authorSpencer Jackson <spencer.jackson@mongodb.com>2015-09-16 10:38:41 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2015-09-16 18:04:19 -0400
commitacba4587845dd5a42af93a63addcc05d89d227fc (patch)
treeaa1a3c101a83ab3d886019ef7c3c9e7ea6e331c5
parent402212e48504ff9e5c9695bfc348a967cb5a2aaf (diff)
downloadmongo-acba4587845dd5a42af93a63addcc05d89d227fc.tar.gz
SERVER-20401 Expose net.ssl.disabledProtocols
-rw-r--r--src/mongo/util/net/ssl_options.cpp17
1 files changed, 10 insertions, 7 deletions
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 0759a6da5fd..8533f4260ca 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -58,8 +58,7 @@ namespace mongo {
.hidden();
options->addOptionChaining("net.ssl.disabledProtocols", "sslDisabledProtocols", moe::String,
- "Comma separated list of disabled protocols")
- .hidden();
+ "Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]");
options->addOptionChaining("net.ssl.weakCertificateValidation",
"sslWeakCertificateValidation", moe::Switch, "allow client to connect without "
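Review bot: The new help text on the `net.ssl.disabledProtocols` line lists only `TLS1_0,TLS1_1,TLS1_2`, yet the parsing code later in this file (the `validConfigs` map) still accepts the legacy `noTLS1_0`/`noTLS1_1`/`noTLS1_2` spellings, so now that the option is no longer `.hidden()` operators reading `--help` are not told those forms remain valid. A one-phrase addition keeps the documentation honest: `"Comma separated list of TLS protocols to disable [TLS1_0,TLS1_1,TLS1_2]; legacy noTLS1_x spellings are also accepted"`. Since the option is now public, it would also help to state what happens when all three are listed — presumably the node can then complete no TLS handshake at all — unless that case is rejected at startup somewhere outside this diff.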
@@ -97,11 +96,6 @@ namespace mongo {
.requires("ssl")
.requires("ssl.CAFile");
- options->addOptionChaining("net.ssl.disabledProtocols", "sslDisabledProtocols", moe::String,
- "Comma separated list of disabled protocols")
- .requires("ssl")
- .hidden();
-
options->addOptionChaining("net.ssl.allowInvalidHostnames", "sslAllowInvalidHostnames",
moe::Switch, "allow connections to servers with non-matching hostnames")
.requires("ssl");
@@ -189,13 +183,22 @@ namespace mongo {
}
if (params.count("net.ssl.disabledProtocols")) {
+ // The disabledProtocols field is composed of a comma separated list of protocols to
+ // disable. First, tokenize the field.
std::vector<std::string> tokens = StringSplitter::split(
params["net.ssl.disabledProtocols"].as<string>(), ",");
+ // All accepted tokens, and their corresponding enum representation. The noTLS* tokens
+ // exist for backwards compatibility.
std::map<std::string, SSLGlobalParams::Protocols> validConfigs;
+ validConfigs["TLS1_0"] = SSLGlobalParams::TLS1_0;
validConfigs["noTLS1_0"] = SSLGlobalParams::TLS1_0;
+ validConfigs["TLS1_1"] = SSLGlobalParams::TLS1_1;
validConfigs["noTLS1_1"] = SSLGlobalParams::TLS1_1;
+ validConfigs["TLS1_2"] = SSLGlobalParams::TLS1_2;
validConfigs["noTLS1_2"] = SSLGlobalParams::TLS1_2;
+
+ // Map the tokens to their enum values, and push them onto the list of disabled protocols.
for (std::vector<std::string>::iterator it = tokens.begin(); it != tokens.end(); ++it) {
std::map<std::string, SSLGlobalParams::Protocols>::iterator mappedToken =
validConfigs.find(*it);