[SERVER-57630] Enable SSL_OP_NO_RENEGOTIATION on Ubuntu 18.04 when running against OpenSSL 1.1.1

Created: 11/Jun/21 | Updated: 29/Oct/23 | Resolved: 03/Aug/21

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | Core Server |
| Component/s | None |
| Affects Version/s | 4.4.6 |
| Fix Version/s | 5.0.3, 4.4.9, 5.1.0-rc0 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Mark Benvenuto |
| Assignee | Sara Golemon |
| Resolution | Fixed |
| Votes | 2 |
| Labels | neweng |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Issue Links | |
| Backwards Compatibility | Minor Change |
| Operating System | ALL |
| Backport Requested | v5.0, v4.4 |
| Sprint | Security 2021-07-12, Security 2021-07-26, Security 2021-08-09 |
| Participants | |
| Case | (copied to CRM) |
| Linked BF Score | 66 |

Description
The SSL_OP_NO_RENEGOTIATION option was first added in the OpenSSL 1.1.1 release (https://github.com/openssl/openssl/commit/db0f35dda18). It was backported to OpenSSL 1.1.0 and shipped in 1.1.0h (https://github.com/openssl/openssl/commit/6e127fdd1c7851eec4199cdec4ee0f8b748e7603).

Ubuntu 18.04 ships with 1.1.0g, the version immediately before SSL_OP_NO_RENEGOTIATION was added. MongoDB builds on Ubuntu 18.04 and uses compile-time detection to determine whether SSL_OP_NO_RENEGOTIATION exists. Since the macro is absent at compile time, MongoDB does not know about the flag and never tries to disable renegotiation at runtime, even when the binary later runs against an OpenSSL 1.1.1 library that supports it.

On OpenSSL 1.1.0 platforms (Ubuntu 18.04, SLES 15, Debian 9), MongoDB should instead define SSL_OP_NO_RENEGOTIATION itself and perform a runtime check of the OpenSSL version to decide whether the option should be set.
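The approach the description proposes, written out as an added example (this is neither MongoDB's fix nor OpenSSL code): a fallback define for the missing macro plus a runtime version gate. It is plain C so it builds without OpenSSL headers. The value 0x40000000U is the definition the 1.1.0h and 1.1.1 headers use; the version-number layout 0xMNNFFPPS is OpenSSL's documented OPENSSL_VERSION_NUMBER encoding. In a real build the version would come from OpenSSL_version_num() and the resulting bits would go to SSL_CTX_set_options(); both are assumed here rather than called, and the three version values fed to main() are constructed inputs.

```c
#include <stdio.h>
#include <string.h>

/* Ubuntu 18.04's OpenSSL 1.1.0g headers lack this macro; 1.1.0h and 1.1.1
 * define it as 0x40000000U. Supplying the identical value lets a binary built
 * against 1.1.0g still request the option from a newer runtime library. */
#ifndef SSL_OP_NO_RENEGOTIATION
#define SSL_OP_NO_RENEGOTIATION 0x40000000U
#endif

/* OPENSSL_VERSION_NUMBER layout is 0xMNNFFPPS: major, minor, fix, patch
 * letter (a=1, b=2, ...), status (f = release). */
#define OPENSSL_1_1_0G 0x1010007fUL  /* Ubuntu 18.04 build-time headers */
#define OPENSSL_1_1_0H 0x1010008fUL  /* first 1.1.0 release honouring the option */
#define OPENSSL_1_1_1  0x1010100fUL

/* Runtime check: only 1.1.0h or later understands SSL_OP_NO_RENEGOTIATION.
 * version_num is what OpenSSL_version_num() would return (assumed, not called). */
int no_renegotiation_supported(unsigned long version_num)
{
    return version_num >= OPENSSL_1_1_0H;
}

/* Option bits to hand to SSL_CTX_set_options() (assumed, not called here):
 * the caller's base options, plus SSL_OP_NO_RENEGOTIATION only when the
 * library loaded at runtime is new enough to honour it. */
unsigned long options_for_runtime(unsigned long base_options,
                                  unsigned long version_num)
{
    if (no_renegotiation_supported(version_num))
        return base_options | SSL_OP_NO_RENEGOTIATION;
    return base_options;
}

/* Render 0xMNNFFPPS as "1.1.0h" for log lines; returns out. */
char *format_openssl_version(unsigned long v, char *out, size_t len)
{
    unsigned major = (v >> 28) & 0xf;
    unsigned minor = (v >> 20) & 0xff;
    unsigned fix   = (v >> 12) & 0xff;
    unsigned patch = (v >> 4) & 0xff;
    if (patch)
        snprintf(out, len, "%u.%u.%u%c", major, minor, fix, 'a' + (int)patch - 1);
    else
        snprintf(out, len, "%u.%u.%u", major, minor, fix);
    return out;
}

int main(void)
{
    /* Constructed inputs: the three versions the ticket discusses. */
    unsigned long versions[] = { OPENSSL_1_1_0G, OPENSSL_1_1_0H, OPENSSL_1_1_1 };
    char buf[32];
    for (size_t i = 0; i < sizeof versions / sizeof versions[0]; i++) {
        unsigned long opts = options_for_runtime(0UL, versions[i]);
        printf("runtime OpenSSL %-7s -> SSL_OP_NO_RENEGOTIATION %s\n",
               format_openssl_version(versions[i], buf, sizeof buf),
               (opts & SSL_OP_NO_RENEGOTIATION) ? "set" : "not set");
    }
    return 0;
}
```

The two halves are both needed: the define lets the code compile on a 1.1.0g build host, and the runtime comparison keeps the option from being handed to a library whose headers never defined that bit. The fallback value must match the library's definition exactly, which is why it is pinned to the published 1.1.0h/1.1.1 constant rather than chosen freely.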
Comments

Comment by Xian Wei Zhang [ 13/Aug/21 ]

@Sara Golemon, thanks for the info!
Comment by Sara Golemon [ 12/Aug/21 ]

xwzhang@cn.ibm.com According to our release team, the target date for 4.4.9, which should include this, is 31 Aug 2021.
Comment by Xian Wei Zhang [ 12/Aug/21 ]

@Sara Golemon, could you please provide an approximate or estimated date, i.e. can we expect 4.4.9 to be shipped by the end of Q3 or early Q4? We also need to provide an estimated date to our security team accordingly. Thanks!
Comment by Githook User [ 11/Aug/21 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 2d974e867061b13526750f1ff66a9fb577a96354)
Comment by Githook User [ 11/Aug/21 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: (cherry picked from commit 2d974e867061b13526750f1ff66a9fb577a96354)
Comment by Sara Golemon [ 11/Aug/21 ]

hqzhou@cn.ibm.com There's a backport scheduled to put this on the 4.4 branch, and I'll be completing it this week, but I don't have the exact date on when the next release with this change will go out.
Comment by Hong Qing Zhou [ 09/Aug/21 ]

@Sara Golemon Will this fix be in 4.4.9 or any 4.4.X release? If yes, do you have the concrete target release 4.4.X and release date?
Comment by Githook User [ 02/Aug/21 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message:
Comment by Githook User [ 05/Jul/21 ]

Author: Uladzimir Makouski <uladzimir.makouski@mongodb.com> (umakouski)
Message: Revert " This reverts commit 110a58f2ece4fd1efaa93ccf552883fef047a00b.
Comment by Githook User [ 02/Jul/21 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)
Message: