting to connect with the latest mongo shell results in a clearer error:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9-88-g17e5914/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
MongoDB shell version v3.7.9-88-g17e5914
connecting to: mongodb://127.0.0.1:27017
2018-05-02T15:02:45.482-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: unsupported protocol :
connect@src/mongo/shell/mongo.js:251:13
@(connect):1:6
exception: connect failed

Starting the latest server with SSL and attempting to connect with the 3.4 mongo shell fails because TLS 1.0 is disabled:

$ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
MongoDB shell version v3.4.14
connecting to: mongodb://127.0.0.1:27017
2018-05-02T15:02:06.473-0700 E NETWORK  [thread1] SSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
2018-05-02T15:02:06.474-0700 E QUERY    [thread1] Error: socket exception [CONNECT_ERROR] for  :
connect@src/mongo/shell/mongo.js:240:13
@(connect):1:6
exception: connect failed
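The three failure shapes in this ticket (a Secure Transport OSStatus, an OpenSSL packed error code, and plain-text certificate-trust messages) all come from the client's TLS library rather than from MongoDB, so the fastest way to tell a version-negotiation failure from a trust failure is to decode them. The script below is an added example, not part of the ticket or of MongoDB's code: the sample lines are copied from the output above, the OpenSSL 1.x error-code layout (library / function / reason, with received TLS alerts reported as reason 1000 + alert number) and the Secure Transport names are taken from the OpenSSL and Apple SecureTransport.h headers as I know them, and the four categories are this example's own. The OpenSSL decode is general: it recovers any alert number, not only the protocol_version (70) alert seen here.

```python
"""Decode and classify TLS handshake failures from mongo shell log lines (added example).

Tables are from OpenSSL 1.x error encoding and Apple's SecureTransport.h (assumed correct).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 3.x mongo shell log line: "<timestamp> <severity> <component>  [<context>] <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sev>[DIWEF])\s+(?P<comp>\S+)\s+\[(?P<ctx>[^\]]+)\]\s+(?P<msg>.*)$"
)
# OpenSSL 1.x error text: "error:<8 hex digits>:<library>:<function>:<reason>"
OPENSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*)"
)
# Secure Transport OSStatus as the 3.7.x shell prints it: "Secure.Transport: -9801"
SECURE_TRANSPORT_RE = re.compile(r"Secure\.Transport:\s*(?P<code>-\d+)")

ERR_LIB_SSL = 20             # OpenSSL library id for "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # OpenSSL reports a received TLS alert N as reason 1000 + N

# TLS alert descriptions (RFC 5246 section 7.2.2), subset
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
              48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
              80: "internal_error"}
# Secure Transport OSStatus name and category (Apple SecureTransport.h), subset
SECURE_TRANSPORT_CODES = {
    -9801: ("errSSLProtocol", "protocol_error"),  # generic; newer shell says "unsupported protocol"
    -9807: ("errSSLXCertChainInvalid", "certificate_trust"),
    -9836: ("errSSLPeerProtocolVersion", "protocol_version"),
}
CERT_TRUST_MARKERS = ("certificate validation failed", "cssmerr_tp_not_trusted",
                      "self signed certificate")


@dataclass
class Diagnosis:
    category: str                # protocol_version | protocol_error | certificate_trust | other
    detail: str
    alert: Optional[int] = None  # TLS alert number when the message lets us recover one


def decode_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split an OpenSSL 1.x packed error code into (library, function, reason) fields."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def diagnose(message: str) -> Diagnosis:
    """Classify one log message; the checks are ordered because patterns can co-occur."""
    m = OPENSSL_RE.search(message)
    if m:
        lib, _func, reason = decode_openssl_error(int(m.group("code"), 16))
        where = f"{m.group('lib')}/{m.group('func')}"
        if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
            alert = reason - SSL_AD_REASON_OFFSET
            name = TLS_ALERTS.get(alert, "unknown")
            category = "protocol_version" if alert == 70 else "protocol_error"
            return Diagnosis(category, f"{where}: peer sent TLS alert {alert} ({name})", alert)
        return Diagnosis("other", f"{where}: {m.group('reason')}")

    m = SECURE_TRANSPORT_RE.search(message)
    if m:
        code = int(m.group("code"))
        name, category = SECURE_TRANSPORT_CODES.get(code, ("unknown OSStatus", "other"))
        return Diagnosis(category, f"Secure Transport {code} ({name})")

    lowered = message.lower()
    if any(marker in lowered for marker in CERT_TRUST_MARKERS):
        return Diagnosis("certificate_trust", "peer certificate is not trusted by the client CA set")
    if "unsupported protocol" in lowered:
        return Diagnosis("protocol_version", "no TLS version in common between client and server")
    return Diagnosis("other", message)


def diagnose_log(lines: List[str]) -> List[Tuple[str, Diagnosis]]:
    """Return (severity, Diagnosis) for every W/E NETWORK or QUERY line; skip the rest."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("sev") in "WE" and m.group("comp") in ("NETWORK", "QUERY"):
            results.append((m.group("sev"), diagnose(m.group("msg"))))
    return results


# Sample input: six lines copied from the ticket's shell output (constructed test data)
SAMPLE_LINES = [
    "2018-05-02T13:01:36.927-0700 E NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected",
    "2018-05-02T13:03:43.607-0700 E NETWORK  [thread1] SSL peer certificate validation failed: self signed certificate in certificate chain",
    "2018-05-02T13:16:06.086-0700 W NETWORK  [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED",
    "2018-05-02T13:03:51.037-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Secure.Transport: -9801 :",
    "2018-05-02T15:02:45.482-0700 E QUERY    [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: unsupported protocol :",
    "2018-05-02T15:02:06.473-0700 E NETWORK  [thread1] SSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version",
]

if __name__ == "__main__":
    for severity, d in diagnose_log(SAMPLE_LINES):
        print(f"{severity} {d.category:17} {d.detail}")
```

Run as-is it prints one classified line per sample; the W line from the successful `--sslAllowInvalidCertificates` run is kept deliberately, since a warning that a certificate was not trusted is worth noticing even when the connection went through. Decoding 0x1407742E gives library 20 (SSL), reason 0x42E = 1070, i.e. alert 70, which is the protocol_version alert a TLS 1.2-only server sends to a TLS 1.0 client; that matches the "TLS 1.0 is disabled" explanation in the comment above.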

Generated at Thu Feb 08 04:37:56 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.