author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-05-03 13:56:54 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-05-03 19:46:58 -0400 |
commit | a5923c25181622e8374c6891770267c9735bc3f1 (patch) | |
tree | 7814e124dfe7ba4d0188525e4f53ee061412ba1e | |
parent | 4aeb61bd31fc934db54c88fec256b71688de4c62 (diff) | |
download | mongo-a5923c25181622e8374c6891770267c9735bc3f1.tar.gz |
SERVER-34237: Expose means for shell to disable TLS 1.0
(cherry picked from commit 547224050351961fa5b06b297277ec1ff85c89e7)
(cherry picked from commit fb710fbfcbe9f3479c8ef6bf636f89cc58bfc2be)
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 102 |
1 files changed, 78 insertions, 24 deletions
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp index 2a9090d4531..ebf0bd79794 100644 --- a/src/mongo/util/net/ssl_options.cpp +++ b/src/mongo/util/net/ssl_options.cpp @@ -168,6 +168,15 @@ Status addSSLClientOptions(moe::OptionSection* options) { options->addOptionChaining( "ssl.FIPSMode", "sslFIPSMode", moe::Switch, "activate FIPS 140-2 mode at startup"); + options + ->addOptionChaining( + "ssl.disabledProtocols", + "sslDisabledProtocols", + moe::String, + "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]") + .hidden(); + + return Status::OK(); } 
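Review bot: The help string for the new `ssl.disabledProtocols` option lists only `TLS1_0,TLS1_1,TLS1_2`, but `storeDisabledProtocols` added later in this commit also accepts the literal `none` as an explicit opt-out, and nothing in the option's description tells a user that value exists. Suggest `"Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2], or 'none'"`. The option is registered `.hidden()`, which presumably keeps it out of `--help` for now, so this text only becomes visible once the flag is un-hidden — which makes it cheap to get right here. The enclosing `addSSLClientOptions` body starts outside the hunk.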
@@ -219,6 +228,63 @@ Status canonicalizeSSLServerOptions(moe::Environment* params) { return Status::OK(); } +/** + * Older versions of mongod/mongos accepted --sslDisabledProtocols values + * in the form 'noTLS1_0,noTLS1_1'. kAcceptNegativePrefix allows us to + * continue accepting this format on mongod/mongos while only supporting + * the "standard" TLS1_X format in the shell. + */ +enum DisabledProtocolsMode { + kStandardFormat, + kAcceptNegativePrefix, +}; + +Status storeDisabledProtocols(const std::string& disabledProtocols, + DisabledProtocolsMode mode = kStandardFormat) { + if (disabledProtocols == "none") { + // Allow overriding the default behavior below of implicitly disabling TLS 1.0. + return Status::OK(); + } + + // The disabledProtocols field is composed of a comma separated list of protocols to + // disable. First, tokenize the field. + const auto tokens = StringSplitter::split(disabledProtocols, ","); + + // All universally accepted tokens, and their corresponding enum representation. + const std::map<std::string, SSLParams::Protocols> validConfigs{ + {"TLS1_0", SSLParams::Protocols::TLS1_0}, + {"TLS1_1", SSLParams::Protocols::TLS1_1}, + {"TLS1_2", SSLParams::Protocols::TLS1_2}, + }; + + // These noTLS* tokens exist for backwards compatibility. + const std::map<std::string, SSLParams::Protocols> validNoConfigs{ + {"noTLS1_0", SSLParams::Protocols::TLS1_0}, + {"noTLS1_1", SSLParams::Protocols::TLS1_1}, + {"noTLS1_2", SSLParams::Protocols::TLS1_2}, + }; + + // Map the tokens to their enum values, and push them onto the list of disabled protocols. + for (const std::string& token : tokens) { + auto mappedToken = validConfigs.find(token); + + if ((mappedToken == validConfigs.end()) && + (mode == DisabledProtocolsMode::kAcceptNegativePrefix)) { + // We allow "noTLS1_0" style on the server for backward compatibility. 
+ mappedToken = validNoConfigs.find(token); + } + + if (mappedToken != validConfigs.end()) { + sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second); + } else { + return Status(ErrorCodes::BadValue, "Unrecognized disabledProtocols '" + token + "'"); + } + } + + return Status::OK(); +} + + Status storeSSLServerOptions(const moe::Environment& params) { if (params.count("net.ssl.mode")) { std::string sslModeParam = params["net.ssl.mode"].as<string>(); @@ -278,30 +344,10 @@ Status storeSSLServerOptions(const moe::Environment& params) { } if (params.count("net.ssl.disabledProtocols")) { - // The disabledProtocols field is composed of a comma separated list of protocols to - // disable. First, tokenize the field. - std::vector<std::string> tokens = - StringSplitter::split(params["net.ssl.disabledProtocols"].as<string>(), ","); - - // All accepted tokens, and their corresponding enum representation. The noTLS* tokens - // exist for backwards compatibility. - const std::map<std::string, SSLParams::Protocols> validConfigs{ - {"TLS1_0", SSLParams::Protocols::TLS1_0}, - {"noTLS1_0", SSLParams::Protocols::TLS1_0}, - {"TLS1_1", SSLParams::Protocols::TLS1_1}, - {"noTLS1_1", SSLParams::Protocols::TLS1_1}, - {"TLS1_2", SSLParams::Protocols::TLS1_2}, - {"noTLS1_2", SSLParams::Protocols::TLS1_2}}; - - // Map the tokens to their enum values, and push them onto the list of disabled protocols. - for (const std::string& token : tokens) { - auto mappedToken = validConfigs.find(token); - if (mappedToken != validConfigs.end()) { - sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second); - } else { - return Status(ErrorCodes::BadValue, - "Unrecognized disabledProtocols '" + token + "'"); - } + const auto status = storeDisabledProtocols(params["net.ssl.disabledProtocols"].as<string>(), + DisabledProtocolsMode::kAcceptNegativePrefix); + if (!status.isOK()) { + return status; } } 
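Review bot: After the fallback `mappedToken = validNoConfigs.find(token);` the loop still tests `mappedToken != validConfigs.end()`, comparing an iterator from one map against the end iterator of a different map. On the server path (`kAcceptNegativePrefix`, the call site in the following hunk) a token present in neither map yields `validNoConfigs.end()`, which is not equal to `validConfigs.end()`, so the `BadValue` branch is skipped and the end iterator is dereferenced, pushing an indeterminate value onto `sslDisabledProtocols` instead of rejecting the misspelled protocol name; the `noTLS*` tokens that are found only work because the same cross-container comparison happens to be unequal. The removed inline code did not have this problem because it used a single map, so this is a regression in input validation for a TLS hardening setting. Keep each lookup paired with its own container's `end()` and fall through to the error otherwise, as below.
```cpp
    // … unchanged: "none" check, tokenizing, validConfigs / validNoConfigs maps …
    for (const std::string& token : tokens) {
        // Standard "TLS1_X" form is accepted in every mode.
        const auto mappedToken = validConfigs.find(token);
        if (mappedToken != validConfigs.end()) {
            sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
            continue;
        }

        // We allow "noTLS1_0" style on the server for backward compatibility.
        if (mode == DisabledProtocolsMode::kAcceptNegativePrefix) {
            const auto mappedNoToken = validNoConfigs.find(token);
            if (mappedNoToken != validNoConfigs.end()) {
                sslGlobalParams.sslDisabledProtocols.push_back(mappedNoToken->second);
                continue;
            }
        }

        return Status(ErrorCodes::BadValue, "Unrecognized disabledProtocols '" + token + "'");
    }
    // … unchanged: return Status::OK(); …
```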
@@ -396,6 +442,14 @@ Status storeSSLClientOptions(const moe::Environment& params) { if (params.count("ssl.FIPSMode")) { sslGlobalParams.sslFIPSMode = true; } + if (params.count("ssl.disabledProtocols")) { + const auto status = + storeDisabledProtocols(params["ssl.disabledProtocols"].as<std::string>()); + if (!status.isOK()) { + return status; + } + } + return Status::OK(); } |
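Review bot: The comment in `storeDisabledProtocols` describes `none` as overriding a "default behavior below of implicitly disabling TLS 1.0", yet this hunk calls `storeDisabledProtocols` only when `ssl.disabledProtocols` is present, has no branch for the absent case, and no other line in the diff disables TLS 1.0 implicitly. If the shell default is meant to be applied here, an else branch pushing `SSLParams::Protocols::TLS1_0` is missing; if it is applied elsewhere, that comment should name the place rather than say "below", since a reader of this function will otherwise assume the default exists when it may not. As a point of style, this hunk spells the accessor `as<std::string>()` while the new server call in `storeSSLServerOptions` uses `as<string>()`; the two call sites should agree. The enclosing `storeSSLClientOptions` starts outside the hunk.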