[SERVER-31701] Shell cannot connect with --ssl to a mongod with TLS1_0 disabled Created: 24/Oct/17 Updated: 30/Oct/23 Resolved: 22/Apr/22 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Shell |
| Affects Version/s: | 3.4.9 |
| Fix Version/s: | features we're not sure of |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Vick Mena (Inactive) | Assignee: | Backlog - Security Team |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Assigned Teams: |
Server Security
|
| Backwards Compatibility: | Fully Compatible |
| Participants: |
| Description |
|
Shell cannot connect to mongod with TLS1_0 disabled The mongod log file
|
| Comments |
| Comment by Spencer Jackson [ 10/Jan/20 ] |
|
The server and shell now use SecureTransport on OS X, solving the issue that was initially reported. The general request that it shouldn't be possible to start processes with no usable TLS protocols is still legitimate, but seems like an improvement rather than a bug. I'm reclassifying this ticket. |
| Comment by Spencer Jackson [ 27/Oct/17 ] |
|
We pass a bitset of disabled protocols down to OpenSSL. When TLS 1.3 is released, it seams reasonable people will want to disable all protocols except 1.3. So, they will need to be able to disable all known protocol revisions. We will have to do additional work to figure out how to disable the new protocol. We could do a compile-time check as to what preprocessor macros were declared by OpenSSL, and use that to make a guess about what protocols are supported. However, from the OpenSSL blog:
This means if we built binaries against 1.1.0 which made this check at compile time, they might mistakenly error out if ran with newer libraries. This is just a specific example. Maintaining forwards and backwards compatibility with OpenSSL's APIs and ABIs is... tricky. There is a newer API for setting supported protocols, but it only exists in 1.1.0+. It's not available on our supported platforms yet, and will never exist on OS X. It might be able to return an error if no protocols are enabled. This will probably be the best way to do this, but it's isn't viable just yet. |
| Comment by Mark Benvenuto [ 24/Oct/17 ] |
|
After talking with vick.mena, the issue is that on MacOS X, MongoD is linked to "OpenSSL 0.9.8zh 14 Jan 2016" which does not support TLS 1.1, and TLS 1.2. This means we allowed the user to start an invalid configuration in this case. We could error if the user disables all supported TLS versions. MongoD already disables SSLv2 and SSLv3. |
| Comment by Mark Benvenuto [ 24/Oct/17 ] |
|
Which OS are you running? I does not repro for me with MongoDB 3.4.9 on Fedora 26 with OpenSSL 1.1.0f-fips 25 May 2017. Client: Server Note: /home/mark/mongo is mongo repo with test certificates |