MongoServerSelectionError: C8320000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled::

MongoServerSelectionError: C8320000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:c:\ws\deps\openssl\openssl\ssl\statem\extensions.c:922:

I am running a migration script from Azure Cosmos DB to MongoDB. It works fine with Node 16, but I get this error on Node 18+ versions.

I am trying this on a private company network.

Question: Can we fix it from the Node side, or does it need to be checked on the firewall side for SSL, or something else?

Solution code will help me a lot.
The connection string URLs look like this:

```json
"source": {
  "connectionString": "mongodb://.mongo.cosmos.azure.com:10255/?ssl=true&replicaSet=globaldb&retrywrites=false&maxIdleTimeMS=120000&appName=07@"
},
"target": {
  "connectionString": "mongodb+srv://studio-admin?retryWrites=true&w=majority",
  "options": {
    "tlsAllowInvalidCertificates": false
  }
},
```

Note: High priority, please suggest ASAP.

@Narpat_Shekhawat the source of this error is Node.js 18 disabling unsafe legacy TLS renegotiation - likely to mitigate CVE-2009-3555.

"node.js - Allow Legacy Renegotiation for NodeJs" on Stack Overflow has some additional details that may be useful; however, it appears you can work around this by using a custom global configuration when executing the node process.

Note that this appears to be an issue with connecting to a CosmosDB cluster which we don’t support directly, but it does appear a workaround is possible.

@alexbevi I went through those links but do not understand how to fix it on the code side, or whether we need to ask the network team to change the SSL version.

Could you please provide some steps, using those, that I can follow to fix it?

The Cosmos DB connection is working fine; the issue is connecting with mongodb+srv at my end.

If you’re running a migration script and it works correctly with Node 16, why not just use Node 16 to complete the migration?

The Stack Overflow response shows you how you can configure the Node process with custom SSL configuration (such as node --openssl-config=/openssl.cnf) which you can use to run Node 18 with UnsafeLegacyRenegotiation enabled.

This is not a code-level change, but changing the configuration of the Node runtime that’s executing your migration script. Honestly if this is a one-off activity and Node 16 works … just use that.

Just want to share this here for anyone that happens to find this thread as a result of getting the same error from the Node.js driver.

I’ve written about this issue in more detail at Node.js Driver failing to connect due to unsafe legacy renegotiation disabled | ALEX BEVILACQUA, but the following configuration passed to the MongoClient on instantiation should address the issue:

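```js
import { MongoClient } from 'mongodb';
import * as crypto from 'crypto';
import * as tls from 'tls';

const client = new MongoClient("mongodb+srv://...", {
  // secureContext takes a context object built by tls.createSecureContext()
  secureContext: tls.createSecureContext({
    // Allow connecting to a server that lacks secure renegotiation support
    secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT
  })
});
```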
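
One way to keep this workaround scoped to a single endpoint rather than the whole Node process, as an added example (not code from the original posts or from the driver project). The host `legacy-db.example.internal` and the helper names `seedHost` and `tlsOptionsFor` are assumptions made for illustration.

```javascript
// Added example: relax the TLS setting only for explicitly named hosts.
const crypto = require('node:crypto');
const tls = require('node:tls');

// Assumption: hosts known to lack RFC 5746 secure renegotiation support.
const LEGACY_TLS_HOSTS = new Set(['legacy-db.example.internal']);

// Extract the seed host from a mongodb:// or mongodb+srv:// URI.
// Returns null when the URI does not parse or uses another scheme, so an
// unexpected connection string never receives the relaxed setting.
function seedHost(uri) {
  try {
    const u = new URL(uri);
    if (u.protocol !== 'mongodb:' && u.protocol !== 'mongodb+srv:') return null;
    return u.hostname.toLowerCase() || null;
  } catch {
    return null;
  }
}

// Build the TLS part of the MongoClient options for one connection string.
function tlsOptionsFor(uri, allowed = LEGACY_TLS_HOSTS) {
  const host = seedHost(uri);
  if (host === null || !allowed.has(host)) {
    // Keep the Node 18+ default: servers without secure renegotiation are rejected.
    return { legacy: false, options: {} };
  }
  const secureContext = tls.createSecureContext({
    // Client side only: permit a server that lacks secure renegotiation support.
    // Deliberately not SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, which is broader.
    secureOptions: crypto.constants.SSL_OP_LEGACY_SERVER_CONNECT,
    minVersion: 'TLSv1.2',
  });
  return { legacy: true, options: { secureContext } };
}

// Usage with the driver (not executed here):
//   const { options } = tlsOptionsFor(uri);
//   const client = new MongoClient(uri, options);
```

Certificate validation is untouched by this option, so `tlsAllowInvalidCertificates` can stay `false` as in the configuration above.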