
I'm using mongoc 1.2.0 successfully. I'm now trying to add an SSL-enabled connection in two modes:

  1. Only require SSL, no certificate check
  2. Provide a certificate and verify it, including the hostname

For 1 I get a segmentation fault:

#0 0x00002ac83368e3c8 in ssl23_connect () from libarepbase.so
#1 0x00002ac83aedb8fc in ?? () from /usr/lib64/libssl.so.10
#2 0x00002ac83ac78423 in mongoc_stream_tls_do_handshake () from libmongoc-1.0.so.0
#3 0x00002ac83ac527f3 in mongoc_async_cmd_tls_setup () from libmongoc-1.0.so.0
#4 0x00002ac83ac5226c in _mongoc_async_cmd_phase_setup () from libmongoc-1.0.so.0
#5 0x00002ac83ac5241d in mongoc_async_cmd_run () from libmongoc-1.0.so.0
#6 0x00002ac83ac51dbc in mongoc_async_run () from libmongoc-1.0.so.0
#7 0x00002ac83ac6f47c in mongoc_topology_scanner_work () from libmongoc-1.0.so.0
#8 0x00002ac83ac6d4d8 in _mongoc_topology_run_scanner () from libmongoc-1.0.so.0
#9 0x00002ac83ac6d5f4 in mongoc_topology_select () from libmongoc-1.0.so.0
#10 0x00002ac83ac59351 in mongoc_cluster_select_by_optype () from libmongoc-1.0.so.0
#11 0x00002ac83ac5e126 in _mongoc_cursor_next () from libmongoc-1.0.so.0
#12 0x00002ac83ac5e635 in mongoc_cursor_next () from libmongoc-1.0.so.0
#13 0x00002ac83ac54e19 in _mongoc_client_command_simple_with_hint () from libmongoc-1.0.so.0
#14 0x00002ac83ac54eeb in mongoc_client_command_simple () from libmongoc-1.0.so.0
#15 0x00002ac83a80d983 in mongodb_new_client () from libarepmongodb.so

For 2 I get: No suitable servers found ('serverselectiontryonce' set) and error code: 120414

The server conf is:

net:
    ssl:
        mode: requireSSL
        PEMKeyFile: /etc/mongodb-ssl.pem

and the cert has the correct hostname (server CN). The code looks a bit like this, with ssl=true in the URL used to start the client; the line that sets pem_file is not executed for mode 1:

#include <mongoc.h>     /* mongoc_client_t, mongoc_ssl_opt_t, bson_t */
#include <stdbool.h>    /* mongoc uses C99 bool, not TRUE/FALSE */

/* client (created from a URI with ssl=true) and error (bson_error_t *)
   come from the enclosing function */
mongoc_ssl_opt_t ssl_opts = *mongoc_ssl_opt_get_default();
ssl_opts.weak_cert_validation = true;       /* mode 1: skip cert validation */
ssl_opts.pem_file = "path to pem here";     /* only set in mode 2 */
mongoc_client_set_ssl_opts(client, &ssl_opts);
bool ret = false;
bson_t cmd = BSON_INITIALIZER;
bson_t reply;

BSON_APPEND_INT32 (&cmd, "buildInfo", 1);

/* first command triggers the handshake; this is where the crash happens */
ret = mongoc_client_command_simple (client, "admin", &cmd, NULL, &reply, error);

When I run: /mongo host/admin -u user -p pass --ssl --sslAllowInvalidCertificates I can log in, but I see: 2017-03-28T18:14:36.149+0300 W NETWORK [thread1] SSL peer certificate validation failed: self signed certificate. But I guess this is because I'm using a self-signed certificate, and ssl_opts.weak_cert_validation = TRUE should handle it?

  • *"... and the cert has the correct hostname (server CN)"* - ***`CN=www.example.com`*** is probably wrong. Hostnames always go in the *SAN*. If it's present in the *CN*, then it must be present in the *SAN* too (you have to list it twice). For more rules and reasons, see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). Two other items of interest: (1) TLS 1.0 and above; and (2) Server Name Indication (SNI). – jww Mar 29 '17 at 09:55
  • Thanks for the awesome input regarding the SSL setup, but there's still an issue with the mongoc driver: if the pem_file argument is left empty I get a segfault even if I don't want to use a pem file. – sagioto Apr 02 '17 at 17:53
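The following is an added example, not code from the question, from mongoc or from the commenters. It builds the certificate material that mode 2 (verify the server certificate including its hostname) depends on: a throwaway test CA, a server certificate whose hostname is in the SAN as the comment above asks for, the key-plus-certificate layout that mongod's net.ssl.PEMKeyFile expects, and a check with the openssl CLI that the certificate chains to the CA and matches the expected hostname while a different hostname is rejected. The hostname `mongo.example.test`, the file names and the `make_chain`/`verify_server`/`pem_blocks` helpers are choices made here; it assumes an openssl binary recent enough to support `verify -verify_hostname` (1.1.0 or later).

```shell
#!/bin/sh
# Added example (not the asker's or mongoc's code): create a test CA, issue a
# server certificate with the hostname in the SAN, assemble mongod's PEMKeyFile
# layout, and verify chain + hostname with openssl. All names are constructed.
set -u

# make_chain DIR HOST
# Writes ca.pem, server.key, server.crt and mongodb-ssl.pem into DIR.
make_chain() {
    dir="$1"; host="$2"
    # self-signed test CA (the client's ca_file in mode 2 would point at ca.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=test-ca" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    # server key and CSR; the CN alone is not what validators look at
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # hostname goes into the subjectAltName extension
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/server.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
    # mongod's net.ssl.PEMKeyFile is the private key and the certificate in one file
    cat "$dir/server.key" "$dir/server.crt" > "$dir/mongodb-ssl.pem"
}

# verify_server CAFILE CERT HOST
# Exit 0 only if CERT chains to CAFILE and its SAN matches HOST.
verify_server() {
    openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# pem_blocks FILE
# Number of PEM blocks; a PEMKeyFile missing its key or its cert shows fewer than 2.
pem_blocks() {
    grep -c -- '-----BEGIN' "$1"
}

# Stand-alone run: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_chain "$work" mongo.example.test
    echo "PEM blocks in mongodb-ssl.pem: $(pem_blocks "$work/mongodb-ssl.pem")"
    if verify_server "$work/ca.pem" "$work/server.crt" mongo.example.test; then
        echo "mongo.example.test: chain and hostname OK"
    fi
    if ! verify_server "$work/ca.pem" "$work/server.crt" other.example.test; then
        echo "other.example.test: rejected as expected"
    fi
    rm -rf "$work"
fi
```

The openssl check mirrors what the driver does in mode 2 when `ssl_opts.ca_file` points at `ca.pem` and `weak_cert_validation` stays false: chain validation plus a hostname match against the SAN. It does not exercise mongoc itself, so it cannot reproduce the mode 1 crash; it only rules out the certificate material as the cause of the "No suitable servers found" result in mode 2.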

0 Answers