[SERVER-17967] MongoDB should explicitly disable RC4 for TLS Created: 09/Apr/15  Updated: 14/Apr/16  Resolved: 13/Apr/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Bernie Hackett Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Sprint: Security 2 04/24/15
Participants:

 Description   

RC4 is considered weak for TLS. We should explicitly disable it through SSL_CTX_set_cipher_list. I think adding ":!RC4" to the existing string is all that's needed.

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what



 Comments   
Comment by Andreas Nilsson [ 13/Apr/15 ]

Closing this as "Works as Designed" since we only use HIGH OpenSSL ciphers and that excludes all RC4 permutations.
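
Added example, not part of the ticket or of MongoDB's code: a check of the claim above against the local OpenSSL build, using Python's `ssl` module, whose `SSLContext.set_ciphers()` wraps `SSL_CTX_set_cipher_list`. The cipher string `"HIGH"` is an assumed stand-in for the server's actual string, which the ticket does not quote; the function names are this example's own.

```python
import ssl


def enabled_ciphers(spec):
    """Return the cipher suite names OpenSSL enables for a cipher-list string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(spec)  # calls SSL_CTX_set_cipher_list() underneath
    except ssl.SSLError:
        # The string selects no cipher at all in this OpenSSL build
        # (for example "RC4" on a build compiled without RC4 support).
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_ciphers(spec):
    """Return the enabled suites whose name marks them as RC4-based."""
    return [name for name in enabled_ciphers(spec) if "RC4" in name.upper()]


def audit(spec):
    """Report whether appending ':!RC4' to spec changes what is enabled."""
    base = enabled_ciphers(spec)
    hardened = enabled_ciphers(spec + ":!RC4")
    return {
        "spec": spec,
        "enabled": len(base),
        "rc4": rc4_ciphers(spec),
        # True when the explicit exclusion removes nothing, i.e. the
        # original string already kept every RC4 suite out.
        "exclusion_redundant": set(base) == set(hardened),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # "HIGH" is an assumed stand-in for the server's cipher string.
    for spec in ("HIGH", "HIGH:!RC4"):
        report = audit(spec)
        print(report["spec"], "->", report["enabled"], "suites,",
              "RC4:", report["rc4"] or "none,",
              "':!RC4' redundant:", report["exclusion_redundant"])
```

Running the same audit on the exact cipher string a deployment passes to OpenSSL shows whether `:!RC4` would remove anything on that build.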
