This change disabled the use of TLS 1.0 in most circumstances*. Clients that connect to such server instances via SSL may fail because of this change if they do not support TLS 1.1 or later**.
In such (rare) cases, administrators should set "net.ssl.disabledProtocols = none" in their YAML config file, or specify '--sslDisabledProtocols none' on the command line, to re-enable TLS 1.0 support.
- When mongod/mongos are built with older versions of OpenSSL, TLS 1.0 support will NOT be disabled by default, since these versions of OpenSSL do not support TLS 1.1 or later. Additionally, we do not auto-disable TLS 1.0 on OSX regardless of the OpenSSL version used (or even if using Native TLS), since other tooling on the system is likely built against an old version of OpenSSL and would not support TLS 1.0.
- "Older" versions of OpenSSL are defined as OpenSSL 1.0.0k or earlier.
- Add section to 4.0 release notes/4.0-compatibility
- x509 tutorials
per meeting, tickets filed separate per product
TLS 1.0 will be disabled by default on all platforms where MongoDB is linked against OpenSSL 1.0.1 or later.
A new boolean startup server parameter, “enableInsecureTLS1_0”, will be added to enable TLS 1.0. It is an error to set this parameter if net.ssl.disabledProtocols contains "noTLS1_0".
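As an added example (not MongoDB's code), the Python sketch below applies the default-disable rule and the '--sslDisabledProtocols' override described above to a constructed host inventory, listing the instances that still accept TLS 1.0. Assumptions: an explicitly set protocol list replaces the default, the TLS 1.0 token is either TLS1_0 or the noTLS1_0 spelling used above, and all function names, platform labels and inventory entries are hypothetical.

```python
import re

def openssl_supports_tls11(version):
    """True for OpenSSL 1.0.1 or later, the threshold the text gives for TLS 1.1+."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)([a-z]*)$", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    # Every 1.0.0 letter release (1.0.0k included) compares below 1.0.1.
    return tuple(int(g) for g in m.group(1, 2, 3)) >= (1, 0, 1)

def disabled_protocols_from_argv(argv):
    """Return the --sslDisabledProtocols value from a command line, or None if unset."""
    for i, arg in enumerate(argv):
        if arg.startswith("--sslDisabledProtocols="):
            return arg.split("=", 1)[1]
        if arg == "--sslDisabledProtocols" and i + 1 < len(argv):
            return argv[i + 1]
    return None

def tls10_enabled(openssl_version, platform, disabled_protocols=None):
    """Effective TLS 1.0 state of one mongod/mongos instance."""
    if disabled_protocols is not None:
        tokens = {t.strip() for t in disabled_protocols.split(",")}
        if "none" in tokens:
            return True  # the documented way to re-enable TLS 1.0
        # Assumption: an explicit list replaces the default; both token spellings accepted.
        return not tokens & {"TLS1_0", "noTLS1_0"}
    if platform in ("osx", "macos"):
        return True  # TLS 1.0 is never auto-disabled on OSX
    return not openssl_supports_tls11(openssl_version)

# Constructed inventory: (host, OpenSSL version, platform label, mongod argv).
INVENTORY = [
    ("db-a", "1.0.2u", "linux", ["mongod", "--sslMode", "requireSSL"]),
    ("db-b", "1.0.0k", "linux", ["mongod", "--sslMode", "requireSSL"]),
    ("db-c", "1.0.2u", "osx", ["mongod"]),
    ("db-d", "1.1.1", "linux", ["mongod", "--sslDisabledProtocols", "none"]),
    ("db-e", "1.0.2u", "linux", ["mongod", "--sslDisabledProtocols=TLS1_0,TLS1_1"]),
]

def hosts_accepting_tls10(inventory):
    """Names of the instances where TLS 1.0 is still accepted."""
    return [host for host, ver, plat, argv in inventory
            if tls10_enabled(ver, plat, disabled_protocols_from_argv(argv))]

if __name__ == "__main__":
    print(hosts_accepting_tls10(INVENTORY))
```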