norman

norman

MongoDB and SSL ciphers - failed to connect

Hi there,

I have been fighting all day trying to connect to a MongoDB server in the Cloud (MongoDB Atlas) with no success so far.

MongoDB Atlas enforces SSL to connect to their servers and here is the issue as I am getting “failed to connect: ** (Mongo.Error) ssl connect: TLS Alert: handshake failure - {:tls_alert, ‘handshake failure’}”.

I can connect with no issue using the mongo-shell with the “–ssl” option so the connectivity is ok. When I check the logs on the server side I am getting “SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher”. I checked with openssl and the expected cipher is AES256-GCM-SHA384.

After looking for a solution online I saw that there was a few issue with Elixir and SSL connectivity. I tried to play with ssl_opts using something like :

Mongo.start_link(
database: "admin", 
hostname: "cluster-name.mongodb.net:27017",
ssl: true,
ssl_opts: [
  ciphers: ["{:aes_256_gcm, :sha384}"], #also tried with ["AES256-GCM-SHA384"]
  versions: [:"tlsv1.2"]
]
)

I had no success so far and I am not sure where to dig as I am not familiar with Elixir. Any help would be kindly appreciated.

Cheers,
Norman

Marked As Solved

voltone

voltone

To select cipher suites using the ciphers option, you can either use tuple format (no quotes) or an OpenSSL-style name as a charlist (in single quotes). Your code example uses tuple format, but with double quotes. Also, the tuple is incomplete: it does not have a key exchange and RNG entry.

So if the expected cipher suite is in fact AES256-GCM-SHA384, specify either:

ciphers: [{:rsa, :aes_256_gcm, :aead, :sha384}],

or

ciphers: ['AES256-GCM-SHA384'],

Erlang/OTP 21 and later does not enable this cipher suite by default, since it uses RSA key exchange which is considered week. If the server indeed only supports this option, and not the variant with ECDHE or DHE key exchange, then that would explain why you can’t connect, though it would be a weird choice on the server side.

Another thing to note is that Erlang/OTP 20.3 had an issue with AEAD ciphers, so you’d need to upgrade to 21 or to the latest patch level of 20.3 to use this cipher suite.

Also Liked

voltone

voltone

BTW, if you’ll forgive the shameless plug, I will be talking about this and more at Code BEAM Lite Amsterdam

Cadamis

Cadamis

Incredible, I’ve also been struggling all day to connect to an AWS Mongo cluster, and this cipher answer was EXACTLY what I needed. Thank you so much voltone!

norman

norman

Hi Voltone,

Thank you so much for your reply that actually solved the problem. I replaced the double quotes by the simple quotes in ciphers: ['AES256-GCM-SHA384'], as you suggested and it just worked !

I find a bit confusing that no parser let you know that the syntax is incorrect when you run the application but good to know for the future.

Thank you again for helping in solving this issue. We can close this case.

Cheers,
Norman

Where Next?

Popular in Questions Top

Darmani72
If I have a post route which an argument: post /my_post_route/:my_param1, MyController.my_post_handler How would get the post params ...
New
JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
Fl4m3Ph03n1x
About me? ( if you have nothing better to do than reading about some random guy in the internet :stuck_out_tongue: ) Hello all, this is ...
New
JorisKok
I have a server on AWS, and was running a load test using artillery. When looking at the Phoenix dashboard I see the Ports going to 100% ...
New
jay1
Why is it that the mnesia database isn’t the most preferred database for use in Elixir/Phoenix?
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
srinivasu
How to handle excepions in elixir? Suppose i have A, B, C ,D, E modules. and each module has get() function. A.get() method will call t...
New
chensan
I have a User schema with a :from_id field set to type :string: defmodule TweetBot.Repo.Migrations.CreateUsers do use Ecto.Migration ...
New
dotdotdotPaul
Okay, I’m having a heck of a time trying to figure out how to best handle the validation of belongs_to associations in Ecto. I’m sure I’...
New

Other popular topics Top

JeremM34
Hello, how can I check the Phoenix version ? Thanks !
New
electic
Hi, I am new to Elixir. I am trying to use the DateTime component to insert a date into MySQL however the there seems to be no way to fo...
New
fireproofsocks
Forgive me if this is obvious, but how does one delete a database record WITHOUT selecting it first? Ecto.Repo — Ecto v3.14.0 has exampl...
New
pmjoe
I have a relationship of love and hate with Elixir. Lots of things are just absolutely right, but there are some things that are kind of ...
New
boundedvariable
I am going through the kafka architecture. All the features what the kafka is providing are already in Erlang. I would like hear your opi...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
Brian
What is the proper way to load a module from a file in to IEX? In the python world, doing something like this pretty standard: from ....
New
shijith.k
I am trying to start a new phoenix project with elixir 1.9, but mix phx.new does not work. It says that ** (Mix) The task "phx.new" could...
New
hariharasudhan94
I would like to know what is the best IDE for elixir development?
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Latest on Elixir Forum

We're in Beta

About us Mission Statement