[SERVER-66648] mongo client has inconsistent options for TLS/SSL when using +srv connection string Created: 21/May/22  Updated: 02/Aug/22  Resolved: 02/Aug/22

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Przemek Malkowski Assignee: Chris Kelly
Resolution: Won't Fix Votes: 0
Labels: mongo
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Description

Problem Statement/Rationale

There is confusion between the TLS and SSL options for secure connections. According to the documentation, the SSL options are deprecated, but the two sets of options are exactly identical in functionality.

However, the client does not handle the two equally, which may be very confusing to those who assume TLS may be more secure than SSL.

Steps to Reproduce

Note the difference below between using:

?tls=false&ssl=true

vs

?tls=true&ssl=false

$ mongo --host="mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=false&ssl=true"
MongoDB shell version v5.0.8
connecting to: mongodb://covid-19-shard-00-02.hip2i.mongodb.net:27017,covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017/covid19?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=covid-19-shard-0&ssl=true&tls=false
Implicit session: session { "id" : UUID("77a4ef8a-53e3-414f-87b2-385b9bd283bf") }
MongoDB server version: 4.4.14
WARNING: shell and server versions do not match
================
Warning: the "mongo" shell has been superseded by "mongosh",
which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in
an upcoming release.
For installation instructions, see
https://docs.mongodb.com/mongodb-shell/install/
================
MongoDB Enterprise covid-19-shard-0:PRIMARY> 

vs

$ mongo --host="mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false"
MongoDB shell version v5.0.8
connecting to: mongodb://covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017,covid-19-shard-00-02.hip2i.mongodb.net:27017/covid19?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=covid-19-shard-0&ssl=false&tls=true
{"t":{"$date":"2022-05-21T12:47:47.450Z"},"s":"I",  "c":"NETWORK",  "id":4333208, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM host selection timeout","attr":{"replicaSet":"covid-19-shard-0","error":"FailedToSatisfyReadPreference: Could not find host matching read preference { mode: \"nearest\" } for set covid-19-shard-0"}}
*** You have failed to connect to a MongoDB Atlas cluster. Please ensure that your IP allowlist allows connections from your network.
Error: Could not find host matching read preference { mode: "nearest" } for set covid-19-shard-0, covid-19-shard-0/covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017,covid-19-shard-00-02.hip2i.mongodb.net:27017 :
connect@src/mongo/shell/mongo.js:372:17
@(connect):2:6
exception: connect failed
exiting with code 1

Expected Results

A similar test with mongosh gives consistent results:

$ mongosh "mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false"
Current Mongosh Log ID:    6288e053ca539b523e7e77fd
Connecting to:        mongodb+srv://<credentials>@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false&appName=mongosh+1.4.2
MongoParseError: All values of tls/ssl must be the same.
$ mongosh "mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=true"
Current Mongosh Log ID:    6288e05c90bfa6516e2dea9e
Connecting to:        mongodb+srv://<credentials>@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=true&appName=mongosh+1.4.2
Using MongoDB:        4.4.14
Using Mongosh:        1.4.2

Actual Results

With tls=true&ssl=false, the mongo client does not connect to a server that requires TLS/SSL, but with tls=false&ssl=true it connects, and TLS is in fact used for the connection.
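As an added example (not code from the mongo shell or mongosh), this is the fail-closed check that mongosh applies and the legacy shell does not: every tls/ssl alias in the query string must agree, otherwise the URI is rejected instead of one alias silently winning. The hostnames in the demo URIs are constructed placeholders.

```javascript
// Added example, not mongo/mongosh source code. Mirrors the mongosh rule
// "All values of tls/ssl must be the same." so that a contradictory URI
// fails closed rather than being connected with whichever alias wins.

const TLS_ALIASES = new Set(["tls", "ssl"]);

// Split the query string by hand: MongoDB URIs may carry comma-separated
// host lists that the WHATWG URL parser rejects outright.
function parseQuery(uri) {
  const q = uri.indexOf("?");
  const params = [];
  if (q === -1) return params;
  for (const pair of uri.slice(q + 1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq === -1 ? pair : pair.slice(0, eq)).toLowerCase();
    const value = eq === -1 ? "" : decodeURIComponent(pair.slice(eq + 1));
    params.push([key, value]);
  }
  return params;
}

// Returns the effective TLS setting (true/false) or throws when the
// tls/ssl options contradict each other or are not booleans.
function resolveTls(uri) {
  const seen = new Set();
  for (const [key, value] of parseQuery(uri)) {
    if (!TLS_ALIASES.has(key)) continue;
    const v = value.toLowerCase();
    if (v !== "true" && v !== "false") {
      throw new Error(`${key}=${value} is not a boolean`);
    }
    seen.add(v === "true");
  }
  if (seen.size > 1) throw new Error("All values of tls/ssl must be the same.");
  if (seen.size === 1) return [...seen][0];
  // No explicit option: mongodb+srv:// defaults to TLS on, mongodb:// to off.
  return uri.startsWith("mongodb+srv://");
}

// Constructed URIs with placeholder hosts; the second is the ticket's failing case.
for (const uri of [
  "mongodb+srv://user:pw@cluster.example.invalid/db?tls=true&ssl=true",
  "mongodb+srv://user:pw@cluster.example.invalid/db?tls=true&ssl=false",
  "mongodb://localhost:27017/db?ssl=false",
]) {
  try {
    console.log(`${uri} -> tls=${resolveTls(uri)}`);
  } catch (err) {
    console.log(`${uri} -> rejected: ${err.message}`);
  }
}
```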



Comments
Comment by Chris Kelly [ 02/Aug/22 ]

Przemek,

Given that the legacy mongo shell is deprecated, I don't expect this one to be on the radar to be fixed. The net.tls settings provide identical functionality to the net.ssl options since MongoDB has always supported TLS 1.0 and later, so this sounds redundant.

Thanks for your report, and your attention to detail in describing this issue!

Regards,
Christopher

Comment by Przemek Malkowski [ 15/Jul/22 ]

Hi Chris,

Sorry for the late response.

Please notice that I used your public MongoDB servers in my example; the connection string points to an instance in the *mongodb.net network. So, you should be able to check the mongod config from there.

As seen in the example, your MongoDB Atlas cluster requires SSL/TLS to connect.


Now, mongo client should probably not accept ?tls=true&ssl=false params, as they contradict, right?

See the mongosh client message for consideration:

MongoParseError: All values of tls/ssl must be the same.


Comment by Chris Kelly [ 31/May/22 ]

Hi Przemek,

Just for some more context, it would be helpful to get the following information:

  • Your mongod config for the node you are connecting to
  • How do you know it's actually using TLS? (I'm interested to see your config file for more information)

I was able to reproduce this issue on 5.0.7 using the latest mongosh - I was able to connect to a standalone mongod using tls=false, ssl=true with TLS configured and set to preferTLS.

Generated at Thu Feb 08 06:06:02 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.