Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-11541

Docs for SERVER-32981: Disable TLS 1.0 by default

    XMLWordPrintableJSON

Details

    • Task
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 3.7.4
    • None

    Description

      Documentation Request Summary:

      This change disabled the use of TLS 1.0 in most circumstances*. Clients attempting to connect to such server instances via SSL may fail due to this change as they do not support TLS 1.1 or later**.

      In such (rare) cases, administrators should configure "net.ssl.disabledProtocols = none" in their config YaML file, or specify '--sslDisabledProtocols none' via the command line to re-enable TLS 1.0 support.

      • When mongod/mongos are built with older versions of OpenSSL, TLS 1.0 support will NOT be disabled by default since these versions of OpenSSL do not support TLS 1.1 or later. Additionally, we do not auto-disable TLS 1.0 on OSX regardless of the OpenSSL version used (or even if using Native TLS), since other tooling on the system is likely built against an old version of OpenSSL and would not support TLS 1.0).
        • "Older" vesions of OpenSSL is defined as OpenSSL 1.0.0k or earlier.

      Scope of changes:

      • Add section to 4.0 release notes/4.0-compatibility
      • source/includes/options-mongod.yaml
      • source/reference/program/mongod.txt
      • source/reference/program/mongos.txt
      • tutorial/configure-ssl
      • tutorial/upgrade-cluster-to-ssl
      • /tutorial/configure-fips.txt
      • source/core/security-transport-encryption.txt
      • x509 tutorials
        • source/administration/security-checklist.txt
        • source/core/security-encryption.txt
        • source/core/security-internal-authentication.txt
        • source/core/security-x.509.txt
        • source/tutorial/configure-x509-client-authentication.txt
        • source/tutorial/configure-x509-member-authentication.txt
        • source/tutorial/upgrade-keyfile-to-x509.txt

      Impact to other docs outside of this product:

      per meeting, tickets filed separate per product

      MVP:

      Resources:

      Engineering Ticket Description:

      TLS 1.0 will be disabled by default on all platforms where MongoDB is linked against OpenSSL 1.0.1 or later.

      A new boolean startup server parameter will be added “enableInsecureTLS1_0” to enable TLS 1.0. It is an error to set this parameter if net.ssl.disabledProtocols contains "noTLS1_0".

      Attachments

        Issue Links

          documents

          Task - A task that needs to be done. SERVER-32981 Disable TLS 1.0 by default

          • Major - P3 - Major loss of function.
          • Closed
          is related to

          Task - A task that needs to be done. DOCS-11559 Docs for SERVER-34237: Expose means for shell to disable TLS 1.0

          • Major - P3 - Major loss of function.
          • Closed

          Activity

            People

              kay.kim@mongodb.com Kay Kim (Inactive)
              kay.kim@mongodb.com Kay Kim (Inactive)
              Jess Mokrzecki Jess Mokrzecki
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                5 years, 1 day ago