norman

norman

MongoDB and SSL ciphers - failed to connect

Hi there,

I have been fighting all day trying to connect to a MongoDB server in the Cloud (MongoDB Atlas) with no success so far.

MongoDB Atlas enforces SSL to connect to their servers and here is the issue as I am getting “failed to connect: ** (Mongo.Error) ssl connect: TLS Alert: handshake failure - {:tls_alert, ‘handshake failure’}”.

I can connect with no issue using the mongo-shell with the “–ssl” option so the connectivity is ok. When I check the logs on the server side I am getting “SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher”. I checked with openssl and the expected cipher is AES256-GCM-SHA384.

After looking for a solution online I saw that there was a few issue with Elixir and SSL connectivity. I tried to play with ssl_opts using something like :

Mongo.start_link(
database: "admin", 
hostname: "cluster-name.mongodb.net:27017",
ssl: true,
ssl_opts: [
  ciphers: ["{:aes_256_gcm, :sha384}"], #also tried with ["AES256-GCM-SHA384"]
  versions: [:"tlsv1.2"]
]
)

I had no success so far and I am not sure where to dig as I am not familiar with Elixir. Any help would be kindly appreciated.

Cheers,
Norman

Marked As Solved

voltone

voltone

To select cipher suites using the ciphers option, you can either use tuple format (no quotes) or an OpenSSL-style name as a charlist (in single quotes). Your code example uses tuple format, but with double quotes. Also, the tuple is incomplete: it does not have a key exchange and RNG entry.

So if the expected cipher suite is in fact AES256-GCM-SHA384, specify either:

ciphers: [{:rsa, :aes_256_gcm, :aead, :sha384}],

or

ciphers: ['AES256-GCM-SHA384'],

Erlang/OTP 21 and later does not enable this cipher suite by default, since it uses RSA key exchange which is considered week. If the server indeed only supports this option, and not the variant with ECDHE or DHE key exchange, then that would explain why you can’t connect, though it would be a weird choice on the server side.

Another thing to note is that Erlang/OTP 20.3 had an issue with AEAD ciphers, so you’d need to upgrade to 21 or to the latest patch level of 20.3 to use this cipher suite.

Also Liked

voltone

voltone

BTW, if you’ll forgive the shameless plug, I will be talking about this and more at Code BEAM Lite Amsterdam

Cadamis

Cadamis

Incredible, I’ve also been struggling all day to connect to an AWS Mongo cluster, and this cipher answer was EXACTLY what I needed. Thank you so much voltone!

norman

norman

Hi Voltone,

Thank you so much for your reply that actually solved the problem. I replaced the double quotes by the simple quotes in ciphers: ['AES256-GCM-SHA384'], as you suggested and it just worked !

I find a bit confusing that no parser let you know that the syntax is incorrect when you run the application but good to know for the future.

Thank you again for helping in solving this issue. We can close this case.

Cheers,
Norman

Where Next?

Popular in Questions Top

dotdotdotPaul
Okay, I'm having a heck of a time trying to figure out how to best handle the validation of belongs_to associations in Ecto. I'm sure I'...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New
openscript
Hello! Sorry for this astonishing simple question, but I’m really stuck. I try to set up the intellij-elixir plugin, but I don’t know ho...
New
nsuchy
Hi. I’ve noticed that Windows Powershell has it’s own IEX command and you cannot access Elixir’s IEX due to the conflict. This isn’t a cr...
New
lk-geimfari
What is most correct way to open, read and parse JSON file with poison? For example if we have example.json file in root of some projec...
New
stefanchrobot
What’s the safe way to decode a JSON string into a struct? I want to avoid calling String.to_atom. Jason.decode can give me a map with st...
New
vac
Hi, I'm quite new in Elixir and I'm trying to format a string to a PEM format. I have the certificate value like MIIDBTCCAe2...... and ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New

Other popular topics Top

JDanielMartinez
Hi! May someone helps me, please! I have two apps into an umbrella project: the first one is Database, which manages queries, and the se...
New
axelson
This post is a wiki (feel free to hit the edit button near the bottom right of this post to add your own changes!) This post collects co...
239 45766 226
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
_russellb
I want to try my hand at web scraping. What tools/libraries do I need to use. I’m hoping to turn this into something professional so don’...
New
lk-geimfari
What is most correct way to open, read and parse JSON file with poison? For example if we have example.json file in root of some projec...
New
mgjohns61585
Could someone help me? I'm making my first elixir program, number guessing game. I can't figure out how to convert the user's guess from ...
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
chrisalley
ExUnit now has describe blocks which is a welcome addition coming from RSpec. In the docs, it states that nested hierarchies of describe ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
AstonJ
by Lance Halvorsen Elixir and Phoenix are generating tremendous excitement as an unbeatable platform for building modern web application...
460 27162 124
New

We're in Beta

About us Mission Statement