MongoDB and SSL ciphers - failed to connect

Hi there,

I have been fighting all day trying to connect to a MongoDB server in the Cloud (MongoDB Atlas) with no success so far.

MongoDB Atlas enforces SSL to connect to their servers and here is the issue as I am getting “failed to connect: ** (Mongo.Error) ssl connect: TLS Alert: handshake failure - {:tls_alert, ‘handshake failure’}”.

I can connect with no issue using the mongo-shell with the “–ssl” option so the connectivity is ok. When I check the logs on the server side I am getting “SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher”. I checked with openssl and the expected cipher is AES256-GCM-SHA384.

After looking for a solution online I saw that there was a few issue with Elixir and SSL connectivity. I tried to play with ssl_opts using something like :

database: "admin", 
hostname: "",
ssl: true,
ssl_opts: [
  ciphers: ["{:aes_256_gcm, :sha384}"], #also tried with ["AES256-GCM-SHA384"]
  versions: [:"tlsv1.2"]

I had no success so far and I am not sure where to dig as I am not familiar with Elixir. Any help would be kindly appreciated.


1 Like

To select cipher suites using the ciphers option, you can either use tuple format (no quotes) or an OpenSSL-style name as a charlist (in single quotes). Your code example uses tuple format, but with double quotes. Also, the tuple is incomplete: it does not have a key exchange and RNG entry.

So if the expected cipher suite is in fact AES256-GCM-SHA384, specify either:

ciphers: [{:rsa, :aes_256_gcm, :aead, :sha384}],


ciphers: ['AES256-GCM-SHA384'],

Erlang/OTP 21 and later does not enable this cipher suite by default, since it uses RSA key exchange which is considered week. If the server indeed only supports this option, and not the variant with ECDHE or DHE key exchange, then that would explain why you can’t connect, though it would be a weird choice on the server side.

Another thing to note is that Erlang/OTP 20.3 had an issue with AEAD ciphers, so you’d need to upgrade to 21 or to the latest patch level of 20.3 to use this cipher suite.

1 Like

Hi Voltone,

Thank you so much for your reply that actually solved the problem. I replaced the double quotes by the simple quotes in ciphers: ['AES256-GCM-SHA384'], as you suggested and it just worked !

I find a bit confusing that no parser let you know that the syntax is incorrect when you run the application but good to know for the future.

Thank you again for helping in solving this issue. We can close this case.


1 Like

Yeah, that’s an unfortunate behaviour of the ssl application. For posterity, here’s a bit more background:

Cipher suites can be passed in as lists of tuples, binaries or charlists. Tuples must match the 3- or 4-tuple values returned from :ssl.cipher_suites(), binaries must match the numerical IDs from the RFCs (e.g. <<0x00, 0x9D>>), and charlists must match one of the OpenSSL-style cipher suites actually known to ssl. Unrecognised entries are silently ignored, based on the assumption that they might be valid suites unavailable on the current VM, e.g. depending on OpenSSL version.

If no entries are left in the list after filtering, the default set is used (again, without warning). This happened in your case: the binary value (double quotes) you passed in did not match any RFC cipher suite ID, and so the result set was empty. I guess you are on OTP 21 or later, and therefore RSA key exchange suites are not included by default, so AES256-GCM-SHA384 was not enabled and the handshake failed.

BTW, if you’ll forgive the shameless plug, I will be talking about this and more at Code BEAM Lite Amsterdam


Incredible, I’ve also been struggling all day to connect to an AWS Mongo cluster, and this cipher answer was EXACTLY what I needed. Thank you so much voltone!