Pymongo Server Selection Timeout Error: SSL handshake failed: on Windows

[tanay patil]

I am trying to connect to a remote mongo db through pymongo and use GSSAPI(Kerberos) ans ssl authentication methods. The code works on unix systems but gives an error on windows systems. The error is Pymongo Server Selection Timeout Error: SSL handshake failed: _ssl:504 EOF while violation of protocol. I have installed winkerberos package but it is of no use. Please help me with this issue.

[Bernie Hackett]

That error message is from Python's SSL module. It's unrelated to Kerberos. What version of Python are you using? Please post the output from this one-liner:

python -c "import sys; print(sys.version)"

[tanay patil]

I'm using python 2.7.3

--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.
To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/107a755c-9c68-4c5b-a501-59b794c695fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Bernie Hackett]

Please upgrade to a much newer patch release of Python 2.7. The current release is Python 2.7.15. https://www.python.org/downloads/release/python-2715/ Many changes and fixes have been made in Python's SSL support since 2.7.3.

On Thursday, August 30, 2018 at 8:25:43 AM UTC-7, tanay patil wrote:

I'm using python 2.7.3

[tanay patil]

I tried on python 3.6.3 and the error remains the same. Also, I tried with different versions of pymongo, installed pyopenssl, pykerberos and winkerberos but the error still exists. The code works fine on Unix. The error comes in windows. 

--

You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.

To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/bdab33c2-432d-416c-beb5-3446c8c49913%40googlegroups.com.

[tanay patil]

Can anyone please suggest a solution for this problem? 

[Bernie Hackett]

PyMongo uses Python's ssl module, not pyopenssl, so installing pyopenssl won't help. This error is SSL specific so pykerberos and winkerberos have nothing to do with it. Can you try with Python 3.7 and report back? If you still get a traceback can you post the entire traceback here (not just the error message)?

On Monday, September 3, 2018 at 6:40:32 AM UTC-7, tanay patil wrote:

Can anyone please suggest a solution for this problem? 

On Fri 31 Aug, 2018, 12:25 PM tanay patil,  wrote:

I tried on python 3.6.3 and the error remains the same. Also, I tried with different versions of pymongo, installed pyopenssl, pykerberos and winkerberos but the error still exists. The code works fine on Unix. The error comes in windows. 

[tanay patil]

I tried with python 3.7. Now the error is

pymongo.errors.OperationFailure:SSPI: InitializeSecurityContext: The logon attempt failed. I think that this is related to kerberos. Please help me to authenticate using winkerberos and solve this issue. 

--
You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.

To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/19c28a2d-646e-469e-ae43-a424398f1025%40googlegroups.com.

[tanay patil]

The error is also this - line 393 in _authenticate_gssapi

If kerberos.authGSSClientStep(ctx, vv)! =0:

winkerberos. GSSError:SSPI: InitializeSecurityContext :The logon attempt failed 

[tanay patil]

Line 393 is in site-packages/pymongo /auth.py

[Bernie Hackett]

The new error is definitely Kerberos authentication failing. If the user you are trying to authenticate is the Windows logon user authentication should work without a password. If the user is different from the logon user you have to use a password to authenticate. I realize this seems counter intuitive for Kerberos, but SSPI is not MIT kerberos. Instead of calling kinit with the user principal and password, you pass the user principal and password as part of the MongoDB URI.

https://api.mongodb.com/python/current/examples/authentication.html#windows-sspi

[tanay patil]

I am passing the principal and password in the url. Still the error comes. 

On Thu 6 Sep, 2018, 8:38 PM 'Bernie Hackett' via mongodb-user, <mongod...@googlegroups.com> wrote:

The new error is definitely Kerberos authentication failing. If the user you are trying to authenticate is the Windows logon user authentication should work without a password. If the user is different from the logon user you have to use a password to authenticate. I realize this seems counter intuitive for Kerberos, but SSPI is not MIT kerberos. Instead of calling kinit with the user principal and password, you pass the user principal and password as part of the MongoDB URI.

https://api.mongodb.com/python/current/examples/authentication.html#windows-sspi

--

You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.

To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/c2ac390a-bb69-45dd-b69d-3b1901ea85a1%40googlegroups.com.

[Bernie Hackett]

Make sure you are percent encoding the user principal and password. For example:

from urllib import quote_plus

uri = "mongodb://%s:%s@localhost:27017/?authMechanism=GSSAPI&ssl=true" % (quote_plus(principal), quote_plus(password))

Replace localhost with your hostname and 27017 with your port number.

[tanay patil]

Hey, it worked. Thank you so much for the help. 

--

You received this message because you are subscribed to the Google Groups "mongodb-user"
group.
 
For other MongoDB technical support options, see: https://docs.mongodb.com/manual/support/
---
You received this message because you are subscribed to the Google Groups "mongodb-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mongodb-user...@googlegroups.com.
To post to this group, send email to mongod...@googlegroups.com.
Visit this group at https://groups.google.com/group/mongodb-user.

To view this discussion on the web visit https://groups.google.com/d/msgid/mongodb-user/41613865-371c-4d2e-a4f1-3a913cd225f9%40googlegroups.com.