Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
Issue Status as of Feb 09, 2015 ISSUE SUMMARY Applications may be unable to reuse a session to a MongoDB instance when using a driver which uses TLS session tickets. Currently, the C# driver is the only driver known to produce this issue. Connection attempts meeting the following criteria may encounter this issue: The connection is secured with SSL The connection is closed and reopened using a TLS session ticket The server must have been started with --sslCAFile USER IMPACT Attempting to reopen connections secured with SSL using an affected driver may result in the server closing the socket and emitting an error to its logs resembling the following message: ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized WORKAROUNDS Disable the use of TLS session tickets in your driver. For the C# driver on Windows, set the ClientCacheTime registry key to 0. Note that this is a global setting which will affect all programs running on the machine. There are no known workarounds for other software environments. AFFECTED VERSIONS MongoDB production releases between 2.4.7 and 2.6.7, inclusive, are affected. FIX VERSION The fix is included in the 2.6.8 production release. RESOLUTION DETAILS OpenSSL requires an SSL session id context in order to perform peer validation when re-establishing a session, whether from the session cache, or from a TLS session ticket. Because MongoDB disabled the session cache in 2.4.7 and unset the session id context, clients attempting to restore a session from a ticket would cause OpenSSL to fail. To fix this, the SSL session cache has been re-enabled, and the session id context is saved. Original description Something in Windows SChannel doesn't respect the no SSL Session Caching change made in SERVER-10261. This breaks any MongoDB driver on Windows that uses SChannel. The currently available workaround is to set the ClientCacheTime registry key to 0 to disable caching, however this is a system wide change which could have unforeseen consequences in a server environment.
xgen-internal-githook commented on Mon, 9 Feb 2015 21:53:43 +0000: Author: {u'username': u'ramonfm', u'name': u'Ramon Fernandez', u'email': u'ramon.fernandez@mongodb.com'} Message: SERVER-17022 Update assert code to avoid conflicts in v3.0 branch (cherry picked from commit e6e989f7fcf70d5bf5a5645b6927ac7a889dd5b7) Branch: v2.6 https://github.com/mongodb/mongo/commit/1dd33f490c47f8e4bc01f11931b62a463fe4fbca xgen-internal-githook commented on Mon, 9 Feb 2015 21:51:28 +0000: Author: {u'username': u'ramonfm', u'name': u'Ramon Fernandez', u'email': u'ramon.fernandez@mongodb.com'} Message: SERVER-17022 Update assert code to avoid conflicts in v3.0 branch (cherry picked from commit e6e989f7fcf70d5bf5a5645b6927ac7a889dd5b7) Branch: v3.0 https://github.com/mongodb/mongo/commit/43ea13bb5995ed1a1907ccb9f49b76daba2b27b2 xgen-internal-githook commented on Mon, 9 Feb 2015 21:51:22 +0000: Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: SERVER-17022 Re-enable SSL caching as it didn't fix SERVER-10261 (cherry picked from commit 74e5e2904304bef4b874c4ba68fe4e6671e1c12b) Branch: v3.0 https://github.com/mongodb/mongo/commit/656c47bc864f5fa2a1c95fbdd2cf671d7d6ab669 xgen-internal-githook commented on Mon, 9 Feb 2015 21:40:18 +0000: Author: {u'username': u'ramonfm', u'name': u'Ramon Fernandez', u'email': u'ramon.fernandez@mongodb.com'} Message: SERVER-17022 Update assert code to avoid conflicts in v3.0 branch Branch: master https://github.com/mongodb/mongo/commit/e6e989f7fcf70d5bf5a5645b6927ac7a889dd5b7 xgen-internal-githook commented on Mon, 9 Feb 2015 17:07:47 +0000: Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: SERVER-17022 Re-enable SSL caching as it didn't fix SERVER-10261 (cherry picked from commit 74e5e2904304bef4b874c4ba68fe4e6671e1c12b) Branch: v2.6 https://github.com/mongodb/mongo/commit/78d52ff64110f5590e60554c4ba58a68772e61df xgen-internal-githook commented on Sun, 8 Feb 2015 17:56:26 +0000: Author: {u'username': u'spencerjackson', u'name': u'Spencer Jackson', u'email': u'spencer.jackson@mongodb.com'} Message: SERVER-17022 Re-enable SSL caching as it didn't fix SERVER-10261 Branch: master https://github.com/mongodb/mongo/commit/74e5e2904304bef4b874c4ba68fe4e6671e1c12b mark.benvenuto commented on Mon, 26 Jan 2015 19:43:18 +0000: The SCHANNEL_CRED structure has a member variable called dwSessionLifespan which controls the session cache timeout for an individual session. Would this work for the C# driver? The number of milliseconds that Schannel keeps the session in its session cache. After this time has passed, any new connections between the client and the server require a new Schannel session. Set the value of this member to zero to use the default value of 36000000 milliseconds (ten hours).
Run MongoDB 2.4.6 on Linux with SSL, connecting from a Windows client running the 1.9.2 version of the C# driver. Execute a script such that many connections are opened in parallel. (See attached C# class file) This test will result in an error free run of the script. Shutdown 2.4.6 and start 2.4.7 with otherwise identical settings. Run the script again, this will result in errors such as: Server Errors Thu Jan 22 00:18:30.074 [conn13] ERROR: error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized Thu Jan 22 00:18:30.074 [conn13] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR] Client Errors Authentication failed because the remote party has closed the transport stream.