  1. Core Server
  2. SERVER-57630

Enable SSL_OP_NO_RENEGOTIATION on Ubuntu 18.04 when running against OpenSSL 1.1.1

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major - P3
    • Resolution: Unresolved
    • Affects Version/s: 4.4.6
    • Fix Version/s: 5.1 Required
    • Component/s: None
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      ALL
    • Backport Requested:
      v5.0, v4.4
    • Sprint:
      Security 2021-07-12, Security 2021-07-26, Security 2021-08-09
    • Linked BF Score:
      66

      Description

      The SSL_OP_NO_RENEGOTIATION option was first added in the OpenSSL 1.1.1 release.

      https://github.com/openssl/openssl/commit/db0f35dda18

      It was backported to OpenSSL 1.1.0 and was shipped in 1.1.0h.

      https://github.com/openssl/openssl/commit/6e127fdd1c7851eec4199cdec4ee0f8b748e7603

      Ubuntu 18.04 comes with 1.1.0g (the version prior to SSL_OP_NO_RENEGOTIATION being added). As a result, MongoDB makes builds on Ubuntu 18.04 but uses compile-time detection to determine if SSL_OP_NO_RENEGOTIATION exists. Since it does not exist at compile time, MongoDB does not know about the flag and so we never try to disable it at runtime.

      On OpenSSL 1.1.0 platforms (Ubuntu 18.04, SLES 15, Debian 9), MongoDB should instead define SSL_OP_NO_RENEGOTIATION and perform a runtime check to see if it should be set based on the OpenSSL version.
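
A sketch of the proposed approach, added here as an illustration and not MongoDB's own code: the option is defined when the build host's headers lack it, and it is applied only if the OpenSSL library loaded at runtime is 1.1.0h or newer. The helper names `renegotiation_option_for` and `legacy_version_string` are hypothetical, and the version numbers in `main` are constructed samples.

```c
#include <stdio.h>

/* Value the OpenSSL 1.1.0h and 1.1.1 headers assign to this option.
 * Defined here only when the build host's headers (e.g. 1.1.0g) lack it. */
#ifndef SSL_OP_NO_RENEGOTIATION
#define SSL_OP_NO_RENEGOTIATION 0x40000000U
#endif

/* 1.1.0h in the pre-3.0 OPENSSL_VERSION_NUMBER encoding 0xMNNFFPPS:
 * major 1, minor 01, fix 00, patch 08 ('h'), status f (release). */
#define OPENSSL_1_1_0H 0x1010008fUL

/* Hypothetical helper: option bits to request for a given runtime version.
 * Returns 0 on libraries older than 1.1.0h, which do not know the option. */
unsigned long renegotiation_option_for(unsigned long runtime_version) {
    return runtime_version >= OPENSSL_1_1_0H ? SSL_OP_NO_RENEGOTIATION : 0UL;
}

/* Hypothetical helper: decode a pre-3.0 version number for log output. */
const char *legacy_version_string(unsigned long v, char *buf, size_t len) {
    unsigned patch = (unsigned)((v >> 4) & 0xff);
    char letter[2] = { patch ? (char)('a' + patch - 1) : '\0', '\0' };
    snprintf(buf, len, "%lu.%lu.%lu%s",
             (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff, letter);
    return buf;
}

int main(void) {
    /* Constructed samples: 1.1.0g (Ubuntu 18.04 at release), 1.1.0h, 1.1.1. */
    unsigned long samples[] = { 0x1010007fUL, 0x1010008fUL, 0x1010100fUL };
    char buf[32];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        /* With the library linked, the equivalent call would be:
         *   SSL_CTX_set_options(ctx,
         *       renegotiation_option_for(OpenSSL_version_num()));      */
        printf("OpenSSL %-7s -> options |= 0x%08lx\n",
               legacy_version_string(samples[i], buf, sizeof buf),
               renegotiation_option_for(samples[i]));
    }
    return 0;
}
```

The block is kept free of OpenSSL headers so it compiles anywhere; the comment in `main` shows where the real `OpenSSL_version_num()` and `SSL_CTX_set_options()` calls would go.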

            People

            Assignee:
            sara.golemon Sara Golemon
            Reporter:
            mark.benvenuto Mark Benvenuto