[SERVER-45136] Clarify SSL error instead of "HostUnreachable: Connection closed by peer"
Created: 13/Dec/19  Updated: 27/Oct/23  Resolved: 23/Dec/19

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: None
Fix Version/s: None

Type: Bug
Priority: Major - P3
Reporter: Dan Dascalescu
Assignee: Spencer Jackson
Resolution: Works as Designed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Operating System: ALL
Sprint: Security 2019-12-30
Participants:

 Description   

I've wasted again a good amount of time due to an ambiguous error while trying to connect to my local MongoDB instance:

 

$ mongo mongodb://127.0.0.1:8358
MongoDB shell version v4.2.2
connecting to: mongodb://127.0.0.1:8358/?compressors=disabled&gssapiServiceName=mongodb
2019-12-13T14:18:45.894-0500 I  NETWORK  [js] DBClientConnection failed to receive message from 127.0.0.1:8358 - HostUnreachable: Connection closed by peer
2019-12-13T14:18:45.894-0500 E  QUERY    [js] Error: network error while attempting to run command 'isMaster' on host '127.0.0.1:8358'  :
connect@src/mongo/shell/mongo.js:341:17
@(connect):2:6
2019-12-13T14:18:45.896-0500 F  -        [main] exception: connect failed
2019-12-13T14:18:45.896-0500 E  -        [main] exiting with code 1

Initially I thought I got the port wrong, but replacing that with a random number yielded a different error, "connection attempt failed: SocketException: Error connecting to".

I had to look in the server log to see the real error:

Error receiving request from client: SSLHandshakeFailed: The server is configured to only allow SSL connections. Ending connection from 127.0.0.1:45476 (connection id: 1)

That is what should have been displayed by the client.



 Comments   
Comment by Spencer Jackson [ 23/Dec/19 ]

Hi dandv, I'm afraid the behaviour you've described isn't currently possible given the design of the MongoDB wire protocol. Servers in requireTLS mode are not expected to parse messages that aren't protected by TLS. In order to synthesize a reply outside of the command dispatch layer, the server would need to extract information from the request.

If you have any further questions, please feel free to re-open or reply.
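
A client-side check for the situation in this ticket, as an added example that is not part of the original issue or MongoDB's code: it sends a plaintext isMaster, and if the peer closes the connection it retries with a TLS handshake, which separates a TLS-only listener from a wrong port. The function names and result labels are assumptions made for this example.

```python
import socket
import ssl
import struct

def ismaster_op_msg():
    """Plaintext OP_MSG (opcode 2013) carrying {isMaster: 1, $db: "admin"}."""
    body = b"\x10" + b"isMaster\x00" + struct.pack("<i", 1)
    body += b"\x02" + b"$db\x00" + struct.pack("<i", 6) + b"admin\x00"
    doc = struct.pack("<i", len(body) + 5) + body + b"\x00"
    payload = struct.pack("<I", 0) + b"\x00" + doc  # flagBits, section kind 0
    return struct.pack("<iiii", 16 + len(payload), 1, 0, 2013) + payload

def probe_plaintext(host, port, timeout=3.0):
    """Return 'refused', 'closed_by_peer', 'replied' or 'timeout'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(ismaster_op_msg())
            return "replied" if s.recv(16) else "closed_by_peer"
    except ConnectionRefusedError:
        return "refused"
    except (ConnectionResetError, BrokenPipeError):
        return "closed_by_peer"
    except socket.timeout:
        return "timeout"

def probe_tls(host, port, timeout=3.0):
    """True if the port completes a TLS handshake. Certificate checks are off
    because this only asks whether the port speaks TLS; no data is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return True
    except OSError:  # includes ssl.SSLError
        return False

def explain(plain, tls_ok):
    """Map the two probe results to a label (labels are this example's own)."""
    if plain == "refused":
        return "not_listening"   # wrong port or server down
    if plain == "closed_by_peer" and tls_ok:
        return "tls_required"    # the case in this ticket: reconnect with TLS
    return "plaintext_ok" if plain == "replied" else "inconclusive"

def diagnose(host, port):
    plain = probe_plaintext(host, port)
    return explain(plain, plain == "closed_by_peer" and probe_tls(host, port))
```
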

Comment by Carl Champain (Inactive) [ 18/Dec/19 ]

Hi dandv,

Thanks for the report.
I'm passing this ticket along to the Security team for additional investigation.

Kind regards,
Carl
 
