Client_encryption.create_data_key kmip 'sslv3 alert bad certificate'

Hi,

I am trying to utilise the client_encryption.create_data_key functionality via kmip but cannot get past the following error:

pymongo.errors.EncryptionError: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad certificate')]

python 3.7.10
pymongo: 4.0.1

Code:

    import os
    from bson.binary import STANDARD
    from bson.codec_options import CodecOptions
    from pymongo import MongoClient
    from pymongo.encryption import ClientEncryption
    from pymongo.encryption_options import AutoEncryptionOpts

    # KMIP server that holds the customer master key
    kms_providers = {"kmip": {"endpoint": "x.x.x.x:5696"}}

    # mutual TLS material for the KMIP connection: the CA that signed the server
    # certificate, plus the client certificate and private key in one PEM file
    ktoptions = {
        "kmip": {
            "tls": True,
            "tlsCAFile": "/etc/pki/ca-trust/source/anchors/ca.pem",
            "tlsCertificateKeyFile": "/etc/pki/ca-trust/source/anchors/client.pem",
        }
    }

    csfle_opts = AutoEncryptionOpts(
        kms_providers=kms_providers,
        key_vault_namespace="csfle_demo2.__keystore",
        kms_tls_options=ktoptions,
    )

    os.environ["MDB_URL"] = "mongodb+srv://x:x@xxx.mongodb.net"
    with MongoClient(os.environ["MDB_URL"], auto_encryption_opts=csfle_opts) as client:
        print("Resetting demo database & keystore ...")
        client.drop_database("csfle_demo")

        client_encryption = ClientEncryption(
            kms_providers,
            "csfle_demo2.__keystore",
            client,
            CodecOptions(uuid_representation=STANDARD),
        )

        print("Creating key in MongoDB ...")
        key_id = client_encryption.create_data_key(
            "kmip", master_key={"keyId": "gregTest"}, key_alt_names=["example"]
        )

        print(key_id)

I have confirmed the validity of my certs via:

    openssl s_client -connect x.x.x.x:5696 -CAfile /etc/pki/ca-trust/source/anchors/ca.pem -cert /etc/pki/ca-trust/source/anchors/client.pem

which results in no errors.

Any help would be much appreciated

Cheers
Greg

The error message [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert bad certificate')] suggests that pymongo uses PyOpenSSL. PyOpenSSL depends on PyCA cryptography, which does not use the OS' OpenSSL libraries. It uses a static build of the latest OpenSSL. More recent OpenSSL versions have stricter requirements.

Thanks @tiran . Trying without PyOpenSSL (I think):

pymongo.errors.AutoReconnect: SSL handshake failed: X.X.X.X:5696: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1091)

I see kms_tls_options was only added in version 4.0. It's as if the client cert isn't even being passed.

I was being stupid … it wasn't being passed because I added it in the wrong place:

    client_encryption = ClientEncryption(
        kms_providers,
        "csfle_demo.__keystore",
        client,
        CodecOptions(uuid_representation=STANDARD),
        kms_tls_options=ktoptions,  # the same TLS dict given to AutoEncryptionOpts
    )

Works now :slight_smile:
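As an added example (not code from the thread), here is one way to keep the KMIP provider and its mutual-TLS material in a single place and to check, before any KMIP connection is opened, that the same kms_tls_options dict that went into AutoEncryptionOpts is also handed to ClientEncryption; kmip_kms_config, tls_config_problems and make_client_encryption are hypothetical helper names, and a provider with no TLS entry is the misconfiguration that produced the 'bad certificate' handshake failure above.

```python
# Added example, not code from the thread: define the KMIP provider and its TLS
# material once and check that kms_tls_options actually reaches ClientEncryption.
from pathlib import Path
from typing import Dict, List

def kmip_kms_config(endpoint: str, ca_file: str, cert_key_file: str):
    """One definition of the provider and its TLS files, to share with AutoEncryptionOpts."""
    kms_providers = {"kmip": {"endpoint": endpoint}}
    kms_tls_options = {"kmip": {
        "tls": True,
        "tlsCAFile": ca_file,                    # CA that signed the KMIP server cert
        "tlsCertificateKeyFile": cert_key_file,  # client cert + private key, one PEM
    }}
    return kms_providers, kms_tls_options

def tls_config_problems(kms_providers: Dict, kms_tls_options: Dict, check_files: bool = True) -> List[str]:
    """List what is wrong with the TLS wiring; empty means consistent. A provider with no
    entry in kms_tls_options is the thread's mistake: no client cert is sent, and the
    KMIP server rejects the handshake instead of the driver failing early."""
    problems = []
    for name in kms_providers:
        opts = kms_tls_options.get(name)
        if opts is None:
            problems.append(f"{name}: no TLS options (client cert will not be sent)")
            continue
        if not opts.get("tls"):
            problems.append(f"{name}: tls is not enabled")
        for key in ("tlsCAFile", "tlsCertificateKeyFile"):
            path = opts.get(key)
            if not path:
                problems.append(f"{name}: {key} missing")
            elif check_files and not Path(path).is_file():
                problems.append(f"{name}: {key} not found: {path}")
    return problems

def make_client_encryption(client, key_vault_ns: str, kms_providers: Dict, kms_tls_options: Dict):
    """Build ClientEncryption with kms_tls_options passed by keyword, after the wiring
    check, so a bad configuration fails here rather than inside the TLS handshake."""
    from bson.binary import STANDARD
    from bson.codec_options import CodecOptions
    from pymongo.encryption import ClientEncryption  # imported lazily: pymongo needed only here
    problems = tls_config_problems(kms_providers, kms_tls_options)
    if problems:
        raise ValueError("; ".join(problems))
    return ClientEncryption(kms_providers, key_vault_ns, client,
                            CodecOptions(uuid_representation=STANDARD),
                            kms_tls_options=kms_tls_options)
```

Build csfle_opts for MongoClient from the same two dicts that kmip_kms_config returns, then create the ClientEncryption through make_client_encryption so the two can never drift apart.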