Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-20401

Publicly expose net.ssl.disabledProtocols

    XMLWordPrintable

Details

    • Improvement
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 2.6.12, 3.0.7, 3.1.9
    • Networking
    • None
    • Fully Compatible
    • Security 9 (09/18/15)

    Description

      This ticket changes server behaviour by exposing a new configuration parameter which prevents a MongoDB server running with SSL from accepting incoming connections using a particular protocol. For example, this might be useful when running the server in an environment where security policy forbids use of older versions of TLS.

      On the command line, it can be set with "--sslDisabledProtocols", and in a configuration file it may be set with "net.ssl.disabledProtocols". Either form accepts a string containing a comma separated list of protocols to disable. The recognized protocols are currently "TLS1_0", "TLS1_1", and "TLS1_2". An unrecognised protocol will prevent the server from starting. Be aware that cluster members must speak at least one protocol in common.

      Example 1: Disable TLS1_0 from the command line

      ./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0
      

      Example 2: Disable TLS1_0 and TLS1_1 from the command line

      ./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0,TLS1_1
      

      Example 3: Disable TLS1_0 and TLS1_1 using a YAML configuration file

      Start mongod using a configuration file which looks as follows:

      net:
          ssl:
              mode: "requireSSL"
              PEMKeyFile: "jstests/libs/server.pem"
              CAFile: "jstests/libs/ca.pem"
              disabledProtocols: "TLS1_0,TLS1_1"
      

      Attachments

        Issue Links

          Activity

            People

              spencer.jackson@mongodb.com Spencer Jackson
              spencer.jackson@mongodb.com Spencer Jackson
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: