[SERVER-17967] MongoDB should explicitly disable RC4 for TLS Created: 09/Apr/15 Updated: 14/Apr/16 Resolved: 13/Apr/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Bernie Hackett | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Sprint: | Security 2 04/24/15 |
| Participants: |
| Description |
|
RC4 is considered weak for TLS. We should explicitly disable it through SSL_CTX_set_cipher_list. I think adding ":!RC4" to the existing string is all that's needed. https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what |
| Comments |
| Comment by Andreas Nilsson [ 13/Apr/15 ] |
|
Closing this as "Works as Designed" since we only use HIGH OpenSSL ciphers and that excludes all RC4 permutations. |
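
One way to check the point made in the comment above against a local OpenSSL build, as an added example that is not part of the ticket or of MongoDB's code. It assumes the base cipher string is plain `HIGH` (the ticket does not quote the server's full string); the helper names are hypothetical, and Python's `ssl.SSLContext.set_ciphers` hands the string to the OpenSSL cipher-list parser of the library Python is linked against.

```python
import ssl


def enabled_suites(cipher_string):
    """Return the suite names OpenSSL enables for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL refuses a string that selects no suite at all, which is
        # what happens for "RC4" on builds with RC4 suites compiled out.
        return []
    return [c["name"] for c in ctx.get_ciphers()]


def rc4_suites(cipher_string):
    """Return only the enabled suites whose name marks them as RC4-based."""
    return [name for name in enabled_suites(cipher_string) if "RC4" in name]


def audit(base="HIGH"):
    """Compare the base string with the ':!RC4' variant proposed in the ticket."""
    hardened = base + ":!RC4"
    return {
        "rc4_in_base": rc4_suites(base),
        "rc4_in_hardened": rc4_suites(hardened),
        # True when the explicit exclusion changes nothing for this build.
        "suffix_is_noop": enabled_suites(base) == enabled_suites(hardened),
        # What this OpenSSL build would offer if RC4 were asked for directly.
        "rc4_available_in_build": rc4_suites("RC4"),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for key, value in audit().items():
        print(f"{key}: {value}")
```

The result describes only the OpenSSL build the script runs against, so it is worth running on the same host and library version as the server being assessed.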