[DOCS-13767] [Server] Setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled) (SERVER-48774) Created: 14/Jul/20 Updated: 13/Nov/23 Due: 05/Mar/21 Resolved: 11/Mar/21
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual, Server |
| Affects Version/s: | None |
| Fix Version/s: | 4.7.0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Backlog - Core Eng Program Management Team | Assignee: | Andrew Feierabend (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Participants: | |
| Epic Link: | DOCSP-9747 |
| Story Points: | 2 |
| Description |
Downstream Change Summary

OpenSSL requires a separate function to set the cipher suites that are exclusive to TLS v1.3 and later; see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

We added a separate setParameter, opensslCipherSuiteConfig, which accepts these cipher suites as a colon-separated list. The format of the list and the available cipher suites are described in the OpenSSL documentation linked above. The string given to this parameter is passed directly to OpenSSL, so it must conform exactly to OpenSSL's format.

Description of Linked Ticket

In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only configures ciphers for TLSv1.2 and below. If the user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0, which causes the error: "Can not set supported cipher suites: ". The corresponding API for TLSv1.3 is SSL_CTX_set_ciphersuites(). Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
| Scope of changes | |
| Impact to Other Docs | |
| MVP (Work and Date) | |
| Resources (Scope or Design Docs, Invision, etc.) | |
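The split between the two OpenSSL calls described above, as an added example that is not MongoDB's code and not part of the ticket. It assumes that CPython's ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list() (so it reproduces the "no cipher can be selected" failure the linked ticket reports for TLS 1.3 names), that CPython has no binding for SSL_CTX_set_ciphersuites() (so the opensslCipherSuiteConfig value is checked in pure Python against the five RFC 8446 suite names OpenSSL 1.1.1 and 3.x accept), and that the pre-existing parameter for the TLS 1.2-and-below list is named opensslCipherConfig, which this page does not state. The helper names and the sample cipher strings are constructed for the example.

```python
"""Added example: the two OpenSSL cipher APIs behind opensslCipherSuiteConfig.

Assumptions (not taken from the ticket):
 - ssl.SSLContext.set_ciphers() wraps SSL_CTX_set_cipher_list(), so it shows
   the exact failure the linked ticket describes for TLS 1.3 suite names.
 - CPython exposes no binding for SSL_CTX_set_ciphersuites(), so the value
   destined for opensslCipherSuiteConfig is validated in pure Python instead.
 - The pre-existing TLS 1.2 list parameter is called opensslCipherConfig
   (assumed; this page does not name it).
"""
import ssl

# RFC 8446 ciphersuite names that OpenSSL 1.1.1 and 3.x accept in
# SSL_CTX_set_ciphersuites(). Any other token makes OpenSSL reject the list.
TLS13_SUITES = frozenset({
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})


def parse_ciphersuite_config(value):
    """Check a candidate opensslCipherSuiteConfig value before handing it to mongod.

    mongod passes the string to OpenSSL unmodified, so it must already be a
    colon-separated list of TLS 1.3 suite names: no spaces, no aliases such as
    HIGH, and no '!'/'+'/'-' operators (those belong to the
    SSL_CTX_set_cipher_list() syntax, which this API does not use).
    Returns the suites in preference order, or raises ValueError.
    """
    if not value:
        raise ValueError("opensslCipherSuiteConfig must not be empty")
    names = value.split(":")
    unknown = [n for n in names if n not in TLS13_SUITES]
    if unknown:
        raise ValueError("not TLS 1.3 ciphersuites: %r" % unknown)
    if len(set(names)) != len(names):
        raise ValueError("duplicate ciphersuite in list")
    return names


def probe_cipher_list(cipher_string):
    """Run a string through SSL_CTX_set_cipher_list() via ssl.set_ciphers().

    Returns None when OpenSSL accepted the string, or the error text when the
    call returned 0. TLS 1.3 suite names are not matched by the cipher-list
    parser (it only knows TLS 1.2-and-below ciphers and aliases), so a list
    made of them alone yields "No cipher can be selected", which is the
    condition behind the server's "Can not set supported cipher suites" error.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return str(exc)
    return None


def split_cipher_config(combined):
    """Split one mixed colon-separated list into the two parameters.

    Returns (opensslCipherSuiteConfig, opensslCipherConfig): the TLS 1.3 suites
    for SSL_CTX_set_ciphersuites(), and everything else, untouched, for
    SSL_CTX_set_cipher_list(). Order within each bucket is preserved because
    both OpenSSL APIs treat it as preference order.
    """
    tls13, legacy = [], []
    for name in combined.split(":"):
        (tls13 if name in TLS13_SUITES else legacy).append(name)
    return ":".join(tls13), ":".join(legacy)


if __name__ == "__main__":
    # Constructed inputs, not taken from any real deployment.
    print(parse_ciphersuite_config("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"))
    print(probe_cipher_list("TLS_AES_256_GCM_SHA384"))        # wrong API for a TLS 1.3 name
    print(probe_cipher_list("ECDHE-RSA-AES256-GCM-SHA384"))   # accepted by the TLS 1.2 API
    print(split_cipher_config("TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384"))
```

probe_cipher_list() is the reproduction of the ticket: the same string that opensslCipherSuiteConfig accepts is exactly the one SSL_CTX_set_cipher_list() rejects, so a deployment that disables TLS 1.0 to 1.2 and lists only TLS 1.3 suites must put them in the new parameter rather than the old one.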
| Comments |
| Comment by Githook User [ 11/Mar/21 ] |
Author: Andrew Feierabend (andf-mongodb, andrew.feierabend@mongodb.com)
Message: