DOCS-11559

Docs for SERVER-34237: Expose means for shell to disable TLS 1.0

    Details

    • Estimate:
      Medium
    • Last comment by Customer:
      true
    • Story Points:
      1.5

      Description

      This change disables TLS 1.0 encryption when using the shell client if TLS 1.1 or greater is available on the system. This change also adds support for the --sslDisabledProtocols option to the shell client. To make connections using TLS 1.0 with the shell, specify --sslDisabledProtocols 'none'.

      Scope of changes (files that need work and how much)

      • Add section to mongo reference page stating that the 4.0 shell disables TLS 1.0 encryption if the host system supports TLS 1.1 or greater.
      • Add new parameter to mongo reference page: --sslDisabledProtocols
        • specify none for enabling TLS 1.0
        • specify comma-delimited list of protocols to disable.
      • Add section to 4.0 release notes/4.0-compatibility stating that TLS 1.0 is disabled in 4.0+ shell if the host system supports TLS 1.1+. Point to --sslDisabledProtocols : "none" for re-enabling TLS 1.0
      • Add note to the Encryption pages with TLS references that TLS 1.0 is disabled in 4.0+ shell if the host system supports TLS 1.1+, and point to release notes
      • tutorial/configure-ssl-clients
      • backport to 3.6.5
        • just the mongo option and mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)
      • backport to 3.4.15
        • just the mongo option and the mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)

      Optional: Potentially point to the PCI SSC announcement in the release notes for why MongoDB is removing support for TLS 1.0.

      Impact to other docs outside of this product

      • Add a note to the Atlas page for connecting via Shell that the 4.0 shell disables TLS 1.0 if TLS 1.1+ is available on the system. Need to confirm with engineering whether this is something that might cause issues, or is just a 'good to know'. – Will be done per usual via docs needed flag.
      • Other products – also done per usual with docs needed flag.

      MVP (work and date?)

      Resources (e.g. Scope Docs, Invision)

      PCI SSC announcement
      PCI DSS 3.1+ FAQ on early SSL/TLS removal

      Engineering Ticket Description:

      Compliance requirements, such as PCI DSS v3.1, have mandated removal of TLS 1.0 by June 30th 2018. Customers need a way not only to enable newer safe protocols but also to provably disable TLS 1.0. The shell does not currently expose a means of disabling TLS protocols.

              People

              Assignee:
              kay.kim Kay Kim (Inactive)
              Reporter:
              kay.kim Kay Kim (Inactive)