[SERVER-48774] setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled) Created: 13/Jun/20  Updated: 29/Oct/23  Resolved: 14/Jul/20

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 4.2.7
Fix Version/s: 4.7.0

Type: Bug Priority: Major - P3
Reporter: Zhao Yuan Assignee: Adam Cooper (Inactive)
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by DOCS-13767 [Server] Setting cipher list does not... Closed
Backwards Compatibility: Minor Change
Operating System: ALL
Sprint: Security 2020-07-13, Security 2020-07-27
Participants:

Description

In ssl_manager_openssl.cpp, the OpenSSL API SSL_CTX_set_cipher_list() only works for TLSv1.2 and below. 

If the user configures TLSv1.3 only, SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites: "

The related API for TLSv1.3 is SSL_CTX_set_ciphersuites().

Reference: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_cipher_list.html

Comments
Comment by Githook User [ 14/Jul/20 ]

Author:

{'name': 'Adam Cooper', 'email': 'adam.cooper@mongodb.com', 'username': 'super-cooper'}

Message: SERVER-48774 setting cipher list does not work for TLSv1.3 only (if TLS1_0, TLS1_1, TLS1_2 are disabled)
Branch: master
https://github.com/mongodb/mongo/commit/c02d19aebdba13451d576f56885e3358dad90e48

Comment by Spencer Jackson [ 30/Jun/20 ]

zyyzhao@gmail.com, thank you for reporting this issue. I can confirm this issue, and we are investigating a solution. As an interim workaround, you may be able to provide an OpenSSL configuration file path via the OPENSSL_CONF environment variable. This configuration file would specify the desired TLS 1.3 ciphersuites. An example configuration file is available in this upstream issue.

Comment by Carl Champain (Inactive) [ 15/Jun/20 ]

Hi zyyzhao@gmail.com,

Thank you for the report.
We are passing this ticket along to the appropriate team for further investigation. Updates will be posted on this ticket as they happen.

Kind regards,
Carl

Comment by Zhao Yuan [ 14/Jun/20 ]

If the user configures a TLSv1.3 cipher suite only, such as "TLS_CHACHA20_POLY1305_SHA256", SSL_CTX_set_cipher_list() returns 0 and causes an error: "Can not set supported cipher suites"
