author | Sara Golemon <sara.golemon@mongodb.com> | 2018-12-04 19:39:26 +0000 |
---|---|---|
committer | Sara Golemon <sara.golemon@mongodb.com> | 2018-12-08 00:44:30 +0000 |
commit | ccc1c21f445de1e9076011f3e7370d30bec8c552 (patch) | |
tree | 636e5096b38357755e10884fbd963e363c1616b0 | |
parent | bafe0fffc3898aca862171ddf909aff94193a2fe (diff) | |
download | mongo-ccc1c21f445de1e9076011f3e7370d30bec8c552.tar.gz |
SERVER-38281 Defer TLS-1.0 auto disable warning till log startup
(cherry picked from commit dfa007f46708ade8f66ae64bbcb9fd5744f96602)
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index f4b17b79943..29e2b7c510e 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -36,6 +36,7 @@
 #include <boost/filesystem/operations.hpp>
+#include "mongo/base/init.h"
 #include "mongo/base/status.h"
 #include "mongo/config.h"
 #include "mongo/db/server_options.h"
@@ -428,6 +429,10 @@ Status canonicalizeSSLServerOptions(moe::Environment* params) {
 return Status::OK();
 }
+namespace {
+bool gImplicitDisableTLS10 = false;
+} // namespace
+
 Status storeSSLServerOptions(const moe::Environment& params) {
 if (params.count("net.ssl.mode")) {
 std::string sslModeParam = params["net.ssl.mode"].as<string>();
@@ -506,8 +511,7 @@ Status storeSSLServerOptions(const moe::Environment& params) {
 * old version of OpenSSL (pre 1.0.0l)
 * which does not support TLS 1.1 or later.
 */
- log() << "Automatically disabling TLS 1.0, to force-enable TLS 1.0 "
- "specify --sslDisabledProtocols 'none'";
+ gImplicitDisableTLS10 = true;
 sslGlobalParams.sslDisabledProtocols.push_back(SSLParams::Protocols::TLS1_0);
 #endif
 }
@@ -675,4 +679,21 @@ Status storeSSLClientOptions(const moe::Environment& params) {
 return Status::OK();
 }
+namespace {
+// This warning must be deferred until after
+// ServerLogRedirection has started up so that
+// it goes to the right place.
+// ServerLogRedirection won't be present in unittests though,
+// so for 4.0 we'll use "default".
+// In 4.2, we can shim a stub for the two tests which care.
+MONGO_INITIALIZER_WITH_PREREQUISITES(ImplicitDisableTLS10Warning, ("default"))
+(InitializerContext*) {
+ if (gImplicitDisableTLS10) {
+ log() << "Automatically disabling TLS 1.0, to force-enable TLS 1.0 "
+ "specify --sslDisabledProtocols 'none'";
+ }
+ return Status::OK();
+}
+} // namespace
+
 } // namespace mongo |
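Review bot: `gImplicitDisableTLS10` in the second hunk has no comment, and the code that sets and reads it sits in two other hunks, so the declaration alone does not say what it records. I would add `// Set by storeSSLServerOptions() when TLS 1.0 is disabled implicitly; read by the ImplicitDisableTLS10Warning initializer to emit the deferred notice.` above it. The flag is a plain `bool`, which looks fine only if both accesses happen during single-threaded startup; that is not visible in this diff.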
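Review bot: The deferred notice in the last hunk is printed only if `storeSSLServerOptions` has already set `gImplicitDisableTLS10` by the time `ImplicitDisableTLS10Warning` runs, and the comment explains the log-redirection ordering but not this one. The only declared prerequisite is `"default"`; whether option storage is guaranteed to finish before that group is not visible here, and if it is not, the message is lost silently and operators get no record that a protocol was disabled on their behalf. I would extend the comment with `// Also relies on storeSSLServerOptions() having run before this initializer; otherwise the flag is still false.` The commit title calls this a warning, yet it still goes through `log()`; if the backport may change severity, `warning()` would make it easier to alert on.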