[SERVER-48774] setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled)

Created: 13/Jun/20 | Updated: 29/Oct/23 | Resolved: 14/Jul/20

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Security |
| Affects Version/s: | 4.2.7 |
| Fix Version/s: | 4.7.0 |
| Type: | Bug |
| Priority: | Major - P3 |
| Reporter: | Zhao Yuan |
| Assignee: | Adam Cooper (Inactive) |
| Resolution: | Fixed |
| Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Operating System: | ALL |
| Sprint: | Security 2020-07-13, Security 2020-07-27 |
| Participants: | |

| Description |
In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only works for TLSv1.2 and below. If the user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites: ". The related API for TLSv1.3 is SSL_CTX_set_ciphersuites(). Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html
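The two-API split the description calls for, as an added example that is neither MongoDB's nor OpenSSL's code: a helper that routes each configured suite name to the call that accepts it, and a reproduction of the reported failure through Python's ssl module, whose set_ciphers() wraps SSL_CTX_set_cipher_list(). Assumptions: the ssl module is built against OpenSSL 1.1.1 or later; because Python exposes no binding for SSL_CTX_set_ciphersuites(), the TLS 1.3 half is computed but not applied here.

```python
import ssl

# TLS 1.3 cipher suites implemented by OpenSSL 1.1.1. They use IANA-style names
# that the legacy cipher-list grammar does not know, so SSL_CTX_set_cipher_list()
# never matches them; they belong to SSL_CTX_set_ciphersuites() instead.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
})


def split_cipher_config(config):
    """Partition a colon-separated cipher string into (legacy, tls13).

    `legacy` goes to SSL_CTX_set_cipher_list() (TLS 1.2 and below), `tls13` to
    SSL_CTX_set_ciphersuites(). An empty string means "skip that call", which is
    what avoids the reported failure for a TLS 1.3-only configuration.
    """
    legacy, tls13 = [], []
    for name in (n.strip() for n in config.split(":")):
        if name:
            (tls13 if name in TLS13_SUITES else legacy).append(name)
    return ":".join(legacy), ":".join(tls13)


def legacy_api_accepts(cipher_string):
    """Reproduce the report on a TLS 1.3-only context.

    set_ciphers() wraps SSL_CTX_set_cipher_list(); Python raises ssl.SSLError when
    that call returns 0, so False here is the 'Can not set supported cipher
    suites' condition the issue describes.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # TLS 1.0/1.1/1.2 disabled
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    # Constructed configuration: one TLS 1.3 suite plus one TLS 1.2 suite.
    legacy, tls13 = split_cipher_config(
        "TLS_CHACHA20_POLY1305_SHA256:ECDHE-RSA-AES256-GCM-SHA384")
    print("SSL_CTX_set_cipher_list  <-", legacy or "(skip)")
    print("SSL_CTX_set_ciphersuites <-", tls13 or "(skip)")
    print(legacy_api_accepts("TLS_CHACHA20_POLY1305_SHA256"))  # False: the reported bug
    print(legacy_api_accepts(legacy))                          # True
```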
| Comments |

| Comment by Githook User [ 14/Jul/20 ] |

Author: Adam Cooper <adam.cooper@mongodb.com> (username: super-cooper)
Message:
| Comment by Spencer Jackson [ 30/Jun/20 ] |

zyyzhao@gmail.com, thank you for reporting this issue. I can confirm this issue, and we are investigating a solution. As an interim workaround, you may be able to provide an OpenSSL configuration file path via the OPENSSL_CONF environment variable. This configuration file would specify the desired TLS 1.3 ciphersuites. An example configuration file is available in this upstream issue.
| Comment by Carl Champain (Inactive) [ 15/Jun/20 ] |

Thank you for the report. Kind regards,
| Comment by Zhao Yuan [ 14/Jun/20 ] |

If the user configures a TLSv1.3 cipher suite only, such as "TLS_CHACHA20_POLY1305_SHA256", SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites".