authorSpencer Jackson <spencer.jackson@mongodb.com>2018-05-03 13:56:54 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2018-05-03 19:46:58 -0400
commita5923c25181622e8374c6891770267c9735bc3f1 (patch)
tree7814e124dfe7ba4d0188525e4f53ee061412ba1e
parent4aeb61bd31fc934db54c88fec256b71688de4c62 (diff)
downloadmongo-a5923c25181622e8374c6891770267c9735bc3f1.tar.gz
SERVER-34237: Expose means for shell to disable TLS 1.0
(cherry picked from commit 547224050351961fa5b06b297277ec1ff85c89e7) (cherry picked from commit fb710fbfcbe9f3479c8ef6bf636f89cc58bfc2be)
-rw-r--r--src/mongo/util/net/ssl_options.cpp102
1 files changed, 78 insertions, 24 deletions
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 2a9090d4531..ebf0bd79794 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -168,6 +168,15 @@ Status addSSLClientOptions(moe::OptionSection* options) {
options->addOptionChaining(
"ssl.FIPSMode", "sslFIPSMode", moe::Switch, "activate FIPS 140-2 mode at startup");
+ options
+ ->addOptionChaining(
+ "ssl.disabledProtocols",
+ "sslDisabledProtocols",
+ moe::String,
+ "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]")
+ .hidden();
+
+
return Status::OK();
}
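Review bot: The help string on the new `ssl.disabledProtocols` option lists only `[TLS1_0,TLS1_1,TLS1_2]`, but the parser it feeds (`storeDisabledProtocols`, later in this diff) also accepts the literal `none`, so a shell user reading the help has no way to learn about that escape hatch. I would extend the description to `"Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2], or 'none'"`. The option is also registered `.hidden()` with no comment saying why; a one-line note such as `// Hidden: intended for the shell's own TLS 1.0 opt-out, not general use` (or whatever the actual reason is) would stop the next maintainer from un-hiding it or deleting it. addSSLClientOptions begins before this hunk.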
@@ -219,6 +228,63 @@ Status canonicalizeSSLServerOptions(moe::Environment* params) {
return Status::OK();
}
+/**
+ * Older versions of mongod/mongos accepted --sslDisabledProtocols values
+ * in the form 'noTLS1_0,noTLS1_1'. kAcceptNegativePrefix allows us to
+ * continue accepting this format on mongod/mongos while only supporting
+ * the "standard" TLS1_X format in the shell.
+ */
+enum DisabledProtocolsMode {
+ kStandardFormat,
+ kAcceptNegativePrefix,
+};
+
+Status storeDisabledProtocols(const std::string& disabledProtocols,
+ DisabledProtocolsMode mode = kStandardFormat) {
+ if (disabledProtocols == "none") {
+ // Allow overriding the default behavior below of implicitly disabling TLS 1.0.
+ return Status::OK();
+ }
+
+ // The disabledProtocols field is composed of a comma separated list of protocols to
+ // disable. First, tokenize the field.
+ const auto tokens = StringSplitter::split(disabledProtocols, ",");
+
+ // All universally accepted tokens, and their corresponding enum representation.
+ const std::map<std::string, SSLParams::Protocols> validConfigs{
+ {"TLS1_0", SSLParams::Protocols::TLS1_0},
+ {"TLS1_1", SSLParams::Protocols::TLS1_1},
+ {"TLS1_2", SSLParams::Protocols::TLS1_2},
+ };
+
+ // These noTLS* tokens exist for backwards compatibility.
+ const std::map<std::string, SSLParams::Protocols> validNoConfigs{
+ {"noTLS1_0", SSLParams::Protocols::TLS1_0},
+ {"noTLS1_1", SSLParams::Protocols::TLS1_1},
+ {"noTLS1_2", SSLParams::Protocols::TLS1_2},
+ };
+
+ // Map the tokens to their enum values, and push them onto the list of disabled protocols.
+ for (const std::string& token : tokens) {
+ auto mappedToken = validConfigs.find(token);
+
+ if ((mappedToken == validConfigs.end()) &&
+ (mode == DisabledProtocolsMode::kAcceptNegativePrefix)) {
+ // We allow "noTLS1_0" style on the server for backward compatibility.
+ mappedToken = validNoConfigs.find(token);
+ }
+
+ if (mappedToken != validConfigs.end()) {
+ sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
+ } else {
+ return Status(ErrorCodes::BadValue, "Unrecognized disabledProtocols '" + token + "'");
+ }
+ }
+
+ return Status::OK();
+}
+
+
Status storeSSLServerOptions(const moe::Environment& params) {
if (params.count("net.ssl.mode")) {
std::string sslModeParam = params["net.ssl.mode"].as<string>();
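Review bot: The check at the end of the token loop compares `mappedToken` against `validConfigs.end()` even after the `kAcceptNegativePrefix` branch has reassigned it to `validNoConfigs.find(token)`; comparing an iterator from one `std::map` with the `end()` of a different map is undefined behaviour, and in practice the two `end()` iterators will not compare equal, so an unrecognised token on the server path (e.g. `net.ssl.disabledProtocols: TLS1_3`) would likely take the `push_back(mappedToken->second)` branch and dereference `validNoConfigs.end()` instead of returning `BadValue`. Tracking "found" explicitly per container fixes this, as sketched below. Separately, the comment on the `"none"` early return refers to "the default behavior below of implicitly disabling TLS 1.0", but nothing in this function disables anything by default; either that logic lives elsewhere (in which case the comment should name where) or it is stale. Whether an empty token from a trailing comma is rejected depends on `StringSplitter::split`, which is not visible here.

```cpp
    // Map the tokens to their enum values, and push them onto the list of disabled protocols.
    for (const std::string& token : tokens) {
        auto mappedToken = validConfigs.find(token);
        bool recognized = (mappedToken != validConfigs.end());

        if (!recognized && (mode == DisabledProtocolsMode::kAcceptNegativePrefix)) {
            // We allow "noTLS1_0" style on the server for backward compatibility.
            mappedToken = validNoConfigs.find(token);
            recognized = (mappedToken != validNoConfigs.end());
        }

        if (!recognized) {
            return Status(ErrorCodes::BadValue, "Unrecognized disabledProtocols '" + token + "'");
        }
        sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
    }
    // … unchanged: return Status::OK(); …
```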
@@ -278,30 +344,10 @@ Status storeSSLServerOptions(const moe::Environment& params) {
}
if (params.count("net.ssl.disabledProtocols")) {
- // The disabledProtocols field is composed of a comma separated list of protocols to
- // disable. First, tokenize the field.
- std::vector<std::string> tokens =
- StringSplitter::split(params["net.ssl.disabledProtocols"].as<string>(), ",");
-
- // All accepted tokens, and their corresponding enum representation. The noTLS* tokens
- // exist for backwards compatibility.
- const std::map<std::string, SSLParams::Protocols> validConfigs{
- {"TLS1_0", SSLParams::Protocols::TLS1_0},
- {"noTLS1_0", SSLParams::Protocols::TLS1_0},
- {"TLS1_1", SSLParams::Protocols::TLS1_1},
- {"noTLS1_1", SSLParams::Protocols::TLS1_1},
- {"TLS1_2", SSLParams::Protocols::TLS1_2},
- {"noTLS1_2", SSLParams::Protocols::TLS1_2}};
-
- // Map the tokens to their enum values, and push them onto the list of disabled protocols.
- for (const std::string& token : tokens) {
- auto mappedToken = validConfigs.find(token);
- if (mappedToken != validConfigs.end()) {
- sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
- } else {
- return Status(ErrorCodes::BadValue,
- "Unrecognized disabledProtocols '" + token + "'");
- }
+ const auto status = storeDisabledProtocols(params["net.ssl.disabledProtocols"].as<string>(),
+ DisabledProtocolsMode::kAcceptNegativePrefix);
+ if (!status.isOK()) {
+ return status;
}
}
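Review bot: Routing the server's `net.ssl.disabledProtocols` through the shared helper quietly widens what the server accepts: the removed table rejected the literal `none` with `BadValue`, while the helper now accepts it and leaves `sslDisabledProtocols` untouched, and neither the commit message nor this call site says so. If that is intended, a comment at the call such as `// Shares the shell's parser; this also makes the literal "none" a valid (no-op) server value.` would make the behaviour change deliberate rather than accidental; if it is not intended, the server call should reject `none` before delegating. storeSSLServerOptions starts before this hunk and continues past it.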
@@ -396,6 +442,14 @@ Status storeSSLClientOptions(const moe::Environment& params) {
if (params.count("ssl.FIPSMode")) {
sslGlobalParams.sslFIPSMode = true;
}
+ if (params.count("ssl.disabledProtocols")) {
+ const auto status =
+ storeDisabledProtocols(params["ssl.disabledProtocols"].as<std::string>());
+ if (!status.isOK()) {
+ return status;
+ }
+ }
+
return Status::OK();
}