Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 5.0.3, 4.4.9, 5.1.0-rc0
Affects Version/s: 4.4.6
Component/s: None
Labels:
- neweng

Backwards Compatibility:
Minor Change
Operating System:
ALL
Backport Requested:

v5.0, v4.4
Sprint:
Security 2021-07-12, Security 2021-07-26, Security 2021-08-09
Case:
Linked BF Score:
66
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

The SSL_OP_NO_RENEGOTIATION was first added in the OpenSSL 1.1.1 release.

https://github.com/openssl/openssl/commit/db0f35dda18

It was backported to OpenSSL 1.1.0 and was shipped in 1.1.0h

https://github.com/openssl/openssl/commit/6e127fdd1c7851eec4199cdec4ee0f8b748e7603

Ubuntu 18.04 comes with 1.1.0g (the version prior to SSL_OP_NO_RENEGOTIATION being added). As a result, MongoDB makes builds on Ubuntu 18.04 but uses compile-time detection to determine if SSL_OP_NO_RENEGOTIATION exists. Since it does not exist at compile time, MongoDB does not know about the flag and so we never try to disable it at runtime.

MongoDB should instead on 1.1.0 OpenSSL platforms (Ubuntu 18.04, SLES 15, Debian 9) define SSL_OP_NO_RENEGOTIATION instead and perform a runtime check to see if it should be set based on the OpenSSL version.

Assignee:: Sara Golemon (Inactive)
Reporter:: Mark Benvenuto
Participants:: Githook User, Hong Qing Zhou, Mark Benvenuto, Sara Golemon, Xian Wei Zhang
Votes:: 2 Vote for this issue
Watchers:: 8 Start watching this issue

Created:: Jun 11 2021 01:49:18 AM UTC
Updated:: Oct 29 2023 09:52:19 PM UTC
Resolved:: Aug 03 2021 03:13:27 AM UTC

Details

Description

Attachments

Activity

People

Dates