Information
Only modern TLS protocols should be enabled in MongoDB for all client connections and upstream connections. Removing legacy TLS and SSL protocols (SSL 3.0, TLS 1.0 and 1.1), and enabling emerging and stable TLS protocols (TLS 1.2, and TLS 1.3), ensures users are able to take advantage of strong security capabilities and protects them from insecure legacy protocols.
Rationale:
Why disable TLS 1.0: TLS 1.0 was deprecated from use when PCI DSS Compliance mandated that it not be used for any applications processing credit card numbers in June 2018.
Why disable TLS 1.1: Because of the increased security associated with higher versions of TLS, TLS 1.0 should be disabled.
Solution
Make changes to configuration file, to configure your mongod or mongos instance to disable legacy protocols, shut down the instance and update the configuration file with the following setting:
net:
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/caToValidateClientCertificates.pem
disabledProtocols: TLS1_0,TLS1_1
Start mongod or mongos instance with the configuration file.
mongod --config /etc/mongod.conf
Default Value:
TLS1_0, TLS1_1, TLS1_2
Note: Starting in version 4.0.4 (and 3.6.9)TLS1_3 is added to the default value.
Item Details
Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|18.11
Control ID: 2a08dee4e6276e40a6069abadde68d98ca7837256aaf7da9f194610db2e9ddcd