DOCS-13767

[Server] Setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled) (SERVER-48774)

      Description

      Downstream Change Summary

      OpenSSL requires a separate function to set ciphers that are exclusive to TLS v1.3 and beyond; see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

      We added a separate setParameter called opensslCipherSuiteConfig which allows you to set these ciphers with a colon-separated list. The format of this list and the available ciphers are described in the OpenSSL documentation linked above. We pass the string provided to the configuration option directly to OpenSSL, so it must conform exactly to OpenSSL's syntax.

      Description of Linked Ticket

      In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only works for TLSv1.2 and below. 

      If a user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites: "

      The related API for TLSv1.3 is SSL_CTX_set_ciphersuites().

      Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
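      Added example (not code from this ticket, from MongoDB or from OpenSSL) reproducing the condition above with Python's ssl module, whose SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(); the module has no wrapper for SSL_CTX_set_ciphersuites(), which is exactly why a separate parameter is needed to configure the TLS 1.3 suites. It assumes CPython linked against OpenSSL 1.1.1 or later; split_cipher_config is a hypothetical helper and the cipher strings are constructed for illustration.

```python
import ssl

# TLS 1.3 ciphersuite names (RFC 8446) that OpenSSL accepts in
# SSL_CTX_set_ciphersuites(); any other name in that call is rejected.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def split_cipher_config(config: str):
    """Hypothetical helper: split one colon-separated cipher string into the
    part for SSL_CTX_set_cipher_list() (TLS 1.2 and below) and the part for
    SSL_CTX_set_ciphersuites() (TLS 1.3), rejecting unknown TLS_* names."""
    legacy, tls13 = [], []
    for name in filter(None, config.split(":")):
        if name.startswith("TLS_"):
            if name not in TLS13_SUITES:
                raise ValueError(f"unknown TLS 1.3 ciphersuite: {name}")
            tls13.append(name)
        else:
            legacy.append(name)
    return ":".join(legacy), ":".join(tls13)


def cipher_list_accepts(config: str) -> bool:
    """True if SSL_CTX_set_cipher_list() (wrapped by SSLContext.set_ciphers)
    accepts the string, i.e. it selects at least one TLS 1.2-or-lower cipher.
    A string made only of TLS 1.3 names yields "No cipher can be selected",
    the same failure the ticket reports when only TLS 1.3 is enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # TLS 1.0-1.2 disabled
    try:
        ctx.set_ciphers(config)
    except ssl.SSLError:
        return False
    return True


def enabled_tls13_suites(config: str):
    """TLS 1.3 suites still enabled after set_ciphers(config): the cipher
    list string never touches them, so they stay at OpenSSL's default."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(config)
    return sorted(c["name"] for c in ctx.get_ciphers()
                  if c["protocol"] == "TLSv1.3")
```

      Checking enabled_tls13_suites() after configuring a server is the quick way to confirm that a cipher-list setting did not silently leave the TLS 1.3 defaults in place.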


      Scope of changes

      Impact to Other Docs

      MVP (Work and Date)

      Resources (Scope or Design Docs, Invision, etc.)

            Assignee:
            andrew.feierabend@mongodb.com Andrew Feierabend (Inactive)
            Reporter:
            backlog-server-pm Backlog - Core Eng Program Management Team

              Resolved:
              3 years, 6 weeks, 5 days ago