Documentation / DOCS-13767

[Server] Setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled) (SERVER-48774)

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.7.0
    • Component/s: manual, Server
    • Labels: None
    • Last comment by Customer: true
    • Story Points: 2
    • Sprint: ServerDocs2020: Mar2 - Mar9, ServerDocs2020: Mar9 - Mar16

      Description

      Downstream Change Summary

      OpenSSL requires a separate function to set ciphers that are exclusive to TLS v1.3 and beyond; see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

      We added a separate setParameter called opensslCipherSuiteConfig which allows you to set these ciphers with a colon-separated list. The format of this list and available ciphers are described on the OpenSSL documentation linked above. We pass the string provided to the configuration option directly to OpenSSL, so it should conform exactly to their standard.

      Description of Linked Ticket

      In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only works for TLSv1.2 and below. 

      If the user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites: "

      The related API for TLSv1.3 is SSL_CTX_set_ciphersuites().

      Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
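The behaviour described above can be reproduced through Python's ssl module, whose set_ciphers() wraps SSL_CTX_set_cipher_list(). This is an added example, not code from the ticket or from ssl_manager_openssl.cpp; the helper names and the two cipher strings are constructed for illustration, and it assumes an interpreter linked against OpenSSL 1.1.1 or later.

```python
import ssl


def tls13_only_context():
    """Server context limited to TLS 1.3, as when TLS1_0, TLS1_1 and TLS1_2 are disabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def tls13_suites(ctx):
    """Names of the TLS 1.3 cipher suites currently enabled on the context."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3")


def apply_cipher_list(spec):
    """Pass spec to the cipher-list API; return (accepted, TLS 1.3 suites afterwards)."""
    ctx = tls13_only_context()
    try:
        ctx.set_ciphers(spec)  # wraps SSL_CTX_set_cipher_list()
        accepted = True
    except ssl.SSLError:
        # OpenSSL returned 0: the string matched no TLS 1.2-or-older cipher.
        accepted = False
    return accepted, tls13_suites(ctx)


if __name__ == "__main__":
    baseline = tls13_suites(tls13_only_context())
    # Constructed sample strings (assumptions, not values from the ticket):
    # a TLS 1.3 suite name, then a TLS 1.2 selector.
    for spec in ("TLS_AES_256_GCM_SHA384", "ECDHE+AESGCM"):
        accepted, suites = apply_cipher_list(spec)
        print(f"{spec!r}: accepted={accepted}, "
              f"TLS 1.3 suites unchanged={suites == baseline}")
```

The second case is the one to check in a deployment review: a cipher list that is accepted still leaves the TLS 1.3 suites at their defaults, so restricting them needs the separate ciphersuites setting.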


              People

              Assignee: Andrew Feierabend (Inactive)
              Reporter: Backlog - Core Eng Program Management Team
              Last commenter: Andrew Feierabend (Inactive)
              Votes: 0
              Watchers: 2