[SERVER-57630] Enable SSL_OP_NO_RENEGOTIATION on Ubuntu 18.04 when running against OpenSSL 1.1.1 Created: 11/Jun/21  Updated: 29/Oct/23  Resolved: 03/Aug/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: 4.4.6
Fix Version/s: 5.0.3, 4.4.9, 5.1.0-rc0

Type: Bug Priority: Major - P3
Reporter: Mark Benvenuto Assignee: Sara Golemon
Resolution: Fixed Votes: 2
Labels: neweng
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Problem/Incident
Related
Backwards Compatibility: Minor Change
Operating System: ALL
Backport Requested:
v5.0, v4.4
Sprint: Security 2021-07-12, Security 2021-07-26, Security 2021-08-09
Participants:
Case:
Linked BF Score: 66

 Description   

The SSL_OP_NO_RENEGOTIATION option was first added in the OpenSSL 1.1.1 release.

https://github.com/openssl/openssl/commit/db0f35dda18

It was backported to OpenSSL 1.1.0 and shipped in 1.1.0h.

https://github.com/openssl/openssl/commit/6e127fdd1c7851eec4199cdec4ee0f8b748e7603

Ubuntu 18.04 comes with 1.1.0g (the version prior to SSL_OP_NO_RENEGOTIATION being added). As a result, MongoDB builds on Ubuntu 18.04 but relies on compile-time detection to determine whether SSL_OP_NO_RENEGOTIATION exists. Since the macro is absent at compile time, MongoDB does not know about the flag and so never tries to set it at runtime, even when the library actually loaded is a newer 1.1.0h+ or 1.1.1 build that honours it.

Instead, on OpenSSL 1.1.0 platforms (Ubuntu 18.04, SLES 15, Debian 9), MongoDB should define SSL_OP_NO_RENEGOTIATION itself when the headers lack it and perform a runtime check of the OpenSSL version to decide whether the option should be set.
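The compile-time fallback plus runtime gate described above, as an added example that is not MongoDB's code: the macro value 0x40000000 is the one OpenSSL's own headers use for SSL_OP_NO_RENEGOTIATION, the version layout follows OPENSSL_VERSION_NUMBER (0xMNNFFPPS), and the function names are hypothetical. No libssl is linked; in real code the runtime number comes from OpenSSL_version_num() and the returned bits go to SSL_CTX_set_options().

```c
/* Added example (not MongoDB's or OpenSSL's code): tolerate 1.1.0g build headers
   while still enabling SSL_OP_NO_RENEGOTIATION when a newer library is loaded. */
#include <stdio.h>
#include <string.h>

/* Value used by OpenSSL 1.1.0h+/1.1.1 headers for SSL_OP_NO_RENEGOTIATION.
   Defined here only when the build headers (e.g. Ubuntu 18.04's 1.1.0g) lack it. */
#ifndef SSL_OP_NO_RENEGOTIATION
#define SSL_OP_NO_RENEGOTIATION 0x40000000UL
#endif

/* OPENSSL_VERSION_NUMBER layout: 0xMNNFFPPS (major, minor, fix, patch, status).
   1.1.0h is the first 1.1.0 release that understands the option. */
#define OPENSSL_1_1_0H 0x1010008fUL

/* Return the option bits to OR into SSL_CTX_set_options() for the library
   actually loaded at runtime (the value OpenSSL_version_num() reports).
   An older library does not know the option, so the bit is left clear. */
unsigned long no_renegotiation_option(unsigned long runtime_version) {
    if (runtime_version >= OPENSSL_1_1_0H)
        return SSL_OP_NO_RENEGOTIATION;
    return 0UL;
}

/* Decode 0xMNNFFPPS into "M.N.Fp" for logging, e.g. 0x1010007f -> "1.1.0g". */
int openssl_version_string(unsigned long v, char *buf, size_t len) {
    unsigned major = (unsigned)((v >> 28) & 0xf);
    unsigned minor = (unsigned)((v >> 20) & 0xff);
    unsigned fix   = (unsigned)((v >> 12) & 0xff);
    unsigned patch = (unsigned)((v >> 4) & 0xff);
    if (patch == 0)
        return snprintf(buf, len, "%u.%u.%u", major, minor, fix);
    return snprintf(buf, len, "%u.%u.%u%c", major, minor, fix, (char)('a' + patch - 1));
}

int main(void) {
    /* Constructed sample: build headers are 1.1.0g, loaded library varies. */
    unsigned long loaded[] = { 0x1010007fUL, 0x1010008fUL, 0x1010100fUL };
    for (size_t i = 0; i < sizeof loaded / sizeof loaded[0]; i++) {
        char name[16];
        openssl_version_string(loaded[i], name, sizeof name);
        printf("runtime %s -> options 0x%lx\n", name, no_renegotiation_option(loaded[i]));
    }
    return 0;
}
```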



 Comments   
Comment by Xian Wei Zhang [ 13/Aug/21 ]

@Sara Golemon, Thanks for the info!

Comment by Sara Golemon [ 12/Aug/21 ]

xwzhang@cn.ibm.com According to our release team, the target date for 4.4.9, which should include this, is 31 Aug 2021.

Comment by Xian Wei Zhang [ 12/Aug/21 ]

@Sara Golemon, could you please provide any approximate or estimated date, i.e. can we expect 4.4.9 to be shipped by end of Q3 or early Q4? We also need to provide an estimated date to our security team accordingly. Thanks!

Comment by Githook User [ 11/Aug/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime

(cherry picked from commit 2d974e867061b13526750f1ff66a9fb577a96354)
Branch: v4.4
https://github.com/mongodb/mongo/commit/d5d9bd45185b4ea2a4d7600512559326880290c9

Comment by Githook User [ 11/Aug/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime

(cherry picked from commit 2d974e867061b13526750f1ff66a9fb577a96354)
Branch: v5.0
https://github.com/mongodb/mongo/commit/1f4bc09636349699994d171b6fe66b924898d1cc

Comment by Sara Golemon [ 11/Aug/21 ]

hqzhou@cn.ibm.com There's a backport scheduled to put this on the 4.4 branch, and I'll be completing it this week, but I don't have the exact date on when the next release with this change will go out.

Comment by Hong Qing Zhou [ 09/Aug/21 ]

@Sara Golemon

Will this fix be in 4.4.9 or any 4.4.X release? If yes, do you have the concrete target release 4.4.X and release date?

Comment by Githook User [ 02/Aug/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime
Branch: master
https://github.com/mongodb/mongo/commit/2d974e867061b13526750f1ff66a9fb577a96354

Comment by Githook User [ 05/Jul/21 ]

Author:

{'name': 'Uladzimir Makouski', 'email': 'uladzimir.makouski@mongodb.com', 'username': 'umakouski'}

Message: Revert "SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime"

This reverts commit 110a58f2ece4fd1efaa93ccf552883fef047a00b.
Branch: master
https://github.com/mongodb/mongo/commit/72df6f6c32cdc8820a2ffe1a204fdd3e135b4ffe

Comment by Githook User [ 02/Jul/21 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-57630 Support SSL_OP_NO_REGNEGOTIATION if it's available at runtime
Branch: master
https://github.com/mongodb/mongo/commit/110a58f2ece4fd1efaa93ccf552883fef047a00b
