[DOCS-11541] Docs for SERVER-32981: Disable TLS 1.0 by default Created: 04/Apr/18  Updated: 29/Oct/23  Resolved: 11/Jun/18

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 3.7.4

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Kay Kim (Inactive)
Resolution: Fixed Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-32981 Disable TLS 1.0 by default Closed
Related
is related to DOCS-11559 Docs for SERVER-34237: Expose means f... Closed
Participants:
Days since reply: 5 years, 35 weeks, 2 days ago
Epic Link: DOCS: 4.0 Server

 Description   

Documentation Request Summary:

This change disabled the use of TLS 1.0 in most circumstances*. Clients attempting to connect to such server instances via SSL may fail due to this change as they do not support TLS 1.1 or later**.

In such (rare) cases, administrators should configure "net.ssl.disabledProtocols = none" in their config YAML file, or specify '--sslDisabledProtocols none' via the command line to re-enable TLS 1.0 support.

  • When mongod/mongos are built with older versions of OpenSSL, TLS 1.0 support will NOT be disabled by default since these versions of OpenSSL do not support TLS 1.1 or later. Additionally, we do not auto-disable TLS 1.0 on OSX regardless of the OpenSSL version used (or even if using Native TLS), since other tooling on the system is likely built against an old version of OpenSSL and would not support TLS 1.0.
    • "Older" versions of OpenSSL are defined as OpenSSL 1.0.0k or earlier.

Scope of changes:

  • Add section to 4.0 release notes/4.0-compatibility
  • source/includes/options-mongod.yaml
  • source/reference/program/mongod.txt
  • source/reference/program/mongos.txt
  • tutorial/configure-ssl
  • tutorial/upgrade-cluster-to-ssl
  • /tutorial/configure-fips.txt
  • source/core/security-transport-encryption.txt
  • x509 tutorials
    • source/administration/security-checklist.txt
    • source/core/security-encryption.txt
    • source/core/security-internal-authentication.txt
    • source/core/security-x.509.txt
    • source/tutorial/configure-x509-client-authentication.txt
    • source/tutorial/configure-x509-member-authentication.txt
    • source/tutorial/upgrade-keyfile-to-x509.txt

Impact to other docs outside of this product:

per meeting, tickets filed separate per product

MVP:

Resources:

Engineering Ticket Description:

TLS 1.0 will be disabled by default on all platforms where MongoDB is linked against OpenSSL 1.0.1 or later.

A new boolean startup server parameter will be added “enableInsecureTLS1_0” to enable TLS 1.0. It is an error to set this parameter if net.ssl.disabledProtocols contains "noTLS1_0".
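
Added example (not part of the ticket or of MongoDB's code): a small audit helper that reports whether a mongod/mongos deployment has re-enabled TLS 1.0 through the net.ssl.disabledProtocols setting or the --sslDisabledProtocols option described above. The function names, the finding labels and the sample config are constructed for illustration; the TLS1_0 token comes from MongoDB's option reference rather than this page, and the command line is assumed to take precedence over the config file.

```python
import re

# Constructed sample config: the nested YAML form of net.ssl.disabledProtocols.
SAMPLE_CONFIG = """\
net:
  port: 27017
  ssl:
    mode: requireSSL
    disabledProtocols: none   # re-enables TLS 1.0
"""

def disabled_protocols(config_text="", argv=()):
    """Return the configured disabledProtocols string, or None if unset.
    Assumption: a command-line value overrides the config file."""
    argv = list(argv)
    for i, arg in enumerate(argv):
        if arg == "--sslDisabledProtocols" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--sslDisabledProtocols="):
            return arg.split("=", 1)[1]
    path = []  # stack of (indent, key) for the nested YAML mappings seen so far
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        m = re.match(r"^(\s*)([\w.]+)\s*:\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while path and path[-1][0] >= indent:         # leave deeper/sibling keys
            path.pop()
        path.append((indent, key))
        dotted = ".".join(k for _, k in path)
        if dotted == "net.ssl.disabledProtocols" and value:
            return value.strip("\"' ")
    return None

def tls10_finding(config_text="", argv=()):
    """Classify one instance's TLS 1.0 posture from its config and argv."""
    value = disabled_protocols(config_text, argv)
    if value is None:
        return "default"            # server default applies, as the ticket describes
    protos = {p.strip() for p in value.split(",")}
    if protos == {"none"}:
        return "tls1.0-reenabled"   # the explicit opt-in the ticket documents
    if "TLS1_0" in protos:
        return "tls1.0-disabled"
    return "review"                 # explicit list that does not name TLS1_0

if __name__ == "__main__":
    print(tls10_finding(SAMPLE_CONFIG))
```

A "default" result still depends on the build: per the ticket, instances built against OpenSSL 1.0.0k or earlier, or running on OSX, do not auto-disable TLS 1.0.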



 Comments   
Comment by Kay Kim (Inactive) [ 11/Jun/18 ]

republishing now with fix

Comment by Githook User [ 11/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11541: remove except on macOS for mongo shell option
Branch: master
https://github.com/mongodb/docs/commit/bc5e9e16fe45b1183b0c6f1583016855fc1d8ea5

Comment by Githook User [ 10/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11541,DOCS-11559: disable TLS 1.0
Branch: master
https://github.com/mongodb/docs/commit/0a979235dd997069d0cd66369a6094bd78d276c0

Comment by Kay Kim (Inactive) [ 07/Jun/18 ]

matt.lord – so is it only the shell changes that have been backported to 3.4.15 and 3.6.5?

Comment by Kay Kim (Inactive) [ 25/May/18 ]

shannon.bradshaw – So, I'll run the script to update the fixVersion for DOCS-11559 – as the fixVersion has been updated on SERVER-34237

Comment by Shannon Bradshaw (Inactive) [ 25/May/18 ]

kay.kim, I don't see a ticket to explicitly capture support for safe TLS on 3.6 as well. We are backporting support to 3.6. Do you want to capture that work here or in a separate ticket?

https://jira.mongodb.org/browse/PRODUCT-774
