DOCS-11559

Docs for SERVER-34237: Expose means for shell to disable TLS 1.0

      Description

      This change disables TLS 1.0 encryption when using the shell client if TLS 1.1 or greater is available on the system. This change also adds support for the --sslDisabledProtocols option to the shell client. To make connections with TLS 1.0 from the shell, specify --sslDisabledProtocols 'none'.

      Scope of changes (files that need work and how much)

      • Add a section to the mongo reference page stating that the 4.0 shell disables TLS 1.0 encryption if the host system supports TLS 1.1 or greater.
      • Add the new parameter --sslDisabledProtocols to the mongo reference page
        • specify none to enable TLS 1.0
        • specify a comma-delimited list of protocols to disable.
      • Add a section to the 4.0 release notes/4.0-compatibility stating that TLS 1.0 is disabled in the 4.0+ shell if the host system supports TLS 1.1+. Point to --sslDisabledProtocols : "none" for re-enabling TLS 1.0.
      • Add a note to the Encryption pages with TLS references that TLS 1.0 is disabled in the 4.0+ shell if the host system supports TLS 1.1+, and point to the release notes
      • tutorial/configure-ssl-clients
      • backport to 3.6.5
        • just the mongo option and mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)
      • backport to 3.4.15
        • just the mongo option and the mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)

      Optional: Potentially point to the PCI SSC announcement in the release notes for why MongoDB is removing support for TLS 1.0.

      Impact to other docs outside of this product

      • Add a note to the Atlas page for connecting via Shell that the 4.0 shell disables TLS 1.0 if TLS 1.1+ is available on the system. Need to confirm with engineering whether this is something that might cause issues, or is just a 'good to know'. – Will be done per usual via docs needed flag.
      • Other products – also done per usual with docs needed flag.

      MVP (work and date?)

      Resources (e.g. Scope Docs, Invision)

      PCI SSC announcement
      PCI DSS 3.1+ FAQ on early SSL/TLS removal

      Engineering Ticket Description:

      Compliance requirements, such as PCI DSS v3.1, have mandated removal of TLS 1.0 by June 30th 2018. Customers need a way not only to enable newer safe protocols but also to provably disable TLS 1.0. The shell does not currently expose a means of disabling TLS protocols.
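
An added example, not part of the ticket or of MongoDB's code: a small audit that decides whether a given shell invocation can still negotiate TLS 1.0, following the defaults described above (4.0+ drops TLS 1.0 when the host has TLS 1.1+; the 3.6.5 and 3.4.15 backports only add the option). The protocol tokens `TLS1_0`, `TLS1_1`, `TLS1_2` are not listed on this page, and the code assumes an explicit list replaces the built-in default; the sample commands and host name are constructed.

```python
import shlex

FLAG = "--sslDisabledProtocols"
# Protocol tokens MongoDB accepts for this option; the ticket does not list them.
KNOWN = {"TLS1_0", "TLS1_1", "TLS1_2"}

def disabled_protocols(argv):
    """Return the set named by the flag, or None when the flag is absent."""
    value = None
    for i, arg in enumerate(argv):
        if arg == FLAG and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(FLAG + "="):
            value = arg.split("=", 1)[1]
    if value is None:
        return None
    if value == "none":           # explicit "disable nothing"
        return set()
    tokens = {t.strip() for t in value.split(",") if t.strip()}
    if tokens - KNOWN:
        raise ValueError(f"unknown protocol(s): {sorted(tokens - KNOWN)}")
    return tokens

def tls10_allowed(version, argv, host_has_tls11=True):
    """True if this shell invocation may still negotiate TLS 1.0."""
    explicit = disabled_protocols(argv)
    if explicit is not None:      # assumption: an explicit list replaces the default
        return "TLS1_0" not in explicit
    # No flag: only the 4.0+ shell drops TLS 1.0, and only if the host has 1.1+.
    return not (version >= (4, 0) and host_has_tls11)

# Constructed sample invocations (host name is a placeholder).
SAMPLES = [
    ((4, 0, 0), "mongo --ssl --host db.example.net"),
    ((4, 0, 0), "mongo --ssl --host db.example.net --sslDisabledProtocols none"),
    ((3, 6, 5), "mongo --ssl --host db.example.net"),
    ((3, 6, 5), "mongo --ssl --host db.example.net --sslDisabledProtocols TLS1_0,TLS1_1"),
]

def audit(samples):
    """Return the invocations that leave TLS 1.0 enabled."""
    return [(v, cmd) for v, cmd in samples if tls10_allowed(v, shlex.split(cmd))]

if __name__ == "__main__":
    for version, cmd in audit(SAMPLES):
        print("TLS 1.0 still allowed:", ".".join(map(str, version)), cmd)
```

The two invocations it flags are the 4.0 shell run with `none` and the backported 3.6.5 shell run without the option, which are the cases a PCI DSS review would need to see changed.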

            Assignee:
            kay.kim@mongodb.com Kay Kim (Inactive)
            Reporter:
            kay.kim@mongodb.com Kay Kim (Inactive)

              Created:
              Updated:
              Resolved:
              6 years, 7 weeks, 5 days ago