[DOCS-11559] Docs for SERVER-34237: Expose means for shell to disable TLS 1.0 Created: 09/Apr/18  Updated: 29/Oct/23  Resolved: 10/Jun/18

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 3.7.4, 3.4.15, 4.0.0-rc0, 3.6.5

Type: Task Priority: Major - P3
Reporter: Kay Kim (Inactive) Assignee: Kay Kim (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-34237 Expose means for shell to disable TLS... Closed
Related
related to DOCS-11541 Docs for SERVER-32981: Disable TLS 1.... Closed
Participants:
Days since reply: 5 years, 35 weeks, 4 days ago
Epic Link: DOCS: 4.0 Server
Story Points: 1.5

 Description   

Description

This change disables TLS 1.0 encryption when using the shell client if TLS 1.1 or greater is available on the system. This change also adds support for the --sslDisabledProtocols option to the shell client. To make connections using TLS 1.0 from the shell, specify --sslDisabledProtocols 'none'.

Scope of changes (files that need work and how much)

  • Add section to mongo reference page stating that 4.0 shell disables TLS 1.0 encryption if the host system supports TLS 1.1 or greater.
  • Add new parameter to mongo reference page --sslDisabledProtocols
    • specify none for enabling TLS 1.0
    • specify comma-delimited list of protocols to disable.
  • Add section to 4.0 release notes/4.0-compatibility stating that TLS 1.0 is disabled in 4.0+ shell if the host system supports TLS 1.1+. Point to --sslDisabledProtocols "none" for re-enabling TLS 1.0.
  • Add note to the Encryption pages with TLS references that TLS 1.0 is disabled in 4.0+ shell if the host system supports TLS 1.1+, and point to release notes
  • tutorial/configure-ssl-clients
  • backport to 3.6.5
    • just the mongo option and mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)
  • backport to 3.4.15
    • just the mongo option and the mongo page changes (remove 4.0 blurb about default TLS 1.0 disabled)

Optional: Potentially point to the PCI SSC announcement in the release notes for why MongoDB is removing support for TLS 1.0.

Impact to other docs outside of this product

  • Add a note to the Atlas page for connecting via Shell that the 4.0 shell disables TLS 1.0 if TLS 1.1+ is available on the system. Need to confirm with engineering whether this is something that might cause issues, or is just a 'good to know'. – Will be done per usual via docs needed flag.
  • Other products – also done per usual with docs needed flag.

MVP (work and date?)

Resources (e.g. Scope Docs, Invision)

PCI SSC announcement
PCI DSS 3.1+ FAQ on early SSL/TLS removal

Engineering Ticket Description:

Compliance requirements, such as PCI DSS v3.1, have mandated removal of TLS 1.0 by June 30th 2018. Customers need a way not only to enable newer safe protocols but also to provably disable TLS 1.0. The shell does not currently expose a means of disabling TLS protocols.
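
An added example, not part of the ticket or of MongoDB's code: a small audit that reads mongo shell command lines (from scripts, cron entries or process listings) and flags the ones that can still negotiate TLS 1.0 under the behaviour described above. The tokens `TLS1_0`, `TLS1_1` and `TLS1_2` are the values MongoDB documents for this option; the helper names, the sample command lines and the rule that an explicit list replaces the default are assumptions.

```python
import shlex

# Protocol tokens accepted by MongoDB's --sslDisabledProtocols; the ticket
# itself spells out only 'none'.
KNOWN = {"TLS1_0", "TLS1_1", "TLS1_2"}
OPT = "--sslDisabledProtocols"

def disabled_protocols(cmdline):
    """Set of protocols a command line disables, or None if the option is absent."""
    argv = shlex.split(cmdline)
    value = None
    for i, arg in enumerate(argv):
        if arg == OPT and i + 1 < len(argv):
            value = argv[i + 1]
        elif arg.startswith(OPT + "="):
            value = arg.split("=", 1)[1]
    if value is None:
        return None
    if value == "none":            # explicit "disable nothing": TLS 1.0 stays on
        return set()
    tokens = {t.strip() for t in value.split(",") if t.strip()}
    unknown = tokens - KNOWN
    if unknown:
        raise ValueError("unrecognised protocol(s): " + ", ".join(sorted(unknown)))
    return tokens

def tls10_allowed(cmdline, default_disables_tls10=True):
    """True if this invocation can still negotiate TLS 1.0.

    Assumption: an explicit list replaces the built-in default.
    default_disables_tls10 models the 4.0 shell on a host with TLS 1.1+;
    pass False for the 3.4.15 / 3.6.5 backports, which add only the option.
    """
    disabled = disabled_protocols(cmdline)
    if disabled is None:
        return not default_disables_tls10
    return "TLS1_0" not in disabled

def audit(cmdlines, default_disables_tls10=True):
    """Return the command lines that leave TLS 1.0 available."""
    return [c for c in cmdlines if tls10_allowed(c, default_disables_tls10)]

# Constructed sample invocations (hostnames are placeholders).
SAMPLES = [
    "mongo --ssl --host db.example.net",
    "mongo --ssl --host db.example.net --sslDisabledProtocols 'none'",
    "mongo --ssl --host db.example.net --sslDisabledProtocols TLS1_0,TLS1_1",
    "mongo --ssl --host db.example.net --sslDisabledProtocols=TLS1_1",
]
```

Calling `audit(SAMPLES)` returns the second and fourth invocations: the fourth disables TLS 1.1 but, by omitting `TLS1_0`, leaves TLS 1.0 negotiable.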



 Comments   
Comment by Githook User [ 10/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11559: mongo shell --sslDisabledProtocols
Branch: v3.4
https://github.com/mongodb/docs/commit/e03f3a92300d8cc8630ece05bd2bf1a6f6b680f8

Comment by Githook User [ 10/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11559: mongo shell --sslDisabledProtocols
Branch: v3.6
https://github.com/mongodb/docs/commit/fd197cf67deea083837de11aede960e32777c2bd

Comment by Githook User [ 10/Jun/18 ]

Author:

{'username': 'kay-kim', 'name': 'kay', 'email': 'kay.kim@10gen.com'}

Message: DOCS-11541,DOCS-11559: disable TLS 1.0
Branch: master
https://github.com/mongodb/docs/commit/0a979235dd997069d0cd66369a6094bd78d276c0

Generated at Thu Feb 08 08:03:06 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.