[SERVER-83695] Customer facing SSL certificate errors PyMongo v6.0: "Unsafe Legacy Renegotiation" Created: 28/Nov/23  Updated: 03/Feb/24  Resolved: 18/Dec/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Jib Adegunloye Assignee: Gabriel Marks
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to DRIVERS-2823 Ensure openssl legacy unsafe renegoti... Investigating
Assigned Teams:
Server Security
Operating System: ALL
Sprint: Security 2023-12-11, Security 2023-12-25
Participants:

 Description   

Linked Ticket: HELP-51899

Customer reports now being unable to connect to Mongo Server v6.0. Further troubleshooting showed: 

Customer installed pymongo with OCSP extension and is still facing the error. Please observe the below details shared by the customer.

after installing ocsp, when I tried to run the project code, here's the error,

raise ServerSelectionTimeoutError(
pymongo.errors.ServerSelectionTimeoutError: SSL handshake failed: test-shard-00-02.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')],SSL handshake failed: test-shard-00-01.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')],SSL handshake failed: test-shard-00-00.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')], Timeout: 30s, Topology Description: <TopologyDescription id: 655d9db56926ac5f551bf8d4, topology_type: ReplicaSetNoPrimary, servers: [<ServerDescription ('test-shard-00-00.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-00.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>, <ServerDescription ('test-shard-00-01.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-01.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>, <ServerDescription ('test-shard-00-02.vkupj.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect("SSL handshake failed: test-shard-00-02.vkupj.mongodb.net:27017[('SSL routines', '', 'unsafe legacy renegotiation disabled')]")>]>

 

Which should mean the server is attempting renegotiation. However, PyOpenSSL exposed the `OP_NO_RENEGOTATION` flag since 22.0.0 and the customer is on 23.2.0. We're thinking of supporting renegotation through pymongo by adding the OP_LEGACY_SERVER_CONNECT flag. 

 

This end result has led to two main questions: 

  1. Is this the correct deduction of the issue the customer is facing? Is there enough evidence from the HELP ticket to support that this may be server-side?
  2. Irregardless of the true issue the customer is facing, Is there anything wrong with introducing a flag to support OP_LEGACY_SERVER_CONNECT for server connection? Would that expose the client to a potential MITM attack?

 



 Comments   
Comment by Jib Adegunloye [ 28/Nov/23 ]

ping: spencer.jackson@mongodb.com 

Generated at Thu Feb 08 06:52:54 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.