Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-17967

MongoDB should explicitly disable RC4 for TLS

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • None
    • Affects Version/s: None
    • Component/s: Security
    • Labels:
      None
    • Fully Compatible
    • Security 2 04/24/15

      RC4 is considered weak for TLS. We should explicitly disable it through SSL_CTX_set_cipher_list. I think adding ":!RC4" to the existing string is all that's needed.

      https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            bernie@mongodb.com Bernie Hackett
            Votes:
            0 Vote for this issue
            Watchers:
            8 Start watching this issue

              Created:
              Updated:
              Resolved: