norman
MongoDB and SSL ciphers - failed to connect
Hi there,
I have been fighting all day trying to connect to a MongoDB server in the Cloud (MongoDB Atlas) with no success so far.
MongoDB Atlas enforces SSL to connect to their servers and here is the issue as I am getting “failed to connect: ** (Mongo.Error) ssl connect: TLS Alert: handshake failure - {:tls_alert, ‘handshake failure’}”.
I can connect with no issue using the mongo-shell with the “–ssl” option so the connectivity is ok. When I check the logs on the server side I am getting “SSL: error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher”. I checked with openssl and the expected cipher is AES256-GCM-SHA384.
After looking for a solution online I saw that there was a few issue with Elixir and SSL connectivity. I tried to play with ssl_opts using something like :
Mongo.start_link(
database: "admin",
hostname: "cluster-name.mongodb.net:27017",
ssl: true,
ssl_opts: [
ciphers: ["{:aes_256_gcm, :sha384}"], #also tried with ["AES256-GCM-SHA384"]
versions: [:"tlsv1.2"]
]
)
I had no success so far and I am not sure where to dig as I am not familiar with Elixir. Any help would be kindly appreciated.
Cheers,
Norman
Marked As Solved
voltone
To select cipher suites using the ciphers option, you can either use tuple format (no quotes) or an OpenSSL-style name as a charlist (in single quotes). Your code example uses tuple format, but with double quotes. Also, the tuple is incomplete: it does not have a key exchange and RNG entry.
So if the expected cipher suite is in fact AES256-GCM-SHA384, specify either:
ciphers: [{:rsa, :aes_256_gcm, :aead, :sha384}],
or
ciphers: ['AES256-GCM-SHA384'],
Erlang/OTP 21 and later does not enable this cipher suite by default, since it uses RSA key exchange which is considered week. If the server indeed only supports this option, and not the variant with ECDHE or DHE key exchange, then that would explain why you can’t connect, though it would be a weird choice on the server side.
Another thing to note is that Erlang/OTP 20.3 had an issue with AEAD ciphers, so you’d need to upgrade to 21 or to the latest patch level of 20.3 to use this cipher suite.
Also Liked
voltone
BTW, if you’ll forgive the shameless plug, I will be talking about this and more at Code BEAM Lite Amsterdam
Cadamis
Incredible, I’ve also been struggling all day to connect to an AWS Mongo cluster, and this cipher answer was EXACTLY what I needed. Thank you so much voltone!
norman
Hi Voltone,
Thank you so much for your reply that actually solved the problem. I replaced the double quotes by the simple quotes in ciphers: ['AES256-GCM-SHA384'], as you suggested and it just worked !
I find a bit confusing that no parser let you know that the syntax is incorrect when you run the application but good to know for the future.
Thank you again for helping in solving this issue. We can close this case.
Cheers,
Norman
Popular in Questions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance








