- Type: Task
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Labels: None
Description
OpenSSL requires a separate function to set ciphers that are exclusive to TLS v1.3 and beyond; see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
We added a separate setParameter called opensslCipherSuiteConfig, which lets you set these ciphers as a colon-separated list. The format of this list and the available ciphers are described in the OpenSSL documentation linked above. The string provided to the configuration option is passed directly to OpenSSL, so it should conform exactly to OpenSSL's format.
Description of Linked Ticket
In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only works for TLSv1.2 and below.
If a user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites: "
The related API for TLSv1.3 is SSL_CTX_set_ciphersuites().
Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
- documents SERVER-48774 setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled) - Closed