Description
This change disables TLS 1.0 encryption when using the shell client if TLS 1.1 or greater is available on the system. This change also adds support for the --sslDisabledProtocols option to the shell client. To make connections using TLS 1.0 using the shell, specify --sslDisabledProtocols 'none'
Scope of changes (files that need work and how much)
- Add a section to the mongo reference page stating that the 4.0 shell disables TLS 1.0 encryption if the host system supports TLS 1.1 or greater.
- Add the new parameter --sslDisabledProtocols to the mongo reference page:
  - specify 'none' to re-enable TLS 1.0
  - specify a comma-delimited list of protocols to disable
- Add a section to the 4.0 release notes/4.0-compatibility stating that TLS 1.0 is disabled in the 4.0+ shell if the host system supports TLS 1.1+. Point to --sslDisabledProtocols 'none' for re-enabling TLS 1.0.
- Add a note to the Encryption pages with TLS references that TLS 1.0 is disabled in the 4.0+ shell if the host system supports TLS 1.1+, and point to the release notes:
  - tutorial/configure-ssl-clients
- Backport to 3.6.5:
  - just the mongo option and mongo page changes (remove the 4.0 blurb about TLS 1.0 being disabled by default)
- Backport to 3.4.15:
  - just the mongo option and mongo page changes (remove the 4.0 blurb about TLS 1.0 being disabled by default)
Optional: Potentially point to the PCI SSC announcement in the release notes for why MongoDB is removing support for TLS 1.0.
Impact to other docs outside of this product
- Add a note to the Atlas page for connecting via Shell that the 4.0 shell disables TLS 1.0 if TLS 1.1+ is available on the system. Need to confirm with engineering whether this is something that might cause issues, or is just a 'good to know'. – Will be done per usual via docs needed flag.
- Other products – also done per usual with docs needed flag.
MVP (work and date?)
Resources (e.g. Scope Docs, Invision)
PCI SSC announcement
PCI DSS 3.1+ FAQ on early SSL/TLS removal
Engineering Ticket Description:
Compliance requirements, such as PCI DSS v3.1, have mandated removal of TLS 1.0 by June 30th 2018. Customers need a way not only to enable newer safe protocols but also to provably disable TLS 1.0. The shell does not currently expose a means of disabling TLS protocols.
Issue links:
- documents: SERVER-34237 Expose means for shell to disable TLS 1.0 (Closed)
- related to: DOCS-11541 Docs for SERVER-32981: Disable TLS 1.0 by default (Closed)