[SERVER-35064] OpenSSL Elliptic Curve Auto Negotiation Unsupported on RHEL 7 and Ubuntu 16.04
Created: 18/May/18  Updated: 06/Dec/22  Resolved: 14/Dec/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.6.4, 3.7.9
Fix Version/s: None

Type: Bug
Priority: Critical - P2
Reporter: Matt Lord (Inactive)
Assignee: Backlog - Security Team
Resolution: Duplicate
Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate: is duplicated by SERVER-36616 Enable ECDHE support if platform supp... (Closed)
Gantt Dependency: has to be done before SERVER-34911 Restrict TLS ciphers supported by ser... (Closed)
Assigned Teams:
Server Security
Operating System: Linux

Description

Linux distros that have been GA for some time, like RHEL 7 and Ubuntu 16.04, had to shoehorn TLS 1.2 support in later OS updates without breaking ABI compatibility.

See RHEL 7 for example.

The way this was done does not allow binaries built against the older ABI to enable curve auto negotiation for ECDHE ciphers in our "forward compatible" binaries (e.g. one RHEL 7 binary supports 7.0-7.4). We will need to try to address this by, e.g.:

  • Hardcoding some things into MongoDB
  • Potentially upgrading our build machines and OS minima to RHEL 7.4
