[SERVER-39941] Report TLS handshake errors to client Created: 04/Mar/19  Updated: 08/Jan/24

Status: Backlog
Project: Core Server
Component/s: Networking
Affects Version/s: 4.1.8
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Oleg Pudeyev (Inactive) Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-33329 Server and Shell do not emit TLS "pro... Closed
is related to RUBY-1713 Topology flapping under load with agg... Closed
is related to SERVER-39970 Report all handshake errors to client Closed
Assigned Teams:
Server Security
Sprint: Security 2019-04-08
Participants:

 Description   

Currently when the server rejects a client connection during TLS handshake it reports no errors to the client, making it impossible to diagnose connection failures from the client side (they can only be diagnosed via reading server logs).

For example, given the certificates in https://github.com/p-mongo/tests/tree/master/certs, we can use openssl s_client and s_server functions to require certificate verification on the server side and connect without supplying a certificate:

speed% openssl s_server -port 4433 -Verify 1
 
speed% openssl s_client -connect :4443

Server side outputs in its terminal:

ERROR
140307916162112:error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate:../ssl/statem/statem_srvr.c:3664:
shutting down SSL
CONNECTION CLOSED

Client side outputs in its terminal:

---
140147908084800:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1528:SSL alert number 116

The alert mechanism referenced is the openssl's way of communicating errors between client and server during connection handshake.

Now if I connect to a mongod with s_client the same way:

speed% openssl s_client -connect :27017
 
...
read:errno=0

mongod closes the connection without supplying any reason why the connection was closed. The reason is logged in mongod log:

2019-03-04T13:07:11.146-0500 E NETWORK  [conn129] no SSL certificate provided by peer; connection rejected
2019-03-04T13:07:11.146-0500 I NETWORK  [conn129] Error receiving request from client: SSLHandshakeFailed: no SSL certificate provided by peer; connection rejected. Ending connection from 127.0.0.1:48388 (connection id: 129)

This reason should be communicated to the client using the openssl alert mechanism prior to closing the connection.

mongod was launched with:

speed% mlaunch init --single --dir /tmp/mdb-ssl --sslMode requireSSL --bin /usr/local/m/versions/4.1/ \
  --sslPEMKeyFile `pwd`/server.pem \
  --sslCAFile `pwd`/ca.pem \
  --sslClientCertificate `pwd`/client.pem


Generated at Thu Feb 08 04:53:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.