  1. Documentation
  2. DOCS-11541

Docs for SERVER-32981: Disable TLS 1.0 by default

    • Type: Task
    • Resolution: Fixed
    • Priority: Major - P3
    • 3.7.4
    • Affects Version/s: None
    • Component/s: None
    • Labels:

      Documentation Request Summary:

      This change disabled the use of TLS 1.0 in most circumstances*. Clients attempting to connect to such server instances via SSL may fail due to this change as they do not support TLS 1.1 or later**.

      In such (rare) cases, administrators should configure "net.ssl.disabledProtocols = none" in their config YAML file, or specify '--sslDisabledProtocols none' via the command line to re-enable TLS 1.0 support.

      • When mongod/mongos are built with older versions of OpenSSL, TLS 1.0 support will NOT be disabled by default since these versions of OpenSSL do not support TLS 1.1 or later. Additionally, we do not auto-disable TLS 1.0 on OSX regardless of the OpenSSL version used (or even if using Native TLS), since other tooling on the system is likely built against an old version of OpenSSL and would not support TLS 1.0).
        • "Older" versions of OpenSSL are defined as OpenSSL 1.0.0k or earlier.

      Scope of changes:

      • Add section to 4.0 release notes/4.0-compatibility
      • source/includes/options-mongod.yaml
      • source/reference/program/mongod.txt
      • source/reference/program/mongos.txt
      • tutorial/configure-ssl
      • tutorial/upgrade-cluster-to-ssl
      • /tutorial/configure-fips.txt
      • source/core/security-transport-encryption.txt
      • x509 tutorials
        • source/administration/security-checklist.txt
        • source/core/security-encryption.txt
        • source/core/security-internal-authentication.txt
        • source/core/security-x.509.txt
        • source/tutorial/configure-x509-client-authentication.txt
        • source/tutorial/configure-x509-member-authentication.txt
        • source/tutorial/upgrade-keyfile-to-x509.txt

      Impact to other docs outside of this product:

      Per meeting, tickets filed separately per product.

      MVP:

      Resources:

      Engineering Ticket Description:

      TLS 1.0 will be disabled by default on all platforms where MongoDB is linked against OpenSSL 1.0.1 or later.

      A new boolean startup server parameter will be added “enableInsecureTLS1_0” to enable TLS 1.0. It is an error to set this parameter if net.ssl.disabledProtocols contains "noTLS1_0".
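Added example (not part of the ticket and not MongoDB's code): a Python check that applies the default described above to an inventory of mongod/mongos hosts and lists the ones that still accept TLS 1.0. The host names, the inventory layout, the function names, and the rule that an explicit disabledProtocols list replaces the built-in default are assumptions; `TLS1_0` is the option value that disables TLS 1.0 explicitly.

```python
import re

def openssl_triple(version):
    """'1.0.0k' -> (1, 0, 0); the letter suffix is a patch level within x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)[a-z]*", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return tuple(int(g) for g in m.groups())

def tls10_enabled(disabled_protocols, openssl_version, platform):
    """disabled_protocols: the net.ssl.disabledProtocols value, or None if unset.
    platform uses Python's sys.platform names ('linux', 'darwin', ...)."""
    if disabled_protocols is not None:
        tokens = {t.strip() for t in disabled_protocols.split(",") if t.strip()}
        if tokens == {"none"}:
            return True  # the setting the ticket gives for re-enabling TLS 1.0
        # Assumption: an explicit list replaces the built-in default.
        return "TLS1_0" not in tokens
    if platform == "darwin":
        return True  # the ticket: TLS 1.0 is not auto-disabled on OSX
    # Threshold from the engineering description: OpenSSL 1.0.1 or later.
    return openssl_triple(openssl_version) < (1, 0, 1)

# Constructed inventory: (host, disabledProtocols or None, OpenSSL, platform).
SAMPLE_FLEET = [
    ("db-a.example", None, "1.0.2k", "linux"),
    ("db-b.example", None, "1.0.0k", "linux"),
    ("db-c.example", "none", "1.1.1", "linux"),
    ("db-d.example", None, "1.1.1", "darwin"),
    ("db-e.example", "TLS1_0,TLS1_1", "1.0.2k", "linux"),
]

def hosts_accepting_tls10(fleet):
    """Return the hosts whose effective configuration still allows TLS 1.0."""
    return [h for h, dp, ossl, plat in fleet if tls10_enabled(dp, ossl, plat)]

if __name__ == "__main__":
    for host in hosts_accepting_tls10(SAMPLE_FLEET):
        print("TLS 1.0 still accepted:", host)
```
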

            Assignee: kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter: kay.kim@mongodb.com Kay Kim (Inactive)
            Votes: 0
            Watchers: 3

              Created:
              Updated:
              Resolved:
              5 years, 45 weeks, 3 days ago