This ticket changes server behaviour by exposing a new configuration parameter which prevents a MongoDB server running with SSL from accepting incoming connections using a particular protocol. For example, this might be useful when running the server in an environment where security policy forbids use of older versions of TLS.
On the command line, it can be set with "--sslDisabledProtocols", and in a configuration file it may be set with "net.ssl.disabledProtocols". Either form accepts a string containing a comma separated list of protocols to disable. The recognized protocols are currently "TLS1_0", "TLS1_1", and "TLS1_2". An unrecognised protocol will prevent the server from starting. Be aware that cluster members must speak at least one protocol in common.
Example 1: Disable TLS1_0 from the command line
./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0
Example 2: Disable TLS1_0 and TLS1_1 from the command line
./mongod --sslMode requireSSL --sslPEMKeyFile server.pem --sslCAFile ca.pem --sslDisabledProtocols TLS1_0,TLS1_1
Example 3: Disable TLS1_0 and TLS1_1 using a YAML configuration file
Start mongod using a configuration file which looks as follows:
net: ssl: mode: "requireSSL" PEMKeyFile: "jstests/libs/server.pem" CAFile: "jstests/libs/ca.pem" disabledProtocols: "TLS1_0,TLS1_1"
- is related to
-
SERVER-17591 Add SSL flag to select supported protocols
- Closed