[SERVER-15822] Does MongoDB server have an ability to disable all SSL protocol versions and enable TLS only? Created: 27/Oct/14 Updated: 10/Dec/14 Resolved: 28/Oct/14 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security, Usability |
| Affects Version/s: | 2.7.8 |
| Fix Version/s: | None |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Georgii Iesaulov | Assignee: | Ramon Fernandez Marina |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: |
| Description |
|
Because of latest SSL protocol vulnerabilities, its usage should be minimized in corporate networks. Even if MongoDB clients (e.g. command line, C++ and Java drivers) have latest TLS versions specified and used particularly, in some conditions secured connections could be downgraded from TLS to SSL which is not acceptable. As I found - there is no such option now. Is there any plans to introduce it? Please advise as well, is there any guidelines and documents to support latest security practices by MongoDB? |
| Comments |
| Comment by Georgii Iesaulov [ 28/Oct/14 ] |
|
Ramón, many thanks for quick respond. |
| Comment by Ramon Fernandez Marina [ 28/Oct/14 ] |
|
esauloff, while there's no specific option to enable/disable SSL, For more information on security recommendations, please see the Security Tutorials and the MongoDB Security Guide. Regards, |