diff options
author | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-03 23:17:42 -0400 |
---|---|---|
committer | Spencer Jackson <spencer.jackson@mongodb.com> | 2018-10-31 11:10:15 -0400 |
commit | 8c1de7e08de30a38f3d878118248735e6e2ea72a (patch) | |
tree | 8280b05cb4eec4f59ca01f9936476235409d9eae /src | |
parent | 573f92bd3567a70f2b6bdc8295a9d230dec1cf04 (diff) | |
download | mongo-8c1de7e08de30a38f3d878118248735e6e2ea72a.tar.gz |
SERVER-37135: Track and report TLS 1.3
(cherry picked from commit cbb76539c47068f8836ed05283763e687cf126a7)
Diffstat (limited to 'src')
-rw-r--r-- | src/mongo/util/net/ssl_manager.cpp | 16 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager.h | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_manager_status.cpp | 2 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.cpp | 3 | ||||
-rw-r--r-- | src/mongo/util/net/ssl_options.h | 4 |
5 files changed, 25 insertions, 3 deletions
diff --git a/src/mongo/util/net/ssl_manager.cpp b/src/mongo/util/net/ssl_manager.cpp index 2a4c5a32f44..35353a81228 100644 --- a/src/mongo/util/net/ssl_manager.cpp +++ b/src/mongo/util/net/ssl_manager.cpp @@ -229,6 +229,9 @@ UniqueBIO makeUniqueMemBio(std::vector<std::uint8_t>& v) { #ifndef SSL_OP_NO_TLSv1_2 #define SSL_OP_NO_TLSv1_2 0 #endif +#ifndef SSL_OP_NO_TLSv1_3 +#define SSL_OP_NO_TLSv1_3 0 +#endif // clang-format off #ifndef MONGO_CONFIG_HAVE_ASN1_ANY_DEFINITIONS @@ -944,6 +947,8 @@ Status SSLManager::initSSLContext(SSL_CTX* context, supportedProtocols |= SSL_OP_NO_TLSv1_1; } else if (protocol == SSLParams::Protocols::TLS1_2) { supportedProtocols |= SSL_OP_NO_TLSv1_2; + } else if (protocol == SSLParams::Protocols::TLS1_3) { + supportedProtocols |= SSL_OP_NO_TLSv1_3; } } ::SSL_CTX_set_options(context, supportedProtocols); @@ -1680,9 +1685,18 @@ void recordTLSVersion(TLSVersion version, const HostAndPort& hostForLogging) { versionString = "1.2"_sd; } break; + case TLSVersion::kTLS13: + counts.tls13.addAndFetch(1); + if (std::find(sslGlobalParams.tlsLogVersions.cbegin(), + sslGlobalParams.tlsLogVersions.cend(), + SSLParams::Protocols::TLS1_3) != sslGlobalParams.tlsLogVersions.cend()) { + versionString = "1.3"_sd; + } + break; default: + counts.tlsUnknown.addAndFetch(1); if (!sslGlobalParams.tlsLogVersions.empty()) { - versionString = "unkown"_sd; + versionString = "unknown"_sd; } break; } diff --git a/src/mongo/util/net/ssl_manager.h b/src/mongo/util/net/ssl_manager.h index 68827d322de..b0039826240 100644 --- a/src/mongo/util/net/ssl_manager.h +++ b/src/mongo/util/net/ssl_manager.h @@ -108,9 +108,11 @@ const ASN1OID mongodbRolesOID("1.3.6.1.4.1.34601.2.1.1", * Counts of negogtiated version used by TLS connections. */ struct TLSVersionCounts { + AtomicInt64 tlsUnknown; AtomicInt64 tls10; AtomicInt64 tls11; AtomicInt64 tls12; + AtomicInt64 tls13; static TLSVersionCounts& get(); }; @@ -232,6 +234,7 @@ enum class TLSVersion { kTLS10, kTLS11, kTLS12, + kTLS13, }; /** diff --git a/src/mongo/util/net/ssl_manager_status.cpp b/src/mongo/util/net/ssl_manager_status.cpp index e6be8d30c6a..b516290efdc 100644 --- a/src/mongo/util/net/ssl_manager_status.cpp +++ b/src/mongo/util/net/ssl_manager_status.cpp @@ -62,6 +62,8 @@ public: builder.append("1.0", counts.tls10.load()); builder.append("1.1", counts.tls11.load()); builder.append("1.2", counts.tls12.load()); + builder.append("1.3", counts.tls13.load()); + builder.append("unknown", counts.tlsUnknown.load()); return builder.obj(); } } tlsVersionStatus; diff --git a/src/mongo/util/net/ssl_options.cpp b/src/mongo/util/net/ssl_options.cpp index 147bf971998..39d52dbbf30 100644 --- a/src/mongo/util/net/ssl_options.cpp +++ b/src/mongo/util/net/ssl_options.cpp @@ -153,6 +153,7 @@ Status storeTLSLogVersion(const std::string& loggedProtocols) { {"TLS1_0", SSLParams::Protocols::TLS1_0}, {"TLS1_1", SSLParams::Protocols::TLS1_1}, {"TLS1_2", SSLParams::Protocols::TLS1_2}, + {"TLS1_3", SSLParams::Protocols::TLS1_3}, }; // Map the tokens to their enum values, and push them onto the list of logged protocols. @@ -300,6 +301,7 @@ Status storeDisabledProtocols(const std::string& disabledProtocols, {"TLS1_0", SSLParams::Protocols::TLS1_0}, {"TLS1_1", SSLParams::Protocols::TLS1_1}, {"TLS1_2", SSLParams::Protocols::TLS1_2}, + {"TLS1_3", SSLParams::Protocols::TLS1_3}, }; // These noTLS* tokens exist for backwards compatibility. @@ -307,6 +309,7 @@ Status storeDisabledProtocols(const std::string& disabledProtocols, {"noTLS1_0", SSLParams::Protocols::TLS1_0}, {"noTLS1_1", SSLParams::Protocols::TLS1_1}, {"noTLS1_2", SSLParams::Protocols::TLS1_2}, + {"noTLS1_3", SSLParams::Protocols::TLS1_3}, }; // Map the tokens to their enum values, and push them onto the list of disabled protocols. diff --git a/src/mongo/util/net/ssl_options.h b/src/mongo/util/net/ssl_options.h index b6816bf27ed..5684e37636e 100644 --- a/src/mongo/util/net/ssl_options.h +++ b/src/mongo/util/net/ssl_options.h @@ -44,8 +44,8 @@ class Environment; } // namespace optionenvironment struct SSLParams { - enum class Protocols { TLS1_0, TLS1_1, TLS1_2 }; - AtomicInt32 sslMode; // --sslMode - the SSL operation mode, see enum SSLModes + enum class Protocols { TLS1_0, TLS1_1, TLS1_2, TLS1_3 }; + AtomicInt32 sslMode; // --sslMode - the TLS operation mode, see enum SSLModes std::string sslPEMTempDHParam; // --setParameter OpenSSLDiffieHellmanParameters=file : PEM file // with DH parameters. std::string sslPEMKeyFile; // --sslPEMKeyFile |