
Publicly expose net.ssl.disabledProtocols

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.12, 3.0.7, 3.1.9
    • Component/s: Networking
    • Labels: None
    • Backwards Compatibility: Fully Compatible
    • Backport Completed:
    • Sprint: Security 9 (09/18/15)

      Description

      This ticket changes server behaviour by exposing a new configuration parameter that prevents a MongoDB server running with SSL from accepting incoming connections that use a particular protocol version. For example, this might be useful when running the server in an environment where security policy forbids use of older versions of TLS.

      On the command line the option is "--sslDisabledProtocols"; in a configuration file it is "net.ssl.disabledProtocols". Either form accepts a string containing a comma-separated list of protocols to disable. The recognized protocols are currently "TLS1_0", "TLS1_1", and "TLS1_2". An unrecognised protocol will prevent the server from starting. Be aware that cluster members must still speak at least one protocol in common.

      Example 1: Disable TLS1_0 from the command line

      ./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0

      Example 2: Disable TLS1_0 and TLS1_1 from the command line

      ./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0,TLS1_1

      Example 3: Disable TLS1_0 and TLS1_1 using a YAML configuration file

      Start mongod using a configuration file which looks as follows:

      net:
          ssl:
              mode: "requireSSL"
              PEMKeyFile: "jstests/libs/server.pem"
              CAFile: "jstests/libs/ca.pem"
              disabledProtocols: "TLS1_0,TLS1_1"
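As an added illustration (not MongoDB's own option parser), the following Python script models the semantics described in this ticket: it splits a disabledProtocols value, rejects names outside the recognized set as mongod would refuse to start, and checks that the settings of several cluster members leave at least one protocol in common. The disabled_from_yaml helper, its minimal line scan, and the sample config are assumptions made for the demo.

```python
import re

# Protocol names the ticket says mongod recognises in this option.
RECOGNIZED = ("TLS1_0", "TLS1_1", "TLS1_2")

def parse_disabled_protocols(value):
    """Split the comma-separated option value into a set of names.
    An empty string disables nothing. Any token not in RECOGNIZED raises
    ValueError, mirroring mongod refusing to start on an unrecognised name."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]  # stripping is an assumption
    unknown = [t for t in tokens if t not in RECOGNIZED]
    if unknown:
        raise ValueError("unrecognized protocol(s): %s" % ", ".join(unknown))
    return set(tokens)

def is_valid(value):
    """True if the option value would be accepted under the rule above."""
    try:
        parse_disabled_protocols(value)
    except ValueError:
        return False
    return True

def enabled_protocols(value):
    """Protocols a member configured with `value` will still accept."""
    return set(RECOGNIZED) - parse_disabled_protocols(value)

def common_protocols(member_values):
    """Protocols every cluster member still speaks. An empty set means the
    members have no protocol in common (the caveat in the ticket)."""
    common = set(RECOGNIZED)
    for value in member_values:
        common &= enabled_protocols(value)
    return common

def disabled_from_yaml(text):
    """Pull the disabledProtocols value out of a mongod YAML config.
    Assumption: a minimal line scan with no PyYAML dependency; the value may
    be quoted or bare."""
    match = re.search(r'^\s*disabledProtocols:\s*"?([^"\n]*)"?\s*$', text, re.M)
    return match.group(1).strip() if match else ""

# Constructed sample config, mirroring Example 3 in the ticket.
SAMPLE_CONFIG = """net:
    ssl:
        mode: "requireSSL"
        disabledProtocols: "TLS1_0,TLS1_1"
"""
```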
