[SERVER-34237] Expose means for shell to disable TLS 1.0 Created: 30/Mar/18  Updated: 29/Oct/23  Resolved: 06/Apr/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 3.4.15, 3.6.5, 3.7.4

Type: Improvement Priority: Major - P3
Reporter: Davi Ottenheimer Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
depends on SERVER-32981 Disable TLS 1.0 by default Closed
Documented
is documented by DOCS-11559 Docs for SERVER-34237: Expose means f... Closed
Gantt Dependency
has to be done before SERVER-33329 Server and Shell do not emit TLS "pro... Closed
has to be done before SERVER-34477 Coverity analysis defect 103475: Inva... Closed
Related
Backwards Compatibility: Major Change
Backport Requested:
v3.6, v3.4
Sprint: Platforms 2018-04-09
Participants:

 Description   

Compliance requirements, such as PCI DSS v3.1, have mandated removal of TLS 1.0 by June 30th 2018. Customers need a way not only to enable newer safe protocols but also to provably disable TLS 1.0. The shell does not currently expose a means of disabling TLS protocols.



 Comments   
Comment by Githook User [ 04/May/18 ]

Author:

{'email': 'spencer.jackson@mongodb.com', 'name': 'Spencer Jackson', 'username': 'spencerjackson'}

Message: SERVER-34237: Expose means for shell to disable TLS 1.0

(cherry picked from commit 547224050351961fa5b06b297277ec1ff85c89e7)
(cherry picked from commit fb710fbfcbe9f3479c8ef6bf636f89cc58bfc2be)
Branch: v3.4
https://github.com/mongodb/mongo/commit/a5923c25181622e8374c6891770267c9735bc3f1

Comment by Githook User [ 03/May/18 ]

Author:

{'email': 'spencer.jackson@mongodb.com', 'name': 'Spencer Jackson', 'username': 'spencerjackson'}

Message: SERVER-34237: Expose means for shell to disable TLS 1.0

(cherry picked from commit 547224050351961fa5b06b297277ec1ff85c89e7)
Branch: v3.6
https://github.com/mongodb/mongo/commit/fb710fbfcbe9f3479c8ef6bf636f89cc58bfc2be

Comment by Spencer Jackson [ 03/May/18 ]

I am marking this ticket as "Backport Required", as SERVER-33329 needs this for testing. The backported patch must not affect the default TLS minimum protocol, and probably should keep the new shell flag hidden.

Comment by Githook User [ 06/Apr/18 ]

Author:

{'email': 'sara.golemon@mongodb.com', 'name': 'Sara Golemon', 'username': 'sgolemon'}

Message: SERVER-34237 Allow disabling TLS versions in the shell and disable TLS 1.0 by default
Branch: master
https://github.com/mongodb/mongo/commit/547224050351961fa5b06b297277ec1ff85c89e7

Comment by Sara Golemon [ 03/Apr/18 ]

davi.ottenheimer, just FYI SERVER-32981 disables TLS 1.0 by default on the server side, so for consistency we're going to do the same on the client side. Note that this default disable only applies to builds where TLS 1.1 and later are available (which is most, but not all). If a user wants to explicitly enable TLS 1.0 (e.g. for connecting to a mongod running with an old version of OpenSSL), they'll be able to pass '--sslDisabledProtocols none' similar to server side.
