ssl: false ignored for mongo+srv

[marinakr]

Hi 👋

I'm encountering a TLS-related issue when using mongodb+srv:// URIs in combination with ssl=false / tls=false to disable TLS. While the first MongoDB connection works, connections in the pool fail with:

ssl connect: Invalid TLS option: {cacerts,nil} - {:options, {:cacerts, nil}}

🔍 What’s happening
I'm using this connection URL from the environment:

export DB_URL_STATS="mongodb+srv://user:pass@mongodb.addr/dbname?...&ssl=false&tls=false"

My code to initialize MongoDB (via a GenServer on app startup):

Mongo.start_link(
  url: mongo_srv_url,
  name: :stats_mongo,
  pool_size: 5,
  timeout: 60_000,
  checkout_timeout: 60_000,
  pool_timeout: 5_000,
  ssl: false,
  tls: false,
  ssl_opts: [verify: :verify_none, cacerts: nil]
)

❌ What doesn't work
In app startup, I get this in logs:

Successfully connected to MongoDB with connection pool
ssl connect: Invalid TLS option: {cacerts,nil} - {:options, {:cacerts, nil}}

So looks like first connection was done successfully (Successfully connected to MongoDB with connection pool) and later it crashes for rest?

When I don't pass ssl_opts it fails with:

15:32:13.421 [error] Mongo.MongoDBConnection (#PID<0.1197.0>) failed to connect: ** (Mongo.Error) ....svc.cluster.local:27017 ssl connect: Options (or their values) can not be combined: [{verify,verify_peer},
                                                {cacerts,undefined}] - {:options, :incompatible, [verify: :verify_peer, cacerts: :undefined]}

This repeats for each pooled connection after the first.

✅ Expected behavior
If ssl=false or tls=false is passed via connection string or options, no TLS should be attempted

At minimum, {cacerts, nil} should not be passed to :ssl.connect/3

[zookzook]

Thank you for your detailed description. I will take care of it.

[zookzook]

After exploring the specification about the mongodb+srv option the answer is clear: by using the srv option the driver implicity enables TLS.

Although using mongodb+srv:// implicitly enables TLS, a Client MUST NOT allow the ssl option to be set through a TXT record option.

https://github.com/mongodb/specifications/blob/5b15fd307b7ec06dbafc57e3c252f7ae3b8c4e46/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md

[zookzook]

Do you think this answer answers your question or explains your issue? Try to omit the :cacerts option.

[marinakr]

@zookzook It does not work neither with nil :cacerts, no without :cacerts at all

[zookzook]

The ssl connection is handled by Erlang. Which Erlang version do you use?

[zookzook]

I have created a MongoDB instance on Atlas. Since the srv option forces the driver to enable TLS, I have no issue to connect to it:

iex [20:57 :: 1] > url = "mongodb+srv://xxx:xxx@cluster0.272727dm4y.mongodb.net/dogs?retryWrites=true&w=majority&appName=Cluster0"
"mongodb+srv://xxx:xxx@cluster0.272727dm4y.mongodb.net/dogs?retryWrites=true&w=majority&appName=Cluster0"
iex [20:57 :: 2] > Mongo.start_link(url: url, name: :stats_mongo, pool_size: 5, timeout: 60_000, checkout_timeout: 60_000, pool_timeout: 5_000, ssl: false, ssl_opts: [verify: :verify_none])
{:ok, #PID<0.203.0>}
iex [20:57 :: 3] > Mongo.show_collections(:stats_mongo) |> Enum.to_list()
20:57:33.989 [info] CMD listCollections "1" [] db=10.8ms (module=Mongo function=do_log/5 line=1952 )

["dogs"]

Keep in mind: by using the srv option, the driver will use TLS even if you set ssl=false. If you want to verify the peer, you can use the ssl configuration:

Mongo.start_link(url: url, name: :stats_mongo, pool_size: 5, timeout: 60_000, checkout_timeout: 60_000, pool_timeout: 5_000, ssl_opts: [verify: :verify_peer, cacerts: :public_key.cacerts_get(), customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]])

The ssl part is handled by Erlang and the driver just passes all options to the ssl module.