[SERVER-36250] Add support for optionally logging specific negotiated TLS versions
Created: 23/Jul/18
Updated: 29/Oct/23
Resolved: 19/Sep/18

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 3.4.19, 3.6.9, 4.0.4, 4.1.4

Type: Task
Priority: Minor - P4
Reporter: Mark Benvenuto
Assignee: Mark Benvenuto
Resolution: Fixed
Votes: 0
Labels: None

Issue Links:
Backports
Problem/Incident
  causes SERVER-45803 mongodecrypt needs a ServiceContext (Closed)
Related
  related to SERVER-37130 Add TLS version counting to mongos (Closed)
  is related to SERVER-34558 Add SSL_version to client metadata lo... (Closed)
Backwards Compatibility: Fully Compatible
Backport Requested: v4.0, v3.6, v3.4
Sprint: Platforms 2018-08-27, Security 2018-09-10, Security 2018-09-24

Description

A flag and config flag need to be added so that the server will log TLS connections of a specific set of versions.

Possible syntax:
--tlsLogTLSVersions=[TLS1_0, TLS1_1, TLS1_2]

This will log to the log file as:
Accepted from TLS Version 1.0 from connection 127.0.0.1

CC cory.mintz
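
One way to use log lines of the form proposed above when deciding whether legacy TLS versions can be switched off, as an added example (not MongoDB's code): it tallies negotiated versions and lists the peers still connecting with TLS 1.0 or 1.1. The line format is the one sketched in this ticket and may differ from what the server finally logs; the sample lines are constructed, and `summarize`, `safe_to_disable` and `LEGACY` are hypothetical names.

```python
import re
from collections import Counter, defaultdict

# Line format as sketched in the ticket description (assumption: the shipped
# wording may differ, so adjust the pattern to the lines your server emits).
TLS_LINE = re.compile(
    r"Accepted from TLS Version (?P<version>\d\.\d) from connection (?P<peer>\S+)"
)
LEGACY = frozenset({"1.0", "1.1"})  # assumption: versions you plan to disable

def summarize(lines):
    """Return (count per TLS version, {peer: {legacy version: count}})."""
    by_version = Counter()
    legacy_peers = defaultdict(Counter)
    for line in lines:
        m = TLS_LINE.search(line)
        if m is None:
            continue  # not a TLS version line
        version, peer = m["version"], m["peer"]
        by_version[version] += 1
        if version in LEGACY:
            legacy_peers[peer][version] += 1
    return dict(by_version), {p: dict(c) for p, c in legacy_peers.items()}

def safe_to_disable(lines, versions=LEGACY):
    """True when no logged connection negotiated any of `versions`."""
    by_version, _ = summarize(lines)
    return not any(by_version.get(v, 0) for v in versions)

# Constructed sample lines (documentation address ranges), not real server output.
SAMPLE_LOG = [
    "2018-09-17T10:00:01Z Accepted from TLS Version 1.2 from connection 192.0.2.10",
    "2018-09-17T10:00:04Z Accepted from TLS Version 1.0 from connection 192.0.2.44",
    "2018-09-17T10:00:09Z Accepted from TLS Version 1.2 from connection 192.0.2.10",
    "2018-09-17T10:01:30Z Accepted from TLS Version 1.1 from connection 198.51.100.7",
    "2018-09-17T10:02:12Z Accepted from TLS Version 1.0 from connection 192.0.2.44",
    "2018-09-17T10:02:13Z unrelated log line that must be ignored",
]

if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    print("connections per TLS version:", counts)
    for peer, versions in sorted(peers.items()):
        print("legacy client", peer, versions)
    print("safe to disable legacy versions:", safe_to_disable(SAMPLE_LOG))
```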



Comments
Comment by Githook User [ 11/Dec/18 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-36250 Add support for optionally logging specific negotiated TLS versions

(cherry picked from commit 573f92bd3567a70f2b6bdc8295a9d230dec1cf04)
Branch: v3.4
https://github.com/mongodb/mongo/commit/6e6ee2948919f59d27fa9aec46cbc3294c700991

Comment by Githook User [ 31/Oct/18 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-36250 Add support for optionally logging specific negotiated TLS versions

(cherry picked from commit c377f378176e34987babf95db8ed70a12ce44b4f)
Branch: v3.6
https://github.com/mongodb/mongo/commit/573f92bd3567a70f2b6bdc8295a9d230dec1cf04

Comment by Eric Milkie [ 30/Oct/18 ]

Note that the previous cherry-pick to 4.0 broke compilation in that branch; the reason appears to be that ssl_options_test.cpp slurped in more lines from master than were touched by Mark's commit (his touched 8 lines but spencer.jackson's cherry-pick for the same file added 272 lines).
This was complicated by the fact that these lines are guarded by a config macro that is only enabled on Windows and MacOS, so that is probably how the failure was missed in patch testing.

Comment by Githook User [ 29/Oct/18 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-36250 Add support for optionally logging specific negotiated TLS versions

(cherry picked from commit 0780841a51470b33105ec2b0a7831531b82d0a8d)
Branch: v4.0
https://github.com/mongodb/mongo/commit/c377f378176e34987babf95db8ed70a12ce44b4f

Comment by Benjamin Caimano (Inactive) [ 21/Sep/18 ]

Yep, this is also something we should backport.

Comment by Githook User [ 17/Sep/18 ]

Author: Mark Benvenuto <mark.benvenuto@mongodb.com> (markbenvenuto)

Message: SERVER-36250 Add support for optionally logging specific negotiated TLS versions
Branch: master
https://github.com/mongodb/mongo/commit/0780841a51470b33105ec2b0a7831531b82d0a8d
