[SERVER-25816] Disable TLS compression at runtime by default Created: 25/Aug/16  Updated: 06/Dec/22

Status: Open
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: features we're not sure of

Type: Improvement Priority: Trivial - P5
Reporter: Bernie Hackett Assignee: Backlog - Security Team
Resolution: Unresolved Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Assigned Teams:
Server Security
Participants:

Description

When using MongoDB with SSL/TLS you may or may not be using TLS compression depending on a number of factors including:

  • The OS-provided OpenSSL may have disabled it at compile time (recent RHEL releases)
  • You're using MongoDB on Windows (we build our vendored OpenSSL without compression)
  • The driver and driver version you are using (the C driver recently disabled compression, the Python driver will soon, and some language TLS libraries may disable it by default)

Though MongoDB isn't theoretically vulnerable to the CRIME attack, many users consider TLS compression a security problem.
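Because which of the factors above applies is hard to tell from the server side alone, the practical check is to observe what a TLS handshake actually negotiates. The following is an added example, not MongoDB or driver code: it builds a Python `ssl` client context that sets or clears the same `OP_NO_COMPRESSION` bit the patch uses, and probes a live endpoint (the `localhost:27017` target in the usage block is an assumption) to report the negotiated compression method.

```python
import socket
import ssl
from typing import Optional

# Hypothetical helper, not part of MongoDB or any driver. The server in the
# issue disables compression from its own side; a client can only observe
# what was negotiated, so this probes an endpoint and reports the result.


def make_client_context(disable_compression: bool = True) -> ssl.SSLContext:
    """Client context that explicitly sets or clears OP_NO_COMPRESSION.

    OP_NO_COMPRESSION is the same option bit as SSL_OP_NO_COMPRESSION in the
    patch. Clearing it only *permits* compression: an OpenSSL built without
    zlib (the RHEL case in the description) still never negotiates it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Probe only: we inspect negotiated parameters, not peer identity, so
    # certificate verification is switched off for this diagnostic context.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if disable_compression:
        ctx.options |= ssl.OP_NO_COMPRESSION
    else:
        ctx.options &= ~ssl.OP_NO_COMPRESSION
    return ctx


def compression_disabled(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses to negotiate TLS compression."""
    return bool(ctx.options & ssl.OP_NO_COMPRESSION)


def negotiated_compression(host: str, port: int,
                           ctx: Optional[ssl.SSLContext] = None,
                           timeout: float = 5.0) -> Optional[str]:
    """Handshake with host:port and return the negotiated compression
    method name, or None when the connection is uncompressed.

    Pass a context that allows compression to learn whether the server
    would accept it; with a disabling context the answer is always None
    regardless of the server's configuration.
    """
    ctx = ctx or make_client_context(disable_compression=False)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.compression()


if __name__ == "__main__":
    # Assumed target: a local mongod with TLS enabled on the default port.
    method = negotiated_compression("localhost", 27017)
    print("TLS compression:", method or "none negotiated")
```

Run it against a server before and after the patch: a server that honours `SSL_OP_NO_COMPRESSION` returns `None` even for a client that offers compression, whereas a server on a zlib-enabled OpenSSL without the patch may report a method name when the client allows it.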

For consistency, if for nothing else, we should explicitly disable TLS compression in the server at runtime. The patch is, essentially:

diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index d11d355..6d93210 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -614,6 +614,12 @@ Status SSLManager::initSSLContext(SSL_CTX* context,
     // SSL_OP_NO_SSLv3 - Disable SSL v3 support
     long supportedProtocols = SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
 
+    // SSL_OP_NO_COMPRESSION - Disables TLS compression
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+    supportedProtocols |= SSL_OP_NO_COMPRESSION;
+#endif
+
+
     // Set the supported TLS protocols. Allow --sslDisabledProtocols to disable selected
     // ciphers.
     if (!params.sslDisabledProtocols.empty()) {
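Review bot: the two trailing `+` blank lines leave a double blank line before the `// Set the supported TLS protocols` comment; one is enough. The `OPENSSL_VERSION_NUMBER >= 0x10000000L` guard matches the OpenSSL 1.0.0 introduction of `SSL_OP_NO_COMPRESSION`, but `#ifdef SSL_OP_NO_COMPRESSION` states the intent directly and does not depend on version-number arithmetic; with either guard, a build against an older OpenSSL silently keeps the library default, so the comment should say that compression is only disabled where the option exists. Also worth noting in the comment that the option is a no-op on builds whose OpenSSL already lacks compression (the Windows vendored build and recent RHEL, per the description), so operators do not expect a behaviour change there.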

