[SERVER-37135] TLSVersionCounts needs to track and report TLS 1.3

Created: 14/Sep/18 | Updated: 29/Oct/23 | Resolved: 10/Oct/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 3.6.9, 4.0.4, 4.1.4, 3.4.24 |
| Type: | Task |
| Priority: | Major - P3 |
| Reporter: | Spencer Jackson |
| Assignee: | Spencer Jackson |
| Resolution: | Fixed |
| Votes: | 2 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Fully Compatible |
| Backport Requested: | v4.0, v3.6, v3.4 |
| Sprint: | Security 2018-10-08, Security 2018-10-22 |
| Participants: | |

| Description |
ArchLinux has just received packages for OpenSSL 1.1.1, which provides support for TLS 1.3. ssl_manager_openssl.cpp attempts to increment TLS version counts for TLS 1.3, if it is compiled against a version of OpenSSL which exposes a relevant preprocessor macro. However, TLSVersionCounts is missing the member variable which needs to be incremented. This causes compilation to fail. We likely additionally need an "unknown" field. MongoDB binaries compiled against old versions of OpenSSL, but dynamically linked against newer versions, may be able to negotiate TLS 1.3 while not having access to compile-time constants which identify the protocol. In order to test this functionality, we will need to add support for TLS 1.3 to be used in tlsDisableProtocols, on platforms that support the protocol.
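As an added illustration, not the MongoDB patch itself, the C++ sketch below shows the shape of the fix the description calls for: a counter struct with an unconditional `tls13` member plus an `unknown` bucket, classification that falls back to `unknown` when the runtime library negotiates a version the compile-time headers could not name (the "built against old OpenSSL, dynamically linked against new" case), and a parser for a tlsDisableProtocols-style list that refuses `TLS1_3` on builds without support. The OpenSSL protocol version constants are redefined locally (with the values OpenSSL's ssl.h uses) so it builds without OpenSSL installed; the token spellings `TLS1_0`..`TLS1_3`, the `SIMULATE_OLD_OPENSSL` switch and all function names are this example's assumptions, not the server's code.

```cpp
#include <atomic>
#include <cstdio>
#include <string>
#include <vector>

// These mirror the protocol version constants in OpenSSL's <openssl/ssl.h>,
// redefined here so the example builds without OpenSSL headers.
#ifndef TLS1_VERSION
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#endif
// Pre-1.1.1 headers do not define TLS1_3_VERSION. Build with
// -DSIMULATE_OLD_OPENSSL (an assumed switch for this example) to see a binary
// built against old headers classify a runtime-negotiated TLS 1.3 session as
// "unknown" instead of failing to compile.
#if !defined(SIMULATE_OLD_OPENSSL) && !defined(TLS1_3_VERSION)
#define TLS1_3_VERSION 0x0304
#endif

enum class TLSVersion { kUnknown, kTLS10, kTLS11, kTLS12, kTLS13 };

// The member for TLS 1.3 exists unconditionally; only the *classification*
// depends on whether the headers know the protocol.
struct TLSVersionCounts {
    std::atomic<long> tls10{0};
    std::atomic<long> tls11{0};
    std::atomic<long> tls12{0};
    std::atomic<long> tls13{0};
    std::atomic<long> unknown{0};  // versions the compile-time constants cannot name
};

// Map the integer version the library reports for a connection (SSL_version()
// in OpenSSL) to a bucket. Anything without a compile-time constant is unknown.
TLSVersion classifyVersion(int negotiated) {
    switch (negotiated) {
        case TLS1_VERSION:   return TLSVersion::kTLS10;
        case TLS1_1_VERSION: return TLSVersion::kTLS11;
        case TLS1_2_VERSION: return TLSVersion::kTLS12;
#ifdef TLS1_3_VERSION
        case TLS1_3_VERSION: return TLSVersion::kTLS13;
#endif
        default:             return TLSVersion::kUnknown;
    }
}

void recordVersion(TLSVersionCounts& counts, int negotiated) {
    switch (classifyVersion(negotiated)) {
        case TLSVersion::kTLS10:   counts.tls10++;   break;
        case TLSVersion::kTLS11:   counts.tls11++;   break;
        case TLSVersion::kTLS12:   counts.tls12++;   break;
        case TLSVersion::kTLS13:   counts.tls13++;   break;
        case TLSVersion::kUnknown: counts.unknown++; break;
    }
}

// Parse a comma-separated tlsDisableProtocols-style list (token spellings are
// an assumption of this example) into the versions to refuse. Returns false on
// an unrecognised token, or when TLS1_3 is requested on a build without support,
// so a misconfiguration is reported rather than silently ignored.
bool parseDisabledProtocols(const std::string& list,
                            std::vector<TLSVersion>& out,
                            std::string& error) {
    out.clear();
    error.clear();
    size_t start = 0;
    while (start <= list.size()) {
        size_t comma = list.find(',', start);
        if (comma == std::string::npos) comma = list.size();
        std::string token = list.substr(start, comma - start);
        if (!token.empty()) {
            if (token == "TLS1_0")      out.push_back(TLSVersion::kTLS10);
            else if (token == "TLS1_1") out.push_back(TLSVersion::kTLS11);
            else if (token == "TLS1_2") out.push_back(TLSVersion::kTLS12);
            else if (token == "TLS1_3") {
#ifdef TLS1_3_VERSION
                out.push_back(TLSVersion::kTLS13);
#else
                error = "TLS1_3 requested but this build has no TLS 1.3 support";
                return false;
#endif
            } else {
                error = "unrecognised protocol token: " + token;
                return false;
            }
        }
        start = comma + 1;
    }
    return true;
}

int main() {
    TLSVersionCounts counts;
    // Constructed sample: three handshakes, one of them a version this build
    // has no constant for (0x0305 is not a real TLS version).
    for (int v : {TLS1_2_VERSION, 0x0304, 0x0305}) recordVersion(counts, v);
    std::printf("tls12=%ld tls13=%ld unknown=%ld\n",
                counts.tls12.load(), counts.tls13.load(), counts.unknown.load());
    return 0;
}
```

Built normally, the run records `tls13=1`; built with `-DSIMULATE_OLD_OPENSSL`, the same 0x0304 handshake lands in `unknown`, which is the reporting gap the "unknown" field closes.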
| Comments |

Comment by Githook User [ 03/Dec/19 ]

Author: John Chen <john.chen@mongodb.com>
Message: (cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)

Comment by Githook User [ 31/Oct/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message: (cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)

Comment by Githook User [ 29/Oct/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message: (cherry picked from commit 670963110d9d226824842d22540a79154fce59a1)

Comment by Githook User [ 10/Oct/18 ]

Author: Spencer Jackson <spencer.jackson@mongodb.com> (spencerjackson)
Message:

Comment by Dimitri John Ledkov [ 09/Oct/18 ]

Ok, thanks. It's just that I have landed OpenSSL 1.1.1 in Ubuntu 18.10, whilst not having tls13 patched up in mongodb =/ I am expecting havoc when we release Ubuntu 18.10 next Thursday =)

Comment by Spencer Jackson [ 09/Oct/18 ]

Hi xnox, we don't use PRs for code review, and I'm afraid our CR system is behind our authentication system. I expect this patch to land shortly into our master branch. When it does, this ticket will be updated to include a link to the commit, and you'll have visibility to it from there.

Comment by Dimitri John Ledkov [ 09/Oct/18 ]

Is there a URL to the PR?

Comment by Dimitri John Ledkov [ 23/Sep/18 ]

Well, struct TLSVersionCounts should add 'tls13' anyway, unconditionally.