[SERVER-37714] Check for and set SSL_OP_NO_RENEGOTIATION Created: 23/Oct/18 Updated: 29/Oct/23 Resolved: 06/Jun/19 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Networking, Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.3.1 |
| Type: | Question | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Roxane Fruytier (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | neweng | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||
| Sprint: | Security 2019-06-17 | ||||||||||||
| Participants: | |||||||||||||
| Description |
|
TLS renegotiation is complicated, has been removed from TLS 1.3, and is not supported on the OS X and Windows native cryptography implementations. For consistency going forward, we should disable it on OpenSSL, if we are able to. Some versions of OpenSSL define SSL_OP_NO_RENEGOTIATION, which disabled renegotiation on TLS 1.2 and before. If this macro is defined, we should apply it to our SSL_CTX objects with SSL_CTX_set_options. |
| Comments |
| Comment by Githook User [ 06/Jun/19 ] |
|
Author: {'name': 'Roxane', 'email': 'roxane.fruytier@10gen.com'}Message: |