...
Problem Statement/Rationale

There is a confusion between TLS vs SSL options for secure connection. According to the documentation, while using SSL options is considered deprecated, both ways are exactly identical in terms of functionality. However, the client does not handle both equally, which may be very confusing to those who think TLS may be more secure.

Steps to Reproduce

Note the difference below, between using: ?tls=false&ssl=true vs ?tls=true&ssl=false

    $ mongo --host="mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=false&ssl=true"
    MongoDB shell version v5.0.8
    connecting to: mongodb://covid-19-shard-00-02.hip2i.mongodb.net:27017,covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017/covid19?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=covid-19-shard-0&ssl=true&tls=false
    Implicit session: session { "id" : UUID("77a4ef8a-53e3-414f-87b2-385b9bd283bf") }
    MongoDB server version: 4.4.14
    WARNING: shell and server versions do not match
    ================
    Warning: the "mongo" shell has been superseded by "mongosh", which delivers improved usability and compatibility.The "mongo" shell has been deprecated and will be removed in an upcoming release.
    For installation instructions, see https://docs.mongodb.com/mongodb-shell/install/
    ================
    MongoDB Enterprise covid-19-shard-0:PRIMARY>

vs

    $ mongo --host="mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false"
    MongoDB shell version v5.0.8
    connecting to: mongodb://covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017,covid-19-shard-00-02.hip2i.mongodb.net:27017/covid19?authSource=admin&compressors=disabled&gssapiServiceName=mongodb&replicaSet=covid-19-shard-0&ssl=false&tls=true
    {"t":{"$date":"2022-05-21T12:47:47.450Z"},"s":"I", "c":"NETWORK", "id":4333208, "ctx":"ReplicaSetMonitor-TaskExecutor","msg":"RSM host selection timeout","attr":{"replicaSet":"covid-19-shard-0","error":"FailedToSatisfyReadPreference: Could not find host matching read preference { mode: \"nearest\" } for set covid-19-shard-0"}}
    *** You have failed to connect to a MongoDB Atlas cluster. Please ensure that your IP allowlist allows connections from your network.
    Error: Could not find host matching read preference { mode: "nearest" } for set covid-19-shard-0, covid-19-shard-0/covid-19-shard-00-01.hip2i.mongodb.net:27017,covid-19-shard-00-00.hip2i.mongodb.net:27017,covid-19-shard-00-02.hip2i.mongodb.net:27017 :
    connect@src/mongo/shell/mongo.js:372:17
    @(connect):2:6
    exception: connect failed
    exiting with code 1

Expected Results

A similar test with mongosh gives consistent results:

    $ mongosh "mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false"
    Current Mongosh Log ID: 6288e053ca539b523e7e77fd
    Connecting to: mongodb+srv://<credentials>@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=false&appName=mongosh+1.4.2
    MongoParseError: All values of tls/ssl must be the same.

    $ mongosh "mongodb+srv://readonly:readonly@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=true"
    Current Mongosh Log ID: 6288e05c90bfa6516e2dea9e
    Connecting to: mongodb+srv://<credentials>@covid-19.hip2i.mongodb.net/covid19?tls=true&ssl=true&appName=mongosh+1.4.2
    Using MongoDB: 4.4.14
    Using Mongosh: 1.4.2

Actual Results

When this is used: tls=true&ssl=false, mongo client doesn't connect to a server that requires TLS/SSL, but with tls=false&ssl=true, it works, and actually TLS IS used for the connection.
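The following is an added example, not code from the mongo shell, mongosh, or the reporter: a pre-flight lint that rejects connection strings whose tls/ssl values disagree, in the spirit of the mongosh error shown above, and reports which transport setting a consistent URI requests. The function name `lintTlsOptions`, the sample hosts and the sample credentials are assumptions made for illustration.

```javascript
// Added example (not mongo/mongosh source): lint a MongoDB connection string
// for contradictory tls/ssl options before handing it to any client.
const TLS_ALIASES = new Set(["tls", "ssl"]);

function lintTlsOptions(uri) {
  const scheme = /^mongodb(\+srv)?:\/\//i.exec(uri);
  if (!scheme) return { ok: false, tls: null, reason: "not a mongodb:// or mongodb+srv:// URI" };

  // Reserved characters in credentials must be percent-encoded, so the first
  // "?" starts the option list. Multi-host seed lists break `new URL()`,
  // hence the manual split.
  const q = uri.indexOf("?");
  const params = new URLSearchParams(q === -1 ? "" : uri.slice(q + 1));

  const seen = []; // every tls/ssl occurrence, repeated keys included
  for (const [rawKey, rawValue] of params) {
    const key = rawKey.toLowerCase(); // option names are case-insensitive
    if (!TLS_ALIASES.has(key)) continue;
    const value = rawValue.toLowerCase();
    if (value !== "true" && value !== "false") {
      return { ok: false, tls: null, reason: `${rawKey}=${rawValue} is not a boolean` };
    }
    seen.push({ key, on: value === "true" });
  }

  if (new Set(seen.map((o) => o.on)).size > 1) {
    const shown = seen.map((o) => `${o.key}=${o.on}`).join(", ");
    return { ok: false, tls: null, reason: `contradictory options: ${shown}` };
  }

  // No explicit option: mongodb+srv implies TLS, plain mongodb:// does not.
  const tls = seen.length ? seen[0].on : Boolean(scheme[1]);
  return { ok: true, tls, reason: tls ? "TLS requested" : "plaintext connection requested" };
}

// Constructed sample URIs (placeholder hosts and credentials).
const samples = [
  "mongodb+srv://user:pass@cluster0.example.net/db?tls=true&ssl=false",
  "mongodb+srv://user:pass@cluster0.example.net/db?tls=false&ssl=true",
  "mongodb+srv://user:pass@cluster0.example.net/db?tls=true&ssl=true",
  "mongodb://h1.example.net:27017,h2.example.net:27017/db",
];
for (const uri of samples) {
  const r = lintTlsOptions(uri);
  const redacted = uri.replace(/\/\/[^@]*@/, "//<credentials>@");
  console.log(r.ok ? "OK    " : "REJECT", r.reason, "<-", redacted);
}
```

Running such a check in deployment tooling makes the outcome independent of which client later consumes the string, and the `tls` field lets a policy gate refuse URIs that request plaintext.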
JIRAUSER1265262 commented on Tue, 2 Aug 2022 14:03:17 +0000:

Przemek,

Given that the legacy mongo shell is deprecated, I don't expect this one to be on the radar to be fixed. The net.tls settings provide identical functionality as the net.ssl options since MongoDB has always supported TLS 1.0 and later, so this sounds redundant.

Thanks for your report, and your attention to detail in describing this issue!

Regards,
Christopher

przemek.malkowski@gmail.com commented on Fri, 15 Jul 2022 10:14:28 +0000:

Hi Chris,

Sorry for late response. Please notice that I used your public MongoDB servers in my example, connection string points to instance in *mongodb.net network. So, you should be able to check the mongod config from there.

As seen in the example, your MongoDB Atlas cluster requires SSL/TLS to connect. Now, mongo client should probably not accept ?tls=true&ssl=false params, as they contradict, right? See the mongosh client message for consideration:

    MongoParseError: All values of tls/ssl must be the same.

JIRAUSER1265262 commented on Tue, 31 May 2022 18:33:59 +0000:

Hi Przemek,

Just for some more context, would be helpful to get the following information:

- Your mongod config for the node you are connecting to
- How you know it's actually using TLS? (I'm interested to see your config file for more information)

I was able to reproduce this issue on 5.0.7 using the latest mongosh - I was able to connect to a standalone mongod using tls=false, ssl=true with TLS configured and set to preferTLS.