[SERVER-33329] Server and Shell do not emit TLS "protocol_version" alert messages Created: 14/Feb/18 Updated: 29/Oct/23 Resolved: 01/May/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security, Shell |
| Affects Version/s: | None |
| Fix Version/s: | 3.4.15, 3.6.5, 4.0.0-rc0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Spencer Jackson |
| Assignee: | Spencer Jackson |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v3.6, v3.4, v3.2 |
| Sprint: | Platforms 2018-03-26, Platforms 2018-04-09, Platforms 2018-04-23, Platforms 2018-05-07 |
| Participants: | |

| Description |

When connecting a shell which only supports TLS1.0 to an instance of openssl s_server, running with the arguments openssl s_server -port 27017 -cert jstests/libs/server.pem -tls1_2, the following error is emitted:
When connecting the same shell to a mongod which only supports TLS1.2, the following is emitted instead:
No "alert protocol version" error was emitted. Per RFC 5246 Appendix E, TLS protocol version negotiation is:
If the client sends a protocol version which is older than the server's oldest supported version, or the server replies with a protocol which is older than the client's oldest supported version:
The shell has logic to print information about any fatal TLS alert it receives during the handshake. However, on a protocol version error the server simply closes the socket without sending the alert message. It appears that ASIO does not flush its buffers to the network when OpenSSL raises a "fatal" error. This does not seem correct. The following is how openssl s_server handles the raised error:
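As an added check that is not part of this ticket or of the MongoDB code base, the script below sends a raw ClientHello offering only TLS 1.0 and reports whether the server replies with a protocol_version alert (RFC 5246 AlertDescription value 70) or, as described above, just closes the socket. Host and port are assumptions taken from the command line; the ClientHello and the sample records in the comments are constructed.

```python
"""Probe a TLS server for the RFC 5246 protocol_version alert on version mismatch."""
import socket
import struct
import sys

ALERT_PROTOCOL_VERSION = 70  # RFC 5246 section 7.2.2: AlertDescription protocol_version
CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22


def build_tls10_client_hello() -> bytes:
    """Minimal ClientHello (constructed) whose client_version is 3.1, i.e. TLS 1.0 only."""
    client_random = b"\x00" * 32                      # fixed random: this is a probe, not a real session
    cipher_suites = b"\x00\x2f"                       # TLS_RSA_WITH_AES_128_CBC_SHA (TLS 1.0-era suite)
    body = (b"\x03\x01" + client_random + b"\x00"     # client_version, random, empty session_id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                            # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # HandshakeType client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLSPlaintext record


def classify_response(data: bytes) -> str:
    """Classify the first TLS record a server sent back after our ClientHello."""
    if not data:
        return "closed-without-alert"   # the behaviour this ticket reports for mongod
    if len(data) < 5:
        return "truncated"
    content_type, _major, _minor, _length = struct.unpack("!BBBH", data[:5])
    if content_type == CONTENT_ALERT and len(data) >= 7:
        description = data[6]           # Alert body: level (byte 5), description (byte 6)
        if description == ALERT_PROTOCOL_VERSION:
            return "alert:protocol_version"
        return f"alert:{description}"
    if content_type == CONTENT_HANDSHAKE:
        return "handshake"              # server accepted TLS 1.0; no version mismatch to report
    return f"record-type:{content_type}"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the TLS 1.0-only ClientHello, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_tls10_client_hello())
        try:
            data = sock.recv(4096)
        except ConnectionResetError:
            data = b""                  # RST with no alert counts as a close without alert
    return classify_response(data)


if __name__ == "__main__":
    # Example: python probe.py 127.0.0.1 27017  (host and port are assumptions)
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A server that honours RFC 5246 should yield "alert:protocol_version"; the pre-fix behaviour described in this ticket yields "closed-without-alert".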

| Comments |

| Comment by Githook User [ 04/May/18 ] |

Author: {'email': 'spencer.jackson@mongodb.com', 'name': 'Spencer Jackson', 'username': 'spencerjackson'}
Message: (cherry picked from commit 51af489a86f1862de87b51f26a9e818ec3b5df04)

| Comment by Githook User [ 03/May/18 ] |

Author: {'email': 'spencer.jackson@mongodb.com', 'name': 'Spencer Jackson', 'username': 'spencerjackson'}
Message: (cherry picked from commit 51af489a86f1862de87b51f26a9e818ec3b5df04)

| Comment by Githook User [ 01/May/18 ] |

Author: {'email': 'spencer.jackson@mongodb.com', 'name': 'Spencer Jackson', 'username': 'spencerjackson'}
Message: