[SERVER-37714] Check for and set SSL_OP_NO_RENEGOTIATION Created: 23/Oct/18  Updated: 29/Oct/23  Resolved: 06/Jun/19

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: None
Fix Version/s: 4.3.1

Type: Question Priority: Major - P3
Reporter: Spencer Jackson Assignee: Roxane Fruytier (Inactive)
Resolution: Fixed Votes: 0
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends: is depended on by DRIVERS-580 Disable TLS renegotiation when possible (Implementing)
Related: none
Backwards Compatibility: Fully Compatible
Sprint: Security 2019-06-17
Participants:

Description

TLS renegotiation is complicated, has been removed from TLS 1.3, and is not supported on the OS X and Windows native cryptography implementations. For consistency going forward, we should disable it on OpenSSL, if we are able to.

Some versions of OpenSSL define SSL_OP_NO_RENEGOTIATION, which disables renegotiation on TLS 1.2 and earlier. If this macro is defined, we should apply it to our SSL_CTX objects with SSL_CTX_set_options.
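The same feature-detect-then-apply logic, shown here as an added illustration rather than the server's own C++ change: Python's ssl module surfaces the OpenSSL macro as ssl.OP_NO_RENEGOTIATION (absent on builds that predate it) and assigning to ctx.options calls SSL_CTX_set_options underneath, so the check maps one-to-one onto the ticket's description.

```python
import ssl


def openssl_has_option() -> bool:
    """True when this OpenSSL build exposes SSL_OP_NO_RENEGOTIATION.
    Python mirrors the C macro: the attribute only exists if the
    underlying libssl defined it at build time."""
    return hasattr(ssl, "OP_NO_RENEGOTIATION")


def disable_tls_renegotiation(ctx: ssl.SSLContext) -> bool:
    """Apply SSL_OP_NO_RENEGOTIATION to the context if available.

    Returns True if the option was set, False if the OpenSSL in use
    is too old to know the option, in which case TLS <= 1.2
    renegotiation stays enabled and the caller may want to log that."""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    if opt is None:
        return False
    ctx.options |= opt  # SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION)
    return True


def renegotiation_disabled(ctx: ssl.SSLContext) -> bool:
    """Post-hoc check (startup self-test / config audit): is the bit
    actually present on the context's option mask?"""
    opt = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return opt is not None and bool(ctx.options & opt)


def build_server_context() -> ssl.SSLContext:
    """Server-side context with renegotiation disabled where possible.
    TLS 1.3 has no renegotiation at all; the option only matters for
    the TLS 1.2-and-earlier handshakes this context still permits."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    disable_tls_renegotiation(ctx)
    return ctx


if __name__ == "__main__":
    ctx = build_server_context()
    print(f"{ssl.OPENSSL_VERSION}: renegotiation disabled = "
          f"{renegotiation_disabled(ctx)}")
```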



Comments
Comment by Githook User [ 06/Jun/19 ]

Author:

{'name': 'Roxane', 'email': 'roxane.fruytier@10gen.com'}

Message: SERVER-37714 Set SSL_OP_NO_RENEGOTIATION if defined
Branch: master
https://github.com/mongodb/mongo/commit/b1a57f73a3b3bdc8e1b088838aa04a475115dd96

Generated at Thu Feb 08 04:46:48 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.