ISSUE DESCRIPTION AND IMPACT
When MongoDB is configured for FIPS mode on Linux systems that provide OpenSSL 3 for cryptographic operations, MongoDB may use cryptographic algorithms from non-FIPS-compliant providers. This can result, for example, in MongoDB allowing client connections with TLS using non-FIPS-compliant algorithms.
DIAGNOSIS AND AFFECTED VERSIONS
MongoDB 6.0 and later are affected when configured for FIPS mode on Linux systems using OpenSSL 3, when OpenSSL is configured to implicitly or explicitly activate the "default" cryptography provider. On most Linux systems the default OpenSSL 3 configuration explicitly activates the "default" provider.
If using MongoDB Ops Manager, FIPS mode is enabled via the tlsFIPSMode setting.
REMEDIATION AND WORKAROUNDS
Workaround
Upgrading to MongoDB 6.0.26, 7.0.23 or 8.0.13 prevents this issue from occurring.
On versions prior to 6.0.26, 7.0.23, and 8.0.13, configuring OpenSSL 3 to use the FIPS module by default (by explicitly activating only the "fips" and "base" providers in its configuration) and then restarting MongoDB prevents this issue from occurring. The "fips" and "base" providers must be explicitly activated in the OpenSSL 3 configuration; OpenSSL 3 implicitly activates the "default" provider if no other provider is configured.
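As an added illustration (not from the advisory or MongoDB), the following Python models how OpenSSL 3 decides which providers a configuration activates, including the implicit "default" fallback described above. It skips the `.include` of fipsmodule.cnf that a real deployment uses, so the `[fips_sect]` is written inline in the constructed samples, and the set of accepted `activate` values is an assumption.

```python
# Added example, not from the advisory or MongoDB: audit which providers an
# OpenSSL 3 config activates, modelling the implicit-"default" rule above.

def _parse(cfg):
    """Minimal openssl.cnf reader -> {section: {key: value}}; top-level keys under ''."""
    sections, cur = {"": {}}, ""
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("."): continue  # skip blanks and .include
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].strip()
            sections.setdefault(cur, {})
        elif "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            sections[cur][key] = val
    return sections

def active_providers(cfg):
    """Follow openssl_conf -> providers -> each provider's section for 'activate'."""
    s = _parse(cfg)
    init = s.get(s[""].get("openssl_conf", ""), {})
    prov = s.get(init.get("providers", ""), {})
    active = {name for name, sect in prov.items()
              if s.get(sect, {}).get("activate", "").lower() in ("1", "yes", "on", "true")}
    return active or {"default"}  # nothing explicit: OpenSSL loads "default" itself

def fips_only(cfg):
    """True only when 'fips' is active and nothing outside {'fips', 'base'} is."""
    active = active_providers(cfg)
    return "fips" in active and active <= {"fips", "base"}

# Constructed samples: distro default; the workaround; listed but never activated.
DISTRO_DEFAULT = """openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1"""
FIPS_BASE_ONLY = """openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[fips_sect]
activate = 1
[base_sect]
activate = 1"""
LISTED_NOT_ACTIVATED = FIPS_BASE_ONLY.replace("activate = 1", "")
```

The third sample is the trap the advisory warns about: naming "fips" and "base" in the provider section without an `activate` line leaves nothing explicitly activated, so "default" still loads.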
Please reach out to MongoDB Support if you have any questions or issues with performing the steps above.
------------------------------------------------------
Original description
While examining the list of TLS cipher suites supported in FIPS mode, it appears that starting MongoDB Server with tlsFIPSMode on Amazon Linux 2023 did not disable any TLS algorithms.
NMAPDIR=. ./nmap --script ssl-enum-ciphers -p 27017 localhost
Starting Nmap 7.97SVN ( https://nmap.org )
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Other addresses for localhost (not scanned): ::1

PORT      STATE SERVICE
27017/tcp open  mongod
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_CCM (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_CCM (dh 3072) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 3072) - A
|       TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 3072) - A
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 (dh 3072) - A
|       TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (dh 3072) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CCM (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_ARIA_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_CCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
|     cipher preference: client
|_  least strength: A

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
The tool returned the same set of suites whether or not MongoDB was set to use FIPSMode.
To confirm this observation, openssl s_client was used to negotiate a non-FIPS-compliant algorithm with a FIPS-enabled MongoDB Server:
ubuntu@ip-10-122-9-165:~/nmap$ openssl s_client -tls1_2 -cipher ECDHE-RSA-CHACHA20-POLY1305 localhost:27017
CONNECTED(00000003)
...
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2825 bytes and written 233 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
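An added check, not part of the report above, that turns the reporter's observation into a repeatable test over nmap ssl-enum-ciphers output: it flags any offered suite whose bulk cipher (ChaCha20-Poly1305, ARIA, Camellia) the OpenSSL 3 FIPS provider does not implement, since a server actually restricted to the FIPS provider cannot offer them. The output sample is constructed from the format shown above, and the token list is an assumption about the FIPS provider's algorithm set.

```python
# Added example, not part of the reporter's post: flag suites in nmap
# ssl-enum-ciphers output that the OpenSSL 3 FIPS provider does not implement.
# Any hit on a server started with tlsFIPSMode means a non-FIPS provider
# (in practice "default") is still serving TLS. Sample output is constructed.
import re

# Assumption: bulk ciphers absent from the OpenSSL 3 FIPS provider.
NON_FIPS_TOKENS = ("CHACHA20", "ARIA", "CAMELLIA")
# nmap prints IANA names for TLS 1.2 and TLS_AKE_* pseudo-names for TLS 1.3.
SUITE_RE = re.compile(r"\b(TLS_[A-Z0-9_]+)\b")

def suites_from_nmap(text):
    """Pull every cipher-suite name out of ssl-enum-ciphers output."""
    return [m.group(1) for m in SUITE_RE.finditer(text)]

def non_fips_suites(text):
    """Offered suites whose bulk cipher cannot come from the FIPS provider."""
    return sorted({s for s in suites_from_nmap(text)
                   if any(tok in s for tok in NON_FIPS_TOKENS)})

def fips_restricted(text):
    """True when the server offers only suites the FIPS provider could serve."""
    return not non_fips_suites(text)

SAMPLE = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 (dh 3072) - A
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
|       TLS_AKE_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
"""

if __name__ == "__main__":
    for suite in non_fips_suites(SAMPLE):
        print("non-FIPS suite offered:", suite)
```

Run against a live scan by piping the nmap output into `fips_restricted`; an empty result after applying the fips/base-only OpenSSL configuration and restarting mongod confirms the workaround took effect.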