[DOCS-13767] [Server] Setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled) (SERVER-48774)
Created: 14/Jul/20  Updated: 13/Nov/23  Due: 05/Mar/21  Resolved: 11/Mar/21

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.7.0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task
Priority: Major - P3
Reporter: Backlog - Core Eng Program Management Team
Assignee: Andrew Feierabend (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-48774 setting cipher list does not work for... Closed
Participants:
Days since reply: 2 years, 47 weeks, 6 days ago
Epic Link: DOCSP-9747
Story Points: 2

 Description   

Downstream Change Summary

OpenSSL requires a separate function to set ciphers that are exclusive to TLS v1.3 and beyond; see https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

We added a separate setParameter called opensslCipherSuiteConfig which allows you to set these ciphers with a colon-separated list. The format of this list and available ciphers are described on the OpenSSL documentation linked above. We pass the string provided to the configuration option directly to OpenSSL, so it should conform exactly to their standard.

Description of Linked Ticket

In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only works for TLSv1.2 and below. 

If the user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites: "

The related API for TLSv1.3 is SSL_CTX_set_ciphersuites().

Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html

Scope of changes

Impact to Other Docs

MVP (Work and Date)

Resources (Scope or Design Docs, Invision, etc.)
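
Because the opensslCipherSuiteConfig string is passed to OpenSSL unchanged, a TLS 1.2 style cipher list does not belong in it. The following pre-deployment lint is an added example, not MongoDB's or OpenSSL's code; the helper name lint_ciphersuites, the sample strings, and the use of the five suite names from the OpenSSL 1.1.1 documentation are assumptions.

```python
import re

# Assumption: the five TLS 1.3 suite names listed in the OpenSSL 1.1.1
# SSL_CTX_set_ciphersuites documentation; extend this set for newer builds.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# Operators that belong to the TLS 1.2 cipher-list grammar
# (SSL_CTX_set_cipher_list), not to the TLS 1.3 suite list.
LEGACY_SYNTAX = re.compile(r"^[!+-]|[@+]")


def lint_ciphersuites(value):
    """Lint a colon-separated TLS 1.3 suite string (hypothetical helper).

    Returns (suites, problems): accepted names in preference order, and one
    message per entry that should be fixed before the string reaches OpenSSL.
    """
    suites, problems = [], []
    for pos, name in enumerate(value.split(":"), start=1):
        if not name:
            problems.append(f"entry {pos}: empty")
        elif name != name.strip():
            problems.append(f"entry {pos}: surrounding whitespace in {name!r}")
        elif name in TLS13_SUITES:
            if name in suites:
                problems.append(f"entry {pos}: duplicate {name}")
            else:
                suites.append(name)
        elif LEGACY_SYNTAX.search(name) or not name.startswith("TLS_"):
            problems.append(f"entry {pos}: {name!r} is TLS 1.2 cipher-list syntax")
        else:
            problems.append(f"entry {pos}: unknown TLS 1.3 suite {name!r}")
    return suites, problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the ticket.
    for sample in ("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256",
                   "ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL"):
        print(sample, "->", lint_ciphersuites(sample))
```

The lint is deliberately stricter than a plain name lookup: it also reports empty entries, duplicates and stray whitespace so the value can be reviewed before it is deployed.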



 Comments   
Comment by Githook User [ 11/Mar/21 ]

Author:

{'name': 'Andrew Feierabend', 'email': 'andrew.feierabend@mongodb.com', 'username': 'andf-mongodb'}

Message: DOCS-13767 document opensslCipherSuiteConfig parameter
Branch: v5.0
https://github.com/mongodb/docs/commit/cf9fac070984e0447de4540d66591a77f521b637
