[SERVER-20401] Publicly expose net.ssl.disabledProtocols Created: 14/Sep/15  Updated: 24/Feb/16  Resolved: 16/Sep/15

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: None
Fix Version/s: 2.6.12, 3.0.7, 3.1.9

Type: Improvement Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
is documented by DOCS-6227 add documentation for --sslDisabledPr... Closed
Related
is related to SERVER-17591 Add SSL flag to select supported prot... Closed
Backwards Compatibility: Fully Compatible
Backport Completed:
Sprint: Security 9 (09/18/15)
Participants:

Description

This ticket changes server behaviour by exposing a new configuration parameter which prevents a MongoDB server running with SSL from accepting incoming connections using a particular protocol. For example, this might be useful when running the server in an environment where security policy forbids use of older versions of TLS.

On the command line, it can be set with "--sslDisabledProtocols", and in a configuration file it may be set with "net.ssl.disabledProtocols". Either form accepts a string containing a comma-separated list of protocols to disable. The recognised protocols are currently "TLS1_0", "TLS1_1", and "TLS1_2". An unrecognised protocol will prevent the server from starting. Be aware that cluster members must speak at least one protocol in common.

Example 1: Disable TLS1_0 from the command line

./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0

Example 2: Disable TLS1_0 and TLS1_1 from the command line

./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0,TLS1_1

Example 3: Disable TLS1_0 and TLS1_1 using a YAML configuration file

Start mongod using a configuration file which looks as follows:

net:
    ssl:
        mode: "requireSSL"
        PEMKeyFile: "jstests/libs/server.pem"
        CAFile: "jstests/libs/ca.pem"
        disabledProtocols: "TLS1_0,TLS1_1"
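As an added illustration of the rules stated above (not code from the MongoDB project), the following Python models how a disabledProtocols value is validated, which protocols remain enabled, and whether a set of cluster members still share a protocol. Whitespace trimming and the handling of an empty value are assumptions; the ticket does not specify them.

```python
# Added example modelling the validation rules described in SERVER-20401
# for net.ssl.disabledProtocols / --sslDisabledProtocols. Not MongoDB code.
from typing import Dict, FrozenSet

# Protocol names the ticket lists as recognised.
RECOGNIZED_PROTOCOLS: FrozenSet[str] = frozenset({"TLS1_0", "TLS1_1", "TLS1_2"})


def parse_disabled_protocols(value: str) -> FrozenSet[str]:
    """Parse a comma-separated disabledProtocols string.

    Raises ValueError on an unrecognised protocol, mirroring the ticket's
    rule that such a value prevents the server from starting.
    """
    disabled = set()
    for raw in value.split(","):
        token = raw.strip()  # assumption: surrounding whitespace is ignored
        if not token:
            continue  # assumption: an empty entry disables nothing
        if token not in RECOGNIZED_PROTOCOLS:
            raise ValueError(f"unrecognised protocol in disabledProtocols: {token!r}")
        disabled.add(token)
    return frozenset(disabled)


def enabled_protocols(value: str) -> FrozenSet[str]:
    """Protocols a server started with this setting will still accept."""
    return RECOGNIZED_PROTOCOLS - parse_disabled_protocols(value)


def cluster_common_protocols(member_settings: Dict[str, str]) -> FrozenSet[str]:
    """Intersect the enabled protocol sets of all cluster members.

    An empty result means the members have no protocol in common, the
    misconfiguration the ticket warns about.
    """
    common = RECOGNIZED_PROTOCOLS
    for setting in member_settings.values():
        common = common & enabled_protocols(setting)
    return common


if __name__ == "__main__":
    # Constructed sample: the third member disables the only protocol the
    # first two still share, so the cluster cannot communicate.
    broken = {"rs0-a": "TLS1_0", "rs0-b": "TLS1_0,TLS1_1", "rs0-c": "TLS1_2"}
    print(sorted(cluster_common_protocols(broken)))  # []
    ok = {"rs0-a": "TLS1_0", "rs0-b": "TLS1_0,TLS1_1"}
    print(sorted(cluster_common_protocols(ok)))  # ['TLS1_2']
```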

Comments
Comment by Githook User [ 16/Sep/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-20401 Expose net.ssl.disabledProtocols
Branch: v2.6
https://github.com/mongodb/mongo/commit/acba4587845dd5a42af93a63addcc05d89d227fc

Comment by Githook User [ 16/Sep/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-20401 Remove sslDisabledProtocols from shell
Branch: v3.0
https://github.com/mongodb/mongo/commit/022c5df7e091da9e71f6325695d21214ae1de769

Comment by Githook User [ 16/Sep/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-20401 Remove sslDisabledProtocols from shell
Branch: master
https://github.com/mongodb/mongo/commit/06dafcba63a4c5fd75fff5ae6f96ca0377ec60ec

Comment by Githook User [ 16/Sep/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-20401 Expose net.ssl.disabledProtocols
Branch: v3.0
https://github.com/mongodb/mongo/commit/2707aa16f1f74ca804bc07e7881f93443a024eb1

Comment by Githook User [ 16/Sep/15 ]

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)

Message: SERVER-20401 Expose net.ssl.disabledProtocols
Branch: master
https://github.com/mongodb/mongo/commit/17dd2dbd5aa9cc7a31fdf4cc029d1e1395b628fa
