- Type: Bug
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Security 2025-03-17
When we are handshaking on ingress TLS connections, we attempt to decipher which TLS protocol we are using and return a clear error statement if the user requests an unsupported protocol. However, we cannot distinguish between TLS 1.2 and 1.3 connections: https://github.com/10gen/mongo/blob/bbe81edfb4d3dcfb204f33e6ab171a49b2c704ee/src/mongo/transport/asio/asio_utils.cpp#L348-L351
This means that connections rejected because TLS 1.2 or TLS 1.3 is disabled will not return the correct protocol_version alert, and instead will simply close the connection.
Now that we are supporting platforms running OpenSSL 1.1.1+, which supports TLS 1.3, we should fix this logic. Supporting TLS 1.3 in Atlas clusters is tracked in CLOUDP-124859.
- related to: SERVER-33329 Server and Shell do not emit TLS "protocol_version" alert messages (Closed)
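For reference, an added example (not MongoDB's code and not from this ticket) of telling a TLS 1.2 ClientHello from a TLS 1.3 one: per RFC 8446 both carry `legacy_version` 0x0303, and a TLS 1.3 client lists its real versions in the `supported_versions` extension (type 43). The names `offeredVersions`, `needsProtocolVersionAlert` and `makeHello` are hypothetical, and the sample hello is constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>
using Bytes = std::vector<uint8_t>;
using Versions = std::vector<uint16_t>;
// Versions a ClientHello record offers; empty if it is not a parseable ClientHello.
Versions offeredVersions(const Bytes& b) {
    size_t pos = 0; bool ok = true;
    auto get = [&](size_t n) {       // bounds-checked big-endian read of n <= 4 bytes
        uint32_t v = 0;
        for (ok = ok && n <= b.size() - pos; ok && n; --n) v = (v << 8) | b[pos++];
        return v;
    };
    auto skip = [&](size_t n) { ok = ok && n <= b.size() - pos; if (ok) pos += n; };
    if (get(1) != 0x16) return {};   // record type 22: handshake
    skip(4);                         // record version and length
    if (get(1) != 0x01) return {};   // handshake type 1: client_hello
    skip(3);                         // handshake length
    uint32_t legacy = std::min<uint32_t>(get(2), 0x0303);  // 0x0303 for TLS 1.2 and 1.3 alike
    skip(32); skip(get(1)); skip(get(2)); skip(get(1));    // random, session id, suites, compression
    Versions out;
    size_t end = pos < b.size() ? get(2) : 0u;             // extensions are optional before TLS 1.3
    for (end += pos; ok && pos + 4 <= end;) {
        uint32_t type = get(2), len = get(2);
        if (type != 43) { skip(len); continue; }           // 43 = supported_versions
        for (uint32_t n = get(1) / 2; ok && n--;) out.push_back(uint16_t(get(2)));
        return ok ? out : Versions();
    }
    for (uint32_t v = 0x0300; ok && v <= legacy; ++v) out.push_back(uint16_t(v));  // legacy_version is a maximum
    return out;
}

// True when the hello parses but offers nothing in `enabled`: the case for alert 70 (protocol_version).
bool needsProtocolVersionAlert(const Bytes& hello, const Versions& enabled) {
    Versions o = offeredVersions(hello);
    return !o.empty() && std::find_first_of(o.begin(), o.end(), enabled.begin(), enabled.end()) == o.end();
}

// Constructed sample input: minimal ClientHello; an empty `sv` omits supported_versions.
Bytes makeHello(const Versions& sv) {
    Bytes h = {0x16, 3, 1, 0, 0, 1, 0, 0, 0, 3, 3};   // record + handshake headers, legacy_version
    h.resize(h.size() + 32, 0xAA);                    // random
    h.insert(h.end(), {0, 0, 2, 0x13, 0x01, 1, 0});   // empty session id, one suite, null compression
    const int n = int(sv.size()) * 2;                 // bytes in the version list
    if (n) h.insert(h.end(), {0, uint8_t(n + 5), 0, 43, 0, uint8_t(n + 1), uint8_t(n)});
    for (uint16_t v : sv) { h.push_back(uint8_t(v >> 8)); h.push_back(uint8_t(v)); }
    h[4] = uint8_t(h.size() - 5); h[8] = uint8_t(h.size() - 9);  // patch the two length fields
    return h;
}
int main() { return needsProtocolVersionAlert(makeHello({0x0304}), {0x0303}) ? 0 : 1; }
```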