Details
- Task
- Status: Closed
- Major - P3
- Resolution: Fixed
- KANBAN BUCKET
Description
Documentation Request Summary:
This change disabled the use of TLS 1.0 in most circumstances*. Clients attempting to connect to such server instances via SSL may fail due to this change if they do not support TLS 1.1 or later**.
In such (rare) cases, administrators should configure "net.ssl.disabledProtocols = none" in their config YAML file, or specify '--sslDisabledProtocols none' via the command line, to re-enable TLS 1.0 support.
* When mongod/mongos are built with older versions of OpenSSL, TLS 1.0 support will NOT be disabled by default, since these versions of OpenSSL do not support TLS 1.1 or later. Additionally, we do not auto-disable TLS 1.0 on OSX regardless of the OpenSSL version used (or even if using Native TLS), since other tooling on the system is likely built against an old version of OpenSSL and would not support TLS 1.0.
** "Older" versions of OpenSSL are defined as OpenSSL 1.0.0k or earlier.
Scope of changes:
- Add section to 4.0 release notes/4.0-compatibility
- source/includes/options-mongod.yaml
- source/reference/program/mongod.txt
- source/reference/program/mongos.txt
- tutorial/configure-ssl
- tutorial/upgrade-cluster-to-ssl
- /tutorial/configure-fips.txt
- source/core/security-transport-encryption.txt
- x509 tutorials
- source/administration/security-checklist.txt
- source/core/security-encryption.txt
- source/core/security-internal-authentication.txt
- source/core/security-x.509.txt
- source/tutorial/configure-x509-client-authentication.txt
- source/tutorial/configure-x509-member-authentication.txt
- source/tutorial/upgrade-keyfile-to-x509.txt
Impact to other docs outside of this product:
Per meeting, tickets filed separately per product.
MVP:
Resources:
Engineering Ticket Description:
TLS 1.0 will be disabled by default on all platforms where MongoDB is linked against OpenSSL 1.0.1 or later.
A new boolean startup server parameter, "enableInsecureTLS1_0", will be added to enable TLS 1.0. It is an error to set this parameter if net.ssl.disabledProtocols contains "noTLS1_0".
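The two descriptions above (the documentation summary and the engineering ticket) together define when TLS 1.0 ends up enabled. The following audit helper is an added example, not code from the ticket or from MongoDB: it applies those rules to an already-parsed mongod/mongos configuration and reports the resulting posture. It assumes the build's OpenSSL version and host platform are passed in as plain values and that the startup parameter lives under "setParameter" in the config file.

```python
# Added example (not MongoDB code): audit the TLS 1.0 posture of a parsed
# mongod/mongos config dict against the rules in the ticket. Assumptions:
# openssl_version is a tuple like (1, 0, 0, "k"), platform is "linux"/"darwin",
# and the enableInsecureTLS1_0 startup parameter sits under "setParameter".

NEW_OPENSSL_MIN = (1, 0, 1)  # TLS 1.0 is disabled by default from OpenSSL 1.0.1 on

def _disabled_protocols(config):
    # net.ssl.disabledProtocols as a string, or "" when it is not set
    return str(config.get("net", {}).get("ssl", {}).get("disabledProtocols", "")).strip()

def _insecure_tls10_param(config):
    # True when the enableInsecureTLS1_0 startup parameter is set
    params = config.get("setParameter") or {}
    return bool(params.get("enableInsecureTLS1_0", False))

def tls10_posture(config, openssl_version=(1, 0, 1), platform="linux"):
    """Return (state, reason); state is 'enabled', 'disabled' or 'invalid'."""
    disabled = _disabled_protocols(config)
    insecure = _insecure_tls10_param(config)
    # Explicit settings win over the build/platform defaults.
    if insecure and "noTLS1_0" in disabled:
        return "invalid", "enableInsecureTLS1_0 conflicts with disabledProtocols noTLS1_0"
    if insecure:
        return "enabled", "enableInsecureTLS1_0 re-enables TLS 1.0"
    if disabled == "none":
        return "enabled", "net.ssl.disabledProtocols=none re-enables TLS 1.0"
    if "noTLS1_0" in disabled:
        return "disabled", "net.ssl.disabledProtocols explicitly disables TLS 1.0"
    # No explicit setting: fall back to the defaults the ticket describes.
    if platform == "darwin":
        return "enabled", "OSX: TLS 1.0 is not auto-disabled"
    if tuple(openssl_version[:3]) < NEW_OPENSSL_MIN:
        return "enabled", "OpenSSL 1.0.0k or earlier: TLS 1.1+ unavailable"
    return "disabled", "OpenSSL 1.0.1 or later: TLS 1.0 disabled by default"

# Constructed sample configs, equivalent to small mongod.conf files.
SAMPLE_DEFAULT = {"net": {"ssl": {"mode": "requireSSL"}}}
SAMPLE_LEGACY_CLIENTS = {"net": {"ssl": {"mode": "requireSSL", "disabledProtocols": "none"}}}
SAMPLE_CONFLICT = {"net": {"ssl": {"disabledProtocols": "noTLS1_0"}},
                   "setParameter": {"enableInsecureTLS1_0": True}}

if __name__ == "__main__":
    for name, cfg in [("default", SAMPLE_DEFAULT), ("legacy", SAMPLE_LEGACY_CLIENTS),
                      ("conflict", SAMPLE_CONFLICT)]:
        print(name, *tls10_posture(cfg))
```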
Issue Links
- documents: SERVER-32981 Disable TLS 1.0 by default (Closed)
- is related to: DOCS-11559 Docs for SERVER-34237: Expose means for shell to disable TLS 1.0 (Closed)