authorSpencer Jackson <spencer.jackson@mongodb.com>2018-10-03 23:17:42 -0400
committerSpencer Jackson <spencer.jackson@mongodb.com>2018-10-10 13:22:48 -0400
commit670963110d9d226824842d22540a79154fce59a1 (patch)
tree40c598749bec046d5a39d38e0ded2dd56e03fa74 /src/mongo/util
parent7997dbf403430b757ff485ffa8a3aa4d56cb16a7 (diff)
SERVER-37135: Track and report TLS 1.3
Diffstat (limited to 'src/mongo/util')
-rw-r--r--src/mongo/util/net/ssl_manager.cpp13
-rw-r--r--src/mongo/util/net/ssl_manager.h3
-rw-r--r--src/mongo/util/net/ssl_manager_apple.cpp3
-rw-r--r--src/mongo/util/net/ssl_manager_openssl.cpp5
-rw-r--r--src/mongo/util/net/ssl_options.cpp2
-rw-r--r--src/mongo/util/net/ssl_options.h2
-rw-r--r--src/mongo/util/net/ssl_options_server.cpp1
7 files changed, 27 insertions, 2 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp
index 6a4a39c8d2a..da14e6eeac2 100644
--- a/src/mongo/util/net/ssl_manager.cpp
+++ b/src/mongo/util/net/ssl_manager.cpp
@@ -761,6 +761,8 @@ public:
builder.append("1.0", counts.tls10.load());
builder.append("1.1", counts.tls11.load());
builder.append("1.2", counts.tls12.load());
+ builder.append("1.3", counts.tls13.load());
+ builder.append("unknown", counts.tlsUnknown.load());
return builder.obj();
}
} tlsVersionStatus;
@@ -793,9 +795,18 @@ void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging) {
versionString = "1.2"_sd;
}
break;
+ case TLSVersion::kTLS13:
+ counts.tls13.addAndFetch(1);
+ if (std::find(sslGlobalParams.tlsLogVersions.cbegin(),
+ sslGlobalParams.tlsLogVersions.cend(),
+ SSLParams::Protocols::TLS1_3) != sslGlobalParams.tlsLogVersions.cend()) {
+ versionString = "1.3"_sd;
+ }
+ break;
default:
+ counts.tlsUnknown.addAndFetch(1);
if (!sslGlobalParams.tlsLogVersions.empty()) {
- versionString = "unkown"_sd;
+ versionString = "unknown"_sd;
}
break;
}
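Review bot: The new kTLS13 case is the fourth copy of the same `std::find(sslGlobalParams.tlsLogVersions.cbegin(), ..., cend()) != cend()` membership test, one per protocol; a small predicate would make each case a single line and keep the four lookups from drifting apart. The fix of the `"unkown"` log string to `"unknown"` is correct but does change the emitted log text, so anything matching on the old spelling will stop matching. recordTLSVersion starts before this hunk and continues after it, so the helper below would go ahead of the function.

```cpp
// True when `protocol` is listed in --tlsLogVersions.
static bool shouldLogTLSVersion(SSLParams::Protocols protocol) {
    const auto& logVersions = sslGlobalParams.tlsLogVersions;
    return std::find(logVersions.cbegin(), logVersions.cend(), protocol) != logVersions.cend();
}

// … unchanged: recordTLSVersion up to the kTLS13 case …
        case TLSVersion::kTLS13:
            counts.tls13.addAndFetch(1);
            if (shouldLogTLSVersion(SSLParams::Protocols::TLS1_3)) {
                versionString = "1.3"_sd;
            }
            break;
```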
diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h
index cee1abeb515..d3138e5f133 100644
--- a/src/mongo/util/net/ssl_manager.h
+++ b/src/mongo/util/net/ssl_manager.h
@@ -120,9 +120,11 @@ const ASN1OID mongodbRolesOID("1.3.6.1.4.1.34601.2.1.1",
* Counts of negogtiated version used by TLS connections.
*/
struct TLSVersionCounts {
+ AtomicInt64 tlsUnknown;
AtomicInt64 tls10;
AtomicInt64 tls11;
AtomicInt64 tls12;
+ AtomicInt64 tls13;
static TLSVersionCounts& get(ServiceContext* serviceContext);
};
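Review bot: The two new counters are undocumented, and `tlsUnknown` in particular is not self-explanatory since it is the only one not tied to a protocol version; in ssl_manager.cpp it is bumped from the `default:` branch of the version switch, so I would add `// Connections whose negotiated version is none of the enumerated TLSVersion values.` next to `AtomicInt64 tlsUnknown;` and `// Negotiated TLS 1.3.` next to `tls13`. The struct's header comment on the context line above also misspells "negotiated" as "negogtiated" and could be fixed in the same touch.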
@@ -243,6 +245,7 @@ enum class TLSVersion {
kTLS10,
kTLS11,
kTLS12,
+ kTLS13,
};
/**
diff --git a/src/mongo/util/net/ssl_manager_apple.cpp b/src/mongo/util/net/ssl_manager_apple.cpp
index 17368de7260..0e9b40bf88b 100644
--- a/src/mongo/util/net/ssl_manager_apple.cpp
+++ b/src/mongo/util/net/ssl_manager_apple.cpp
@@ -1198,6 +1198,9 @@ StatusWith<std::pair<::SSLProtocol, ::SSLProtocol>> parseProtocolRange(const SSL
tls11 = false;
} else if (protocol == SSLParams::Protocols::TLS1_2) {
tls12 = false;
+ } else if (protocol == SSLParams::Protocols::TLS1_3) {
+ // By ignoring this value, we are disabling support until we have access to the
+ // modern library.
} else {
return {ErrorCodes::InvalidSSLConfiguration, "Unknown disabled TLS protocol version"};
}
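Review bot: The new TLS1_3 branch accepts a request to disable TLS 1.3 and then does nothing, which means an operator who sets the option on this backend gets no signal that it is not enforced; today that is harmless because, per the comment, the library cannot negotiate 1.3, but once it can the silent no-op becomes a real gap. I would emit a one-line warning here, e.g. `warning() << "Disabling TLS 1.3 is not supported by this TLS backend; the setting is ignored.";` (assuming this file uses the same log streams as the rest of src/mongo/util), and reword the comment to say explicitly that the protocol is not disabled. parseProtocolRange starts and ends outside this hunk.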
diff --git a/src/mongo/util/net/ssl_manager_openssl.cpp b/src/mongo/util/net/ssl_manager_openssl.cpp
index 42300343f47..7fb5a59b118 100644
--- a/src/mongo/util/net/ssl_manager_openssl.cpp
+++ b/src/mongo/util/net/ssl_manager_openssl.cpp
@@ -149,6 +149,9 @@ UniqueBIO makeUniqueMemBio(std::vector<std::uint8_t>& v) {
#ifndef SSL_OP_NO_TLSv1_2
#define SSL_OP_NO_TLSv1_2 0
#endif
+#ifndef SSL_OP_NO_TLSv1_3
+#define SSL_OP_NO_TLSv1_3 0
+#endif
// clang-format off
#ifndef MONGO_CONFIG_HAVE_ASN1_ANY_DEFINITIONS
@@ -720,6 +723,8 @@ Status SSLManagerOpenSSL::initSSLContext(SSL_CTX* context,
supportedProtocols |= SSL_OP_NO_TLSv1_1;
} else if (protocol == SSLParams::Protocols::TLS1_2) {
supportedProtocols |= SSL_OP_NO_TLSv1_2;
+ } else if (protocol == SSLParams::Protocols::TLS1_3) {
+ supportedProtocols |= SSL_OP_NO_TLSv1_3;
}
}
::SSL_CTX_set_options(context, supportedProtocols);
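Review bot: The new `supportedProtocols |= SSL_OP_NO_TLSv1_3` branch is the only TLS 1.3 change in this file, and with the earlier hunk's `#define SSL_OP_NO_TLSv1_3 0` fallback it silently degrades to a no-op on an OpenSSL without TLS 1.3 support; that is acceptable since such a build cannot negotiate 1.3, but a comment on the fallback (`// Older OpenSSL cannot negotiate TLS 1.3, so "disable" is a no-op there.`) would save the next reader the inference. Separately, the `tls13` counter added in ssl_manager.h only increments if the negotiated-version mapping that feeds recordTLSVersion returns kTLS13; the diffstat shows all five insertions for this file in the two hunks here, so that mapping is either already present or lives outside src/mongo/util and is worth confirming. initSSLContext starts and ends outside this hunk.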
diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp
index 22c2744bf79..31752ce6dfe 100644
--- a/src/mongo/util/net/ssl_options.cpp
+++ b/src/mongo/util/net/ssl_options.cpp
@@ -88,6 +88,7 @@ Status storeSSLDisabledProtocols(const std::string& disabledProtocols,
{"TLS1_0", SSLParams::Protocols::TLS1_0},
{"TLS1_1", SSLParams::Protocols::TLS1_1},
{"TLS1_2", SSLParams::Protocols::TLS1_2},
+ {"TLS1_3", SSLParams::Protocols::TLS1_3},
};
// These noTLS* tokens exist for backwards compatibility.
@@ -95,6 +96,7 @@ Status storeSSLDisabledProtocols(const std::string& disabledProtocols,
{"noTLS1_0", SSLParams::Protocols::TLS1_0},
{"noTLS1_1", SSLParams::Protocols::TLS1_1},
{"noTLS1_2", SSLParams::Protocols::TLS1_2},
+ {"noTLS1_3", SSLParams::Protocols::TLS1_3},
};
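Review bot: The `"noTLS1_3"` entry is added under a comment stating that the noTLS* tokens exist for backwards compatibility, but there is no earlier release that accepted noTLS1_3, so the new token extends the legacy spelling rather than preserving it. If it is kept for symmetry with the other entries, the comment on the context line above should say so, e.g. `// These noTLS* tokens exist for backwards compatibility; noTLS1_3 is accepted only for symmetry.`; otherwise dropping the entry keeps the legacy list closed.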
// Map the tokens to their enum values, and push them onto the list of disabled protocols.
diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h
index 64a34654d1a..a9261286fac 100644
--- a/src/mongo/util/net/ssl_options.h
+++ b/src/mongo/util/net/ssl_options.h
@@ -46,7 +46,7 @@ class Environment;
} // namespace optionenvironment
struct SSLParams {
- enum class Protocols { TLS1_0, TLS1_1, TLS1_2 };
+ enum class Protocols { TLS1_0, TLS1_1, TLS1_2, TLS1_3 };
AtomicInt32 sslMode; // --tlsMode - the TLS operation mode, see enum SSLModes
std::string sslPEMTempDHParam; // --setParameter OpenSSLDiffieHellmanParameters=file : PEM file
// with DH parameters.
diff --git a/src/mongo/util/net/ssl_options_server.cpp b/src/mongo/util/net/ssl_options_server.cpp
index 2cc64b4926e..e1308b217a9 100644
--- a/src/mongo/util/net/ssl_options_server.cpp
+++ b/src/mongo/util/net/ssl_options_server.cpp
@@ -226,6 +226,7 @@ Status storeTLSLogVersion(const std::string& loggedProtocols) {
{"TLS1_0", SSLParams::Protocols::TLS1_0},
{"TLS1_1", SSLParams::Protocols::TLS1_1},
{"TLS1_2", SSLParams::Protocols::TLS1_2},
+ {"TLS1_3", SSLParams::Protocols::TLS1_3},
};
// Map the tokens to their enum values, and push them onto the list of logged protocols.