Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-37714

Check for and set SSL_OP_NO_RENEGOTIATION

    XMLWordPrintable

Details

    • Question
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 4.3.1
    • Networking, Security
    • Fully Compatible
    • Security 2019-06-17

    Description

      TLS renegotiation is complicated, has been removed from TLS 1.3, and is not supported on the OS X and Windows native cryptography implementations. For consistency going forward, we should disable it on OpenSSL, if we are able to.

      Some versions of OpenSSL define SSL_OP_NO_RENEGOTIATION, which disabled renegotiation on TLS 1.2 and before. If this macro is defined, we should apply it to our SSL_CTX objects with SSL_CTX_set_options.

      Attachments

        Issue Links

          Activity

            People

              roxane.fruytier@mongodb.com Roxane Fruytier (Inactive)
              spencer.jackson@mongodb.com Spencer Jackson
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: