4.1 Ensure legacy TLS protocols are disabled

Information

Only modern TLS protocols should be enabled in MongoDB for all client connections and upstream connections. Removing legacy TLS and SSL protocols (SSL 3.0, TLS 1.0 and 1.1), and enabling emerging and stable TLS protocols (TLS 1.2, and TLS 1.3), ensures users are able to take advantage of strong security capabilities and protects them from insecure legacy protocols.

Rationale:

Why disable TLS 1.0: TLS 1.0 was deprecated from use when PCI DSS Compliance mandated that it not be used for any applications processing credit card numbers in June 2018.

Why disable TLS 1.1: Because of the increased security associated with higher versions of TLS, TLS 1.0 should be disabled.

Solution

Make changes to configuration file, to configure your mongod or mongos instance to disable legacy protocols, shut down the instance and update the configuration file with the following setting:

net:
tls:
mode: requireTLS
certificateKeyFile: /etc/ssl/mongodb.pem
CAFile: /etc/ssl/caToValidateClientCertificates.pem
disabledProtocols: TLS1_0,TLS1_1

Start mongod or mongos instance with the configuration file.

mongod --config /etc/mongod.conf

Default Value:

TLS1_0, TLS1_1, TLS1_2

Note: Starting in version 4.0.4 (and 3.6.9)TLS1_3 is added to the default value.

See Also

https://workbench.cisecurity.org/benchmarks/15135

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|18.11

Plugin: Windows

Control ID: 26643c554470f140581b05046d7b9162f156fad5f135f02bf13a264efeb60df9