[SERVER-37135] TLSVersionCounts needs to track and report TLS 1.3 Created: 14/Sep/18  Updated: 29/Oct/23  Resolved: 10/Oct/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.6.9, 4.0.4, 4.1.4, 3.4.24

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Spencer Jackson
Resolution: Fixed Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Documented
is documented by DOCS-12145 Docs for SERVER-37135: TLSVersionCoun... Closed
Duplicate
duplicates SERVER-37137 Allow TLS 1.3 to be used in --tlsDisa... Closed
is duplicated by SERVER-37366 Compiling Error encountered in Mongod... Closed
Problem/Incident
causes SERVER-44993 ssl_count_protocols.js should not eva... Closed
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.0, v3.6, v3.4
Sprint: Security 2018-10-08, Security 2018-10-22
Participants:

 Description   

ArchLinux has just received packages for OpenSSL 1.1.1, which provides support for TLS 1.3.

ssl_manager_openssl.cpp attempts to increment TLS version counts for TLS 1.3, if it is compiled against a version of OpenSSL which exposes a relevant preprocessor macro. However, TLSVersionCounts is missing the member variable which needs to be incremented.

This causes compilation to fail.

We likely additionally need an "unknown" field. MongoDB binaries compiled against old versions of OpenSSL, but dynamically linked against newer versions, may be able to negotiate TLS 1.3 while not having access to the compile-time constants which identify the protocol.

In order to test this functionality, we will need to add support for TLS 1.3 to be used in tlsDisableProtocols, on platforms that support the protocol.
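As an added illustration (not code from this ticket or from the MongoDB repository), the following shows how a counts structure with the missing tls13 member and an "unknown" bucket behaves in the two build situations the description distinguishes: a binary whose OpenSSL headers defined the TLS 1.3 constant (OpenSSL 1.1.1's TLS1_3_VERSION macro), and an older build running against a newer libssl that can still negotiate TLS 1.3. The template parameter stands in for the #ifdef guard. The report key names and the TLS1_x token spellings used for the disable list are this example's own assumptions, not the server's option syntax.

```cpp
#include <cstdint>
#include <initializer_list>
#include <iostream>
#include <map>
#include <set>
#include <sstream>
#include <string>

// Wire-format TLS protocol version numbers. OpenSSL's TLS1_VERSION,
// TLS1_1_VERSION, TLS1_2_VERSION and TLS1_3_VERSION macros expand to these
// values; they are restated here so the example builds without OpenSSL headers.
constexpr int kTLS1_0 = 0x0301;
constexpr int kTLS1_1 = 0x0302;
constexpr int kTLS1_2 = 0x0303;
constexpr int kTLS1_3 = 0x0304;

// Per-version session counters: the tls13 member this ticket adds, plus an
// "unknown" bucket for versions the build had no constant for.
struct TLSVersionCounts {
    std::int64_t tls10 = 0;
    std::int64_t tls11 = 0;
    std::int64_t tls12 = 0;
    std::int64_t tls13 = 0;
    std::int64_t unknown = 0;
};

// Record one negotiated version (what SSL_version() returns after the
// handshake). kBuildKnowsTLS13 stands in for an "#ifdef TLS1_3_VERSION" guard:
// a binary built against pre-1.1.1 headers has no TLS 1.3 branch, yet a newer
// runtime libssl can still negotiate 0x0304, which must land in "unknown"
// instead of being dropped.
template <bool kBuildKnowsTLS13>
void recordTLSVersion(TLSVersionCounts& counts, int negotiatedVersion) {
    switch (negotiatedVersion) {
        case kTLS1_0: ++counts.tls10; return;
        case kTLS1_1: ++counts.tls11; return;
        case kTLS1_2: ++counts.tls12; return;
        default: break;
    }
    if (kBuildKnowsTLS13 && negotiatedVersion == kTLS1_3) {
        ++counts.tls13;
        return;
    }
    ++counts.unknown;
}

// Flatten the counters into the shape a status report would expose. The key
// spellings are an assumption of this example, not serverStatus's own.
std::map<std::string, std::int64_t> reportTLSVersionCounts(const TLSVersionCounts& c) {
    return {{"1.0", c.tls10}, {"1.1", c.tls11}, {"1.2", c.tls12},
            {"1.3", c.tls13}, {"unknown", c.unknown}};
}

// Feed a constructed sequence of negotiated versions through one build flavour
// and return the resulting report.
template <bool kBuildKnowsTLS13>
std::map<std::string, std::int64_t> countSessions(std::initializer_list<int> versions) {
    TLSVersionCounts counts;
    for (int v : versions) recordTLSVersion<kBuildKnowsTLS13>(counts, v);
    return reportTLSVersionCounts(counts);
}

// Parse a comma-separated disable list such as "TLS1_0,TLS1_1,TLS1_3" into the
// set of version numbers to refuse. Token spellings are this example's
// assumption. Any unrecognised token fails the whole list, so a typo cannot
// silently leave a protocol enabled.
bool parseDisabledProtocols(const std::string& list, std::set<int>& disabled) {
    static const std::map<std::string, int> kNames = {
        {"TLS1_0", kTLS1_0}, {"TLS1_1", kTLS1_1}, {"TLS1_2", kTLS1_2}, {"TLS1_3", kTLS1_3}};
    std::set<int> parsed;
    std::stringstream ss(list);
    std::string token;
    while (std::getline(ss, token, ',')) {
        auto it = kNames.find(token);
        if (it == kNames.end()) return false;
        parsed.insert(it->second);
    }
    disabled = parsed;
    return true;
}

// Check one negotiated version against a disable list (false if the list is malformed).
bool protocolDisabled(const std::string& list, int version) {
    std::set<int> disabled;
    return parseDisabledProtocols(list, disabled) && disabled.count(version) > 0;
}

int main() {
    // The same constructed sessions seen by a build that knows the TLS 1.3
    // constant and by one that does not.
    auto modern = countSessions<true>({kTLS1_2, kTLS1_3, kTLS1_3});
    auto legacy = countSessions<false>({kTLS1_2, kTLS1_3, kTLS1_3});
    std::cout << "modern build: 1.3=" << modern["1.3"] << " unknown=" << modern["unknown"] << "\n";
    std::cout << "legacy build: 1.3=" << legacy["1.3"] << " unknown=" << legacy["unknown"] << "\n";
    return 0;
}
```

The point of the "unknown" bucket is that the legacy build still accounts for every session: the two TLS 1.3 handshakes are reported as unknown rather than vanishing, which is what an operator auditing protocol usage needs to see.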



 Comments   
Comment by Githook User [ 03/Dec/19 ]

Author:

{'email': 'john.chen@mongodb.com', 'name': 'John Chen'}

Message: SERVER-37135: Track and report TLS 1.3

(cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)
(cherry picked from commit 8c1de7e08de30a38f3d878118248735e6e2ea72a)
Branch: v3.4
https://github.com/mongodb/mongo/commit/5cd7e9a0ca88583ad94243d00032486c0ee9052c

Comment by Githook User [ 31/Oct/18 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-37135: Track and report TLS 1.3

(cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)
Branch: v3.6
https://github.com/mongodb/mongo/commit/8c1de7e08de30a38f3d878118248735e6e2ea72a

Comment by Githook User [ 29/Oct/18 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-37135: Track and report TLS 1.3

(cherry picked from commit 670963110d9d226824842d22540a79154fce59a1)
Branch: v4.0
https://github.com/mongodb/mongo/commit/cbb76539c47068f8836ed05283763e687cf126a7

Comment by Githook User [ 10/Oct/18 ]

Author:

{'name': 'Spencer Jackson', 'email': 'spencer.jackson@mongodb.com', 'username': 'spencerjackson'}

Message: SERVER-37135: Track and report TLS 1.3
Branch: master
https://github.com/mongodb/mongo/commit/670963110d9d226824842d22540a79154fce59a1

Comment by Dimitri John Ledkov [ 09/Oct/18 ]

Ok, thanks. It's just that I have landed OpenSSL 1.1.1 in Ubuntu 18.10, whilst not having tls13 patched up in mongodb =/ I am expecting havoc when we release Ubuntu 18.10 next Thursday =)

Comment by Spencer Jackson [ 09/Oct/18 ]

Hi xnox, we don't use PRs for code review, and I'm afraid our CR system is behind our authentication system. I expect this patch to land shortly into our master branch. When it does, this ticket will be updated to include a link to the commit, and you'll have visibility to it from there.

Comment by Dimitri John Ledkov [ 09/Oct/18 ]

Is there a URL to PR?

Comment by Dimitri John Ledkov [ 23/Sep/18 ]

Well, struct TLSVersionCounts should add 'tls13' anyway, unconditionally.

Generated at Thu Feb 08 04:45:04 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.