Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-17967

MongoDB should explicitly disable RC4 for TLS

    XMLWordPrintableJSON

Details

    • Icon: Improvement Improvement
    • Resolution: Done
    • Icon: Major - P3 Major - P3
    • None
    • None
    • Security
    • None
    • Fully Compatible
    • Security 2 04/24/15

    Description

      RC4 is considered weak for TLS. We should explicitly disable it through SSL_CTX_set_cipher_list. I think adding ":!RC4" to the existing string is all that's needed.

      https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

      Attachments

        Activity

          People

            spencer.jackson@mongodb.com Spencer Jackson
            bernie@mongodb.com Bernie Hackett
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: