Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-11559

Docs for SERVER-34237: Expose means for shell to disable TLS 1.0

      Description

      This change disables TLS 1.0 encryption when using the shell client if TLS 1.1 or greater is available on the system. This change also adds support for the --sslDisabledProtocols option to the shell client. To make connections using TLS 1.0 using the shell, specify --sslDisabledProtocols 'none'

      Scope of changes (files that need work and how much)

      • Add section to mongo reference page stating that 4.0 shell disables TLS 1.0 encryption if the host system supports TLS1.1 or greater.
      • Add new parameter to mongo reference page --sslDisabledProtocols
        • specify none for enabling TLS 1.0
        • specify comma delimited list of protocols to disable.
      • Add section to 4.0 release notes/4.0-compatibility stating that TLS 1.0 is disabled in 4.0+ shell if the host system supports TLS 1.1+. Point to --sslDisabledProtocols : "none" for re-enabling TLS1.0
      • Add note to the Encryption pages with TLS references that TLS 1.0 is disabled in 4.0+ shell if the host system supports TLS 1.1+, and point to release notes
      • tutorial/configure-ssl-clients
      • backport to 3.6.5
        • just the mongo option and mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)
      • backport to 3.4.15
        • just the mongo option and the mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)

      Optional: Potentially point to the PCI SSC announcement in the release notes for why MongoDB is removing support for TLS 1.0.

      Impact to other docs outside of this product

      • Add a note to the Atlas page for connecting via Shell that the 4.0 shell disables TLS 1.0 if TLS 1.1+ is available on the system. Need to confirm with engineering whether this is something that might cause issues, or is just a 'good to know'. – Will be done per usual via docs needed flag.
      • Other products – also done per usual with docs needed flag.

      MVP (work and date?)

      Resources (e.g. Scope Docs, Invision)

      PCI SSC announcement
      PCI DSS 3.1+ FAQ on earl SSL/TLS removal

      Engineering Ticket Description:

      Compliance requirements, such as PCI DSS v3.1, have mandated removal of TLS 1.0 by June 30th 2018. customers need a way not only to enable newer safe protocols but also to provably disable TLS 1.0. shell does not currently expose a means of disabling TLS protocols

            Assignee:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved:
              6 years, 1 week, 6 days ago