...
These tests used the following server config:

    $ cat config.txt
    bind_ip=localhost
    port=27017
    ipv6=true
    sslOnNormalPorts=true
    sslWeakCertificateValidation=true
    sslCAFile=/Users/shane/git/mongo-python-driver/test/certificates/ca.pem
    sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/server.pem
    dbpath=/var/folders/lm/b1r2f8p503xg40r6x2rqv7fr0000gp/T/mongo-oy2q7nj0
    setParameter = enableTestCommands=1

And the self signed certificates from the Python driver: https://github.com/mongodb/mongo-python-driver/tree/3.6.1/test/certificates

When I start a 3.7.9 server with SSL and attempt to connect without --allowInvalidCertificates I get an error as expected:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
    2018-05-02T13:01:36.858-0700 I NETWORK [main] Secure Transport Initialized
    2018-05-02T13:01:36.858-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
    MongoDB shell version v3.7.9
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T13:01:36.927-0700 E NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected
    2018-05-02T13:01:36.928-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED; connection rejected :
    connect@src/mongo/shell/mongo.js:251:13
    @(connect):1:6
    exception: connect failed

This error message is a little bit less clear than the OpenSSL error you get in 3.4:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem
    MongoDB shell version v3.4.14
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T13:03:43.607-0700 E NETWORK [thread1] SSL peer certificate validation failed: self signed certificate in certificate chain
    2018-05-02T13:03:43.610-0700 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for SSL peer certificate validation failed: self signed certificate in certificate chain :
    connect@src/mongo/shell/mongo.js:240:13
    @(connect):1:6
    exception: connect failed

With --sslAllowInvalidCertificates the connection succeeds:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
    2018-05-02T13:16:06.009-0700 I NETWORK [main] Secure Transport Initialized
    2018-05-02T13:16:06.009-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
    MongoDB shell version v3.7.9
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T13:16:06.086-0700 W NETWORK [js] SSL peer certificate validation failed: Certificate trust failure: CSSMERR_TP_NOT_TRUSTED
    MongoDB server version: 3.7.9
    Server has startup warnings:
    ...

However, starting a 3.4 server with SSL and attempting to connect with the 3.7.9 mongo shell results in an error:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
    2018-05-02T13:03:50.995-0700 I NETWORK [main] Secure Transport Initialized
    2018-05-02T13:03:50.995-0700 I NETWORK [main] Client Certificate Name: C=US,ST=California,L=Palo Alto,O=,OU=Drivers,CN=client
    MongoDB shell version v3.7.9
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T13:03:51.037-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: Secure.Transport: -9801 :
    connect@src/mongo/shell/mongo.js:251:13
    @(connect):1:6
    exception: connect failed

Starting a 3.7.9 server with SSL and attempting to connect with the 3.4 mongo shell also fails:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
    MongoDB shell version v3.4.14
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T13:11:59.988-0700 E QUERY [thread1] Error: socket exception [CLOSED] for 127.0.0.1:27017 :
    connect@src/mongo/shell/mongo.js:240:13
    @(connect):1:6
    exception: connect failed

Is this expected?
shane.harvey commented on Wed, 2 May 2018 22:06:54 +0000:

Duplicate of SERVER-33329

shane.harvey commented on Wed, 2 May 2018 22:05:51 +0000:

I think this was fixed by SERVER-33329. Starting a 3.4 server with SSL and attempting to connect with the latest mongo shell results in a clearer error:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.7.9-88-g17e5914/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
    MongoDB shell version v3.7.9-88-g17e5914
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T15:02:45.482-0700 E QUERY [js] Error: couldn't connect to server 127.0.0.1:27017, connection attempt failed: SocketException: unsupported protocol :
    connect@src/mongo/shell/mongo.js:251:13
    @(connect):1:6
    exception: connect failed

Starting the latest server with SSL and attempting to connect with the 3.4 mongo shell fails because TLS 1.0 is disabled:

    $ /Users/shane/Downloads/mongodb-osx-x86_64-enterprise-3.4.14/bin/mongo --ssl --sslPEMKeyFile=/Users/shane/git/mongo-python-driver/test/certificates/client.pem --sslAllowInvalidCertificates
    MongoDB shell version v3.4.14
    connecting to: mongodb://127.0.0.1:27017
    2018-05-02T15:02:06.473-0700 E NETWORK [thread1] SSL: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
    2018-05-02T15:02:06.474-0700 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for :
    connect@src/mongo/shell/mongo.js:240:13
    @(connect):1:6
    exception: connect failed
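The handshake failures in this ticket have three distinct causes that the shell reports with varying clarity: a certificate chain the client does not trust (CSSMERR_TP_NOT_TRUSTED, "self signed certificate in certificate chain"), a protocol version the peer refuses ("tlsv1 alert protocol version", "unsupported protocol", the 3.4 shell's TLS 1.0 against a server with it disabled), and a peer that simply closes the socket (socket exception [CLOSED]). The following Python script is an added diagnostic example, not code from this ticket or from MongoDB: it probes a host one TLS version at a time with the standard library's ssl module and classifies each failure so the three causes can be told apart without reading the shell's wording. The host, port and CA file path (for example the ca.pem that signed server.pem) are supplied by the caller; the allow_invalid flag plays the role of --sslAllowInvalidCertificates.

```python
"""Probe a TLS server one protocol version at a time and classify each
handshake failure. Added diagnostic example (not MongoDB or ticket code);
host, port and the CA file path are assumptions supplied by the caller."""
import socket
import ssl
import sys

# Oldest to newest. ssl.TLSVersion exists in Python 3.7+.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def classify_handshake_error(exc):
    """Map an exception raised during connect/handshake to a coarse cause.

    'untrusted_certificate' covers the CSSMERR_TP_NOT_TRUSTED and
    'self signed certificate in certificate chain' cases, 'protocol_version'
    the 'tlsv1 alert protocol version' / 'unsupported protocol' cases, and
    'connection_closed' a peer that drops the socket without a TLS alert.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted_certificate"
    if isinstance(exc, ssl.SSLError):
        text = str(exc).lower()
        if "protocol version" in text or "unsupported protocol" in text:
            return "protocol_version"
        if "wrong version number" in text:
            # OpenSSL's error when the peer answered with non-TLS bytes,
            # e.g. a server started without sslOnNormalPorts.
            return "plaintext_peer"
        if "eof" in text or "shutdown while in init" in text:
            return "connection_closed"
        return "other_ssl_error"
    if isinstance(exc, ValueError):
        # Raised while building the context when the local OpenSSL build
        # refuses to enable the requested version at all.
        return "version_unavailable_locally"
    if isinstance(exc, ConnectionRefusedError):
        return "connection_refused"
    if isinstance(exc, (ConnectionResetError, BrokenPipeError, EOFError)):
        return "connection_closed"
    return "other"


def make_context(version, cafile=None, allow_invalid=False):
    """Client context pinned to exactly one TLS version.

    allow_invalid mirrors --sslAllowInvalidCertificates: the chain is not
    verified, so the probe then only reports on protocol support.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    if allow_invalid:
        ctx.check_hostname = False   # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif cafile:
        ctx.load_verify_locations(cafile)   # e.g. the ca.pem behind server.pem
    else:
        ctx.load_default_certs()
    return ctx


def probe_tls_versions(host, port, cafile=None, allow_invalid=False, timeout=5.0):
    """Return {version_name: 'ok (...)' or cause} for each TLS version tried."""
    results = {}
    for version in VERSIONS:
        try:
            ctx = make_context(version, cafile, allow_invalid)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version.name] = "ok (%s, %s)" % (tls.version(), tls.cipher()[0])
        except Exception as exc:  # every failure is data here, so classify it all
            results[version.name] = classify_handshake_error(exc)
    return results


if __name__ == "__main__":
    # usage: python tls_probe.py HOST PORT [CAFILE]   (HOST/PORT/CAFILE are yours)
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    for name, outcome in probe_tls_versions(host, port, cafile).items():
        print("%-8s %s" % (name, outcome))
```

Run with the CA file first: an "untrusted_certificate" result on every version means the chain, not the protocol, is the problem, which is the case the 3.7.9 shell reports as CSSMERR_TP_NOT_TRUSTED. Run again with allow_invalid=True to see which versions the server actually negotiates; a server that answers "protocol_version" for TLSv1 and "ok" for TLSv1_2 is the situation the 3.4 shell hits against the newer server. Note that on current OpenSSL builds TLS 1.0 and 1.1 may fail locally regardless of the server, which the probe reports rather than hides.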