Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-20401

Publicly expose net.ssl.disabledProtocols

    • Type: Icon: Improvement Improvement
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.6.12, 3.0.7, 3.1.9
    • Affects Version/s: None
    • Component/s: Networking
    • None
    • Fully Compatible
    • Security 9 (09/18/15)

      This ticket changes server behaviour by exposing a new configuration parameter which prevents a MongoDB server running with SSL from accepting incoming connections using a particular protocol. For example, this might be useful when running the server in an environment where security policy forbids use of older versions of TLS.

      On the command line, it can be set with "--sslDisabledProtocols", and in a configuration file it may be set with "net.ssl.disabledProtocols". Either form accepts a string containing a comma separated list of protocols to disable. The recognized protocols are currently "TLS1_0", "TLS1_1", and "TLS1_2". An unrecognised protocol will prevent the server from starting. Be aware that cluster members must speak at least one protocol in common.

      Example 1: Disable TLS1_0 from the command line

      ./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0
      

      Example 2: Disable TLS1_0 and TLS1_1 from the command line

      ./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0,TLS1_1
      

      Example 3: Disable TLS1_0 and TLS1_1 using a YAML configuration file

      Start mongod using a configuration file which looks as follows:

      net:
          ssl:
              mode: "requireSSL"
              PEMKeyFile: "jstests/libs/server.pem"
              CAFile: "jstests/libs/ca.pem"
              disabledProtocols: "TLS1_0,TLS1_1"
      

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            spencer.jackson@mongodb.com Spencer Jackson
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: