  1. Core Server
  2. SERVER-37714

Check for and set SSL_OP_NO_RENEGOTIATION

Details

    • Question
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 4.3.1
    • Networking, Security
    • Fully Compatible
    • Security 2019-06-17

    Description

      TLS renegotiation is complicated, has been removed from TLS 1.3, and is not supported on the OS X and Windows native cryptography implementations. For consistency going forward, we should disable it on OpenSSL, if we are able to.

      Some versions of OpenSSL define SSL_OP_NO_RENEGOTIATION, which disables renegotiation on TLS 1.2 and before. If this macro is defined, we should apply it to our SSL_CTX objects with SSL_CTX_set_options.
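
An added example (not part of the original ticket and not MongoDB's code) of the check-and-set pattern described above, using Python's `ssl` binding to OpenSSL instead of the C API: looking up `ssl.OP_NO_RENEGOTIATION` stands in for testing whether the macro is defined, and `SSLContext.options` for `SSL_CTX_set_options`. The function names are hypothetical.

```python
import ssl


def disable_renegotiation(ctx: ssl.SSLContext) -> bool:
    """Set OP_NO_RENEGOTIATION on ctx if the linked OpenSSL exposes it.

    Returns True when the option is now set, False when this build does
    not define it (the equivalent of the C macro being undefined).
    """
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is None:
        return False
    ctx.options |= flag
    # Read the options back instead of assuming the write took effect.
    return bool(ctx.options & flag)


def renegotiation_possible(ctx: ssl.SSLContext) -> bool:
    """Audit helper: can connections created from ctx still renegotiate?"""
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if flag is not None and ctx.options & flag:
        return False
    # TLS 1.3 removed renegotiation, so a context that only allows
    # TLS 1.3 is safe even without the option.
    return ctx.minimum_version != ssl.TLSVersion.TLSv1_3


if __name__ == "__main__":
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("option applied:", disable_renegotiation(server_ctx))
    print("renegotiation still possible:", renegotiation_possible(server_ctx))
```

A `False` return from `disable_renegotiation` means the build cannot turn renegotiation off with this option, so a deployment check should surface that case instead of ignoring it.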

            People

              roxane.fruytier@mongodb.com Roxane Fruytier (Inactive)
              spencer.jackson@mongodb.com Spencer Jackson