authorSpencer Jackson <spencer.jackson@mongodb.com>2015-04-13 17:36:00 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2015-04-17 17:30:34 -0400
commit6e9d0671458f6b4b1d12bb5285c05a18d4e80464 (patch)
treeea412b06e4327af24e0e395cedb532b39b721a9b /src/mongo/util/net
parentdb11c954517008c033c39e18dddbcfcd91f4263f (diff)
SERVER-17591: Allow TLS protocols to be disabled
Diffstat (limited to 'src/mongo/util/net')
-rw-r--r--src/mongo/util/net/ssl_manager.cpp28
-rw-r--r--src/mongo/util/net/ssl_options.cpp31
-rw-r--r--src/mongo/util/net/ssl_options.h11
3 files changed, 68 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 4a64d85972c..3e4bbe62142 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -70,6 +70,18 @@ namespace mongo {
return "";
}
#else
+
+// Old copies of OpenSSL will not have constants to disable protocols they don't support.
+// Define them to values we can OR together safely to generically disable these protocols across
+// all versions of OpenSSL.
+#ifndef SSL_OP_NO_TLSv1_1
+#define SSL_OP_NO_TLSv1_1 0
+#endif
+#ifndef SSL_OP_NO_TLSv1_2
+#define SSL_OP_NO_TLSv1_2 0
+#endif
+
+
const std::string getSSLVersion(const std::string &prefix, const std::string &suffix) {
return prefix + SSLeay_version(SSLEAY_VERSION) + suffix;
}
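Review bot: The zero-valued fallback macros turn a `noTLS1_1` or `noTLS1_2` entry in --sslDisabledProtocols into a silent no-op on OpenSSL builds that lack those constants, and the comment above them should say so rather than only explaining the OR-safety. Presumably such a build cannot negotiate the missing version anyway, so the outcome matches a real disable, but that is the reasoning a reader auditing the option needs spelled out. Suggest appending `// On such builds a request to disable that protocol is accepted but has no effect; the build cannot negotiate it in the first place.` to the existing comment.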
@@ -540,7 +552,21 @@ namespace mongo {
// SSL_OP_ALL - Activate all bug workaround options, to support buggy client SSL's.
// SSL_OP_NO_SSLv2 - Disable SSL v2 support
// SSL_OP_NO_SSLv3 - Disable SSL v3 support
- SSL_CTX_set_options(*context, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
+ long supportedProtocols = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
+
+ // Set the supported TLS protocols. Allow --sslDisabledProtocols to disable selected ciphers.
+ if (!params.sslDisabledProtocols.empty()) {
+ for (const SSLParams::Protocols& protocol : params.sslDisabledProtocols) {
+ if (protocol == SSLParams::Protocols::TLS1_0) {
+ supportedProtocols |= SSL_OP_NO_TLSv1;
+ } else if (protocol == SSLParams::Protocols::TLS1_1) {
+ supportedProtocols |= SSL_OP_NO_TLSv1_1;
+ } else if (protocol == SSLParams::Protocols::TLS1_2) {
+ supportedProtocols |= SSL_OP_NO_TLSv1_2;
+ }
+ }
+ }
+ SSL_CTX_set_options(*context, supportedProtocols);
// HIGH - Enable strong ciphers
// !EXPORT - Disable export ciphers (40/56 bit)
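Review bot: The comment introducing the new block says the option disables selected ciphers, but the loop only sets `SSL_OP_NO_TLSv1*` protocol bits, and the local `supportedProtocols` is misleading because its protocol bits mark versions that are disabled, not supported. Suggest `// Disable the TLS versions named in --sslDisabledProtocols; cipher selection is handled by sslCipherConfig below.` and renaming the local to `sslOptions`. The `if (!params.sslDisabledProtocols.empty())` guard is redundant with the range-for and can be dropped. Nothing here rejects a configuration that names all three versions, which would leave the context with no negotiable TLS version; that is better caught where the option is parsed in ssl_options.cpp. The enclosing function starts and ends outside this hunk.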
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 8369a1948b6..a8cf9646bef 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -36,6 +36,7 @@
#include "mongo/base/status.h"
#include "mongo/db/server_options.h"
#include "mongo/util/log.h"
+#include "mongo/util/text.h"
#include "mongo/util/options_parser/startup_options.h"
namespace mongo {
@@ -75,6 +76,10 @@ namespace mongo {
"OpenSSL cipher configuration string")
.hidden();
+ options->addOptionChaining("net.ssl.disabledProtocols", "sslDisabledProtocols", moe::String,
+ "Comma separated list of disabled protocols")
+ .hidden();
+
options->addOptionChaining("net.ssl.weakCertificateValidation",
"sslWeakCertificateValidation", moe::Switch, "allow client to connect without "
"presenting a certificate");
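Review bot: The help text `"Comma separated list of disabled protocols"` does not name the tokens the parser accepts, so an operator cannot discover them without reading ssl_options.cpp; the same text is repeated in the mongos registration in the next hunk. Suggest `"Comma separated list of TLS protocols to disable (noTLS1_0, noTLS1_1, noTLS1_2)"` in both places.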
@@ -116,6 +121,11 @@ namespace mongo {
.requires("ssl")
.requires("ssl.CAFile");
+ options->addOptionChaining("net.ssl.disabledProtocols", "sslDisabledProtocols", moe::String,
+ "Comma separated list of disabled protocols")
+ .requires("ssl")
+ .hidden();
+
options->addOptionChaining("net.ssl.allowInvalidHostnames", "sslAllowInvalidHostnames",
moe::Switch, "allow connections to servers with non-matching hostnames")
.requires("ssl");
@@ -237,6 +247,26 @@ namespace mongo {
sslGlobalParams.sslCipherConfig = params["net.ssl.sslCipherConfig"].as<string>();
}
+ if (params.count("net.ssl.disabledProtocols")) {
+ std::vector<std::string> tokens = StringSplitter::split(
+ params["net.ssl.disabledProtocols"].as<string>(), ",");
+
+ const std::map<std::string, SSLParams::Protocols> validConfigs {
+ {"noTLS1_0", SSLParams::Protocols::TLS1_0},
+ {"noTLS1_1", SSLParams::Protocols::TLS1_1},
+ {"noTLS1_2", SSLParams::Protocols::TLS1_2}
+ };
+ for (const std::string& token : tokens) {
+ auto mappedToken = validConfigs.find(token);
+ if (mappedToken != validConfigs.end()) {
+ sslGlobalParams.sslDisabledProtocols.push_back(mappedToken->second);
+ } else {
+ return Status(ErrorCodes::BadValue,
+ "Unrecognized disabledProtocols '" + token +"'");
+ }
+ }
+ }
+
if (params.count("net.ssl.weakCertificateValidation")) {
sslGlobalParams.sslWeakCertificateValidation =
params["net.ssl.weakCertificateValidation"].as<bool>();
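Review bot: The parser accepts a value naming all three protocols (`noTLS1_0,noTLS1_1,noTLS1_2`), which leaves the SSL context with no TLS version it can negotiate; it should be rejected here with a BadValue status the same way an unknown token is. Repeated tokens are pushed into `sslDisabledProtocols` more than once, which is harmless for the OR in ssl_manager.cpp but means a simple size comparison cannot detect the all-disabled case, so collecting the mapped values into a set first makes the check reliable. `std::map` and `std::vector` are used here while this hunk adds only `mongo/util/text.h`; if `<map>` (and `<set>` for the rewrite below) is not reached through an existing include, add it. The enclosing function starts and ends outside this hunk.
```cpp
        // … unchanged: StringSplitter::split and validConfigs …
        std::set<SSLParams::Protocols> disabled;
        for (const std::string& token : tokens) {
            auto mappedToken = validConfigs.find(token);
            if (mappedToken == validConfigs.end()) {
                return Status(ErrorCodes::BadValue,
                              "Unrecognized disabledProtocols '" + token + "'");
            }
            disabled.insert(mappedToken->second);
        }
        // Refuse a configuration that leaves no TLS version enabled.
        if (disabled.size() == validConfigs.size()) {
            return Status(ErrorCodes::BadValue,
                          "disabledProtocols cannot disable every supported TLS version");
        }
        sslGlobalParams.sslDisabledProtocols.assign(disabled.begin(), disabled.end());
```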
@@ -290,6 +320,7 @@ namespace mongo {
sslGlobalParams.sslCAFile.size() ||
sslGlobalParams.sslCRLFile.size() ||
sslGlobalParams.sslCipherConfig.size() ||
+ sslGlobalParams.sslDisabledProtocols.size() ||
sslGlobalParams.sslWeakCertificateValidation ||
sslGlobalParams.sslFIPSMode) {
return Status(ErrorCodes::BadValue,
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index d2f2a79bc9a..d348e004b4e 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -27,9 +27,12 @@
#pragma once
-#include "mongo/base/status.h"
#include "mongo/util/net/ssl_manager.h"
+#include <vector>
+
+#include "mongo/base/status.h"
+
namespace mongo {
namespace optionenvironment {
@@ -40,6 +43,11 @@ namespace mongo {
namespace moe = mongo::optionenvironment;
struct SSLParams {
+ enum class Protocols {
+ TLS1_0,
+ TLS1_1,
+ TLS1_2
+ };
AtomicInt32 sslMode; // --sslMode - the SSL operation mode, see enum SSLModes
bool sslOnNormalPorts; // --sslOnNormalPorts (deprecated)
std::string sslPEMKeyFile; // --sslPEMKeyFile
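Review bot: `Protocols` carries no comment saying what the enumerators stand for or where their string form is accepted, unlike the per-field comments on the members below it. Suggest `// TLS versions that --sslDisabledProtocols can turn off; ssl_options.cpp maps the noTLS1_x tokens onto these values.` above the enum. The enclosing `SSLParams` struct continues past the end of this hunk.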
@@ -49,6 +57,7 @@ namespace mongo {
std::string sslCAFile; // --sslCAFile
std::string sslCRLFile; // --sslCRLFile
std::string sslCipherConfig; // --sslCipherConfig
+ std::vector<Protocols> sslDisabledProtocols; // --sslDisabledProtocols
bool sslWeakCertificateValidation; // --sslWeakCertificateValidation
bool sslFIPSMode; // --sslFIPSMode
bool sslAllowInvalidCertificates; // --sslAllowInvalidCertificates