Core Server / SERVER-101928

Correctly return protocol_version alert when TLS 1.2 or TLS 1.3 disabled

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Server Security
    • Security 2025-03-17

      When we are handshaking on ingress TLS connections, we attempt to determine which TLS protocol version the client is requesting and return a clear error if it requests an unsupported protocol. However, we cannot distinguish between TLS 1.2 and TLS 1.3 connections: https://github.com/10gen/mongo/blob/bbe81edfb4d3dcfb204f33e6ab171a49b2c704ee/src/mongo/transport/asio/asio_utils.cpp#L348-L351

      This means that connections rejected because TLS 1.2 or TLS 1.3 is disabled will not receive the correct protocol_version alert; the server will instead simply close the connection.

      Now that we support platforms running OpenSSL 1.1.1+, which supports TLS 1.3, we should fix this logic. Supporting TLS 1.3 in Atlas clusters is tracked in CLOUDP-124859.
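The reason 1.2 and 1.3 cannot be told apart from the version bytes alone is that a TLS 1.3 ClientHello still carries legacy_version 0x0303 and announces 1.3 only in the supported_versions extension (RFC 8446 section 4.2.1). The following Python is an added illustration, not MongoDB's code and not the asio_utils.cpp logic linked above: it parses a ClientHello, reads supported_versions when present, and decides whether a protocol_version alert is the right response given which versions the server has enabled. The function names and the constructed sample hellos (build_client_hello) are this example's own.

```python
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SUPPORTED_VERSIONS = 43  # RFC 8446 section 4.2.1

def offered_versions(client_hello):
    """Return the versions a ClientHello offers, highest first.
    A TLS 1.3 client always sends legacy_version 0x0303, so the record/handshake
    version bytes alone cannot separate 1.2 from 1.3; supported_versions can."""
    # 5-byte record header (type 0x16) then 4-byte handshake header (type 0x01)
    if len(client_hello) < 9 or client_hello[0] != 0x16 or client_hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = client_hello[9:]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):                                  # no extensions block at all
        return [legacy_version]
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == EXT_SUPPORTED_VERSIONS:
            n = body[pos]                                 # byte length of the version list
            vals = struct.unpack("!%dH" % (n // 2), body[pos + 1:pos + 1 + n])
            return sorted(vals, reverse=True)
        pos += elen
    return [legacy_version]                               # pre-1.3 client

def handshake_decision(client_hello, enabled_versions):
    """'proceed' if the client offers an enabled version, else the alert to send."""
    if any(v in enabled_versions for v in offered_versions(client_hello)):
        return "proceed"
    return "alert:protocol_version"                       # TLS alert code 70

def build_client_hello(versions=None):
    """Constructed minimal ClientHello; versions=None omits supported_versions."""
    body = (struct.pack("!H", TLS12) + bytes(32) + b"\x00"  # legacy_version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00")            # one cipher suite, null compression
    if versions is not None:
        vs = b"".join(struct.pack("!H", v) for v in versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A server that only inspects the two version bytes sees 0x0303 for both a 1.2-only and a 1.3-only client, which is exactly why it cannot pick the right alert without walking the extensions.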

            Assignee: Unassigned
            Reporter: Erin McNulty (erin.mcnulty@mongodb.com)
            Votes: 0
            Watchers: 8
