[SERVER-15822] Does MongoDB server have an ability to disable all SSL protocol versions and enable TLS only? Created: 27/Oct/14  Updated: 10/Dec/14  Resolved: 28/Oct/14

Status: Closed
Project: Core Server
Component/s: Networking, Security, Usability
Affects Version/s: 2.7.8
Fix Version/s: None

Type: Question Priority: Major - P3
Reporter: Georgii Iesaulov Assignee: Ramon Fernandez Marina
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:

Description

Because of the latest SSL protocol vulnerabilities, its usage should be minimized in corporate networks.

Even if MongoDB clients (e.g. the command line, C++ and Java drivers) have the latest TLS versions specified and used in particular, in some conditions secured connections could be downgraded from TLS to SSL, which is not acceptable.
To deal with such cases (and with the protocol downgrade attack that results), the MongoDB server should have an ability to turn on/off usage of TLS protocols only, without any usage of SSL protocols.

As I found, there is no such option now. Are there any plans to introduce it? Please advise as well whether there are any guidelines and documents to support the latest security practices by MongoDB.



Comments
Comment by Georgii Iesaulov [ 28/Oct/14 ]

Ramón, many thanks for the quick response.

Comment by Ramon Fernandez Marina [ 28/Oct/14 ]

esauloff, while there's no specific option to enable/disable SSL, SERVER-15673 disables SSLv3 ciphers (SSLv2 ones were already disabled) in response to CVE-2014-3566 "POODLE". The change is included in 2.7.8, and will be part of the next production releases.

For more information on security recommendations, please see the Security Tutorials and the MongoDB Security Guide.

Regards,
Ramón.

Generated at Thu Feb 08 03:39:06 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.