Details
- Question
- Resolution: Done
- Major - P3
- None
- 2.7.8
- None
Description
Because of the latest SSL protocol vulnerabilities, its usage should be minimized in corporate networks.
Even if MongoDB clients (e.g. command line, C++ and Java drivers) have the latest TLS versions specified and used particularly, in some conditions secured connections could be downgraded from TLS to SSL, which is not acceptable.
To deal with such cases (and with protocol downgrade attacks as a result), the MongoDB server should have the ability to turn on/off usage of TLS protocols only, without any usage of SSL protocols.
As I found, there is no such option now. Are there any plans to introduce it? Please also advise: are there any guidelines and documents to support the latest security practices by MongoDB?