[DRIVERS-580] Disable TLS renegotiation when possible Created: 23/Oct/18  Updated: 13/Apr/22

Status: Implementing
Project: Drivers
Component/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Bernie Hackett Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: newdriver
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on CDRIVER-2934 Disable TLS renegotiation when possible Closed
depends on CXX-1717 Disable TLS renegotiation when possible Closed
depends on MOTOR-299 Disable TLS renegotiation when possible Closed
depends on NODE-1841 Disable TLS renegotiation when possible Closed
depends on PHPC-1315 Disable TLS renegotiation when possible Closed
depends on PYTHON-1726 Disable TLS renegotiation when possible Closed
depends on RUBY-1685 Disable TLS renegotiation when possible Closed
depends on RUST-131 Disable TLS renegotiation when possible Closed
depends on CSHARP-2843 Disable TLS renegotiation when possible Backlog
depends on GODRIVER-1403 Disable TLS renegotiation when possible Closed
depends on JAVA-3505 Disable TLS renegotiation when possible Closed
depends on SERVER-37714 Check for and set SSL_OP_NO_RENEGOTIA... Closed
Duplicate
Related
Server Compat: 4.3
Driver Compliance:
Key Status/Resolution FixVersion
NODE-1841 Fixed 3.2.0
PYTHON-1726 Fixed 3.8
PERL-1054 Done 2.1.1
RUBY-1685 Fixed 2.10.0.rc0
CXX-1717 Done
PHPC-1315 Done
RUST-131 Works as Designed
MOTOR-299 Fixed 2.1
CDRIVER-2934 Fixed 1.16.0
SWIFT-487 Works as Designed
JAVA-3505 Works as Designed
CSHARP-2843 Backlog
GODRIVER-1403 Works as Designed

 Description   

TLS renegotiation is complicated, has been removed from TLS 1.3, and is not supported on the OS X and Windows native cryptography implementations. For consistency going forward, we should disable it on OpenSSL, if we are able to.

Some versions of OpenSSL define SSL_OP_NO_RENEGOTIATION, which disables renegotiation on TLS 1.2 and before. Drivers using OpenSSL should set the SSL_OP_NO_RENEGOTIATION flag on the SSL Context when defined.
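One way a driver built on Python's `ssl` module could apply this, shown as an added example that is not part of the ticket or of any driver's code; the names `NO_RENEG`, `make_client_context` and `renegotiation_status` are hypothetical. It sets the option only when the linked OpenSSL defines it, and reports the resulting policy so a test suite can check it.

```python
import ssl

# ssl.OP_NO_RENEGOTIATION exists only when Python was built against an OpenSSL
# that defines SSL_OP_NO_RENEGOTIATION; fall back to None otherwise.
NO_RENEG = getattr(ssl, "OP_NO_RENEGOTIATION", None)


def make_client_context(cafile=None):
    """Hypothetical driver helper: verifying client context with
    renegotiation disabled when the option is available."""
    ctx = ssl.create_default_context(cafile=cafile)
    if NO_RENEG is not None:
        ctx.options |= NO_RENEG
    return ctx


def renegotiation_status(ctx):
    """Classify a context as 'disabled-by-option', 'tls13-only' or 'allowed'."""
    if NO_RENEG is not None and ctx.options & NO_RENEG:
        return "disabled-by-option"
    # TLS 1.3 has no renegotiation, so a 1.3-only context cannot renegotiate.
    if ssl.HAS_TLSv1_3 and ctx.minimum_version >= ssl.TLSVersion.TLSv1_3:
        return "tls13-only"
    return "allowed"


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, renegotiation_status(make_client_context()))
```
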


Generated at Thu Feb 08 08:21:52 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.