ObjCMongoDB

Desktop app no longer working after server updated to 3.0

Open guirto opened this issue 8 years ago • 4 comments

Hi.

I don't know if this is an issue, but after my MongoDB hosting server, MongoLab, updated to 3.0, ObjCMongoDB is not working anymore.

If I perform a search using some query that I know will give results, nothing is found, and this is the error I get when I try to insert something in the db.

{
    lastOp = <BSONTimestamp: 0x600000001c40>;
    connectionId = 23684;
    err = not authorized for insert on empleo.historico_sectores;
    code = 13;
    n = 0;
    ok = 1;
}

Any help? Thanks a lot in advance.

Víctor.

guirto avatar Oct 22 '15 14:10 guirto

I think that it has something to do with the new authentication scheme, SCRAM-SHA-1.

guirto avatar Oct 22 '15 15:10 guirto

I researched a similar issue for a client last year. They gave me permission to publish this report.

Mongod 3.0 is only compatible with certain versions of each driver. For the C driver it's 1.1.0+ – versions below that will stop working when you update to 3.x.

The latest release of ObjCMongoDB is using the latest released version of the "legacy C driver" which is 0.8.1.

The 1.x API, and build system, are completely different from 0.x, so it’s not exactly a drop-in upgrade. I’ve been working off and on with a version of ObjCMongoDB that uses the new driver. Are you using CocoaPods? Along the way I did publish a working podspec for libmongoc. No Swift support yet, but it works in Objective-C.

While researching this, I provisioned myself a MongoLab database. It works fine using the mongo console client, but when I tried my latest code, no dice.

Digging a little further, it seems the breaking change in 3.x that requires a driver update is a new, more secure authentication scheme called SCRAM-SHA-1, which replaced MONGODB-CR used in 2.x.

Then I tracked down this gem in the API docs:

In MongoDB 3.0 and later the default authentication mechanism is SCRAM-SHA-1. The MongoDB C Driver must be built with OpenSSL to use SCRAM-SHA-1 authentication, since the driver uses hash algorithms from the OpenSSL library to implement SCRAM-SHA-1, even if it connects to MongoDB over a non-SSL connection.

(Link has since rotted – see this commit for the original text. Here's the Jira ticket.)

So, that's a big problem. As you probably know, OpenSSL is deprecated on Mac OS, and is not available at all on iOS. That's in favor of Secure Transport, Apple's native TLS stack. It’s why I deliberately excluded SSL in the mongo-c-driver pod I published.

Eventually Mongo will get around to implementing native TLS on Mac. It’s been on their roadmap for a long time and there's even a half-implemented pull request, though I was told recently not to expect this until version 1.4 of the C driver, slated for early 2016.

All that is to say – rather conclusively – that there is not an easy path to getting an iOS app to authenticate against a MongoDB 3.x database.

Frankly I wish things were further along. But until the C driver supports Secure Transport (i.e. iOS native TLS) any work I could do is of limited use. I didn't realize it was quite this bad… I mean, even if I were to publish a new version of ObjCMongoDB that uses the latest C driver, it wouldn’t be able to authenticate to a 3.x server.

A few people have published versions of OpenSSL for iOS but I don't know if they are widely used, and they definitely don't get OS-level security updates. Probably you could try to build one of these, and build your own C driver against it.

That said, you may be better off using a MongoDB 2.x server.

Though even then, keep in mind that the Mongo wire protocol is not encrypted, so if you’re accessing a server on the Internet it’s insecure. If the data is sensitive at all, likely you would want to use TLS, which would still mean compiling and shipping a copy of OpenSSL with your app.

Sorry the news isn't better! (And sorry @guirto for the long delay!)

paulmelnikow avatar Mar 12 '16 22:03 paulmelnikow
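
The driver documentation quoted in the comment above says SCRAM-SHA-1 needs hash algorithms even on a non-SSL connection. The following is an added example, not code from ObjCMongoDB or the MongoDB C driver: it computes the client proof and server signature defined in RFC 5802, showing where PBKDF2, HMAC-SHA-1 and SHA-1 enter the handshake. The function names are hypothetical, the sample messages are the RFC 5802 test exchange (user `user`, password `pencil`), and SASLprep normalization is skipped on the assumption of an ASCII password.

```python
import base64
import hashlib
import hmac

# RFC 5802 section 5 test exchange, embedded so the example runs offline.
CLIENT_FIRST_BARE = "n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"


def mongo_password_digest(username, password):
    """MongoDB passes this MD5 hex digest, not the raw password, into SCRAM-SHA-1."""
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


def _fields(message):
    # SCRAM messages are comma-separated key=value pairs; values may contain '='.
    return dict(item.split("=", 1) for item in message.split(","))


def scram_sha1_proofs(password, client_first_bare, server_first):
    """Return (client-final-message, expected base64 server signature)."""
    server = _fields(server_first)
    nonce = server["r"]
    # The server nonce must extend the client's nonce, otherwise abort.
    if not nonce.startswith(_fields(client_first_bare)["r"]):
        raise ValueError("server nonce does not extend client nonce")
    salt, iterations = base64.b64decode(server["s"]), int(server["i"])

    # Hi() in the RFC is PBKDF2 with HMAC-SHA-1 and a 20-byte output.
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()

    # "biws" is base64("n,,"): no channel binding, i.e. no TLS involved.
    final_without_proof = f"c=biws,r={nonce}"
    auth_message = ",".join(
        [client_first_bare, server_first, final_without_proof]).encode()

    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    proof = bytes(a ^ b for a, b in zip(client_key, client_sig))
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    server_sig = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    return (f"{final_without_proof},p={base64.b64encode(proof).decode()}",
            base64.b64encode(server_sig).decode())


if __name__ == "__main__":
    print(scram_sha1_proofs("pencil", CLIENT_FIRST_BARE, SERVER_FIRST))
```

Against a MongoDB server the `password` argument would be the output of `mongo_password_digest`, and the client should compare the returned server signature with the `v=` value in the server's final message using `hmac.compare_digest`.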

I should note that we've merged Secure Transport support for mongoc to master, which will become 1.4.0 as mentioned above. That implementation includes using Common Crypto for SCRAM-SHA-1, which therefore removes the need for OpenSSL/libcrypto using the default authentication mechanisms in MongoDB 3.0+.

bjori avatar Mar 15 '16 22:03 bjori

That is great news! Really glad to hear it.

Maybe I can revive that libmongoc branch.

paulmelnikow avatar Mar 15 '16 23:03 paulmelnikow