DOCS-11541

Docs for SERVER-32981: Disable TLS 1.0 by default

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.7.4
    • Component/s: None
    • Labels:
    • # Replies:
      6
    • Last comment by Customer:
      true
    • Sprint:
      KANBAN BUCKET

      Description

      Documentation Request Summary:

      This change disabled the use of TLS 1.0 in most circumstances*. Clients attempting to connect to such server instances via SSL may fail due to this change as they do not support TLS 1.1 or later**.

      In such (rare) cases, administrators should configure "net.ssl.disabledProtocols = none" in their config YAML file, or specify '--sslDisabledProtocols none' via the command line to re-enable TLS 1.0 support.

      * When mongod/mongos are built with older versions of OpenSSL, TLS 1.0 support will NOT be disabled by default, since these versions of OpenSSL do not support TLS 1.1 or later. Additionally, we do not auto-disable TLS 1.0 on OSX regardless of the OpenSSL version used (or even if using Native TLS), since other tooling on the system is likely built against an old version of OpenSSL and would not support TLS 1.0.
      ** "Older" versions of OpenSSL are defined as OpenSSL 1.0.0k or earlier.

      Scope of changes:

      • Add section to 4.0 release notes/4.0-compatibility
      • source/includes/options-mongod.yaml
      • source/reference/program/mongod.txt
      • source/reference/program/mongos.txt
      • tutorial/configure-ssl
      • tutorial/upgrade-cluster-to-ssl
      • /tutorial/configure-fips.txt
      • source/core/security-transport-encryption.txt
      • x509 tutorials
        • source/administration/security-checklist.txt
        • source/core/security-encryption.txt
        • source/core/security-internal-authentication.txt
        • source/core/security-x.509.txt
        • source/tutorial/configure-x509-client-authentication.txt
        • source/tutorial/configure-x509-member-authentication.txt
        • source/tutorial/upgrade-keyfile-to-x509.txt

      Impact to other docs outside of this product:

      Per meeting, tickets are filed separately per product.

      MVP:

      Resources:

      Engineering Ticket Description:

      TLS 1.0 will be disabled by default on all platforms where MongoDB is linked against OpenSSL 1.0.1 or later.

      A new boolean startup server parameter, “enableInsecureTLS1_0”, will be added to enable TLS 1.0. It is an error to set this parameter if net.ssl.disabledProtocols contains "noTLS1_0".
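The following is an added example, not part of the ticket or of MongoDB's code: a small audit helper that reads a mongod YAML config and reports whether TLS 1.0 would still be accepted under the rules described above. The function names, the sample configs, the `darwin` platform string for OSX, the `TLS1_0` token for explicit lists, and the rule that an explicit list replaces the default are assumptions.

```python
import re

# Constructed sample configs (not taken from the ticket).
REENABLED = "net:\n  port: 27017\n  ssl:\n    mode: requireSSL\n    disabledProtocols: none\n"
DEFAULTED = "net:\n  ssl:\n    mode: requireSSL\n"
EXPLICIT = "net:\n  ssl:\n    disabledProtocols: TLS1_0,TLS1_1\n"

def disabled_protocols(conf_text):
    """Return net.ssl.disabledProtocols from a block-style YAML config, or None."""
    path = []  # stack of (indent, key) for the mapping we are currently inside
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        m = re.match(r"^(\s*)([\w.]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        indent, key = len(m.group(1)), m.group(2)
        while path and path[-1][0] >= indent:         # leave deeper or sibling keys
            path.pop()
        path.append((indent, key))
        if ".".join(k for _, k in path) == "net.ssl.disabledProtocols":
            return m.group(3).strip("'\" ")
    return None

def openssl_is_older(version):
    """True for OpenSSL 1.0.0k or earlier, the ticket's definition of 'older'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    return (int(m[1]), int(m[2]), int(m[3]), m[4]) <= (1, 0, 0, "k")

def tls10_accepted(conf_text, openssl_version, platform):
    """Would this server still accept TLS 1.0 connections?"""
    value = disabled_protocols(conf_text)
    if value is None:
        # Default: TLS 1.0 is disabled, except on older OpenSSL builds and on OSX.
        return openssl_is_older(openssl_version) or platform == "darwin"
    if value.lower() == "none":
        return True                                   # explicit re-enable
    # Assumption: an explicit list replaces the default, so TLS 1.0 is
    # refused only when the list names it.
    return "TLS1_0" not in [p.strip() for p in value.split(",")]

if __name__ == "__main__":
    for name, conf in (("reenabled", REENABLED), ("defaulted", DEFAULTED), ("explicit", EXPLICIT)):
        print(name, "accepts TLS 1.0:", tls10_accepted(conf, "1.0.2k", "linux"))
```

A `True` result on a host that is not expected to serve legacy clients marks a config worth reviewing.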
