
Investigate changes in SERVER-72839: Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided

    • Type: Investigation
    • Resolution: Done
    • Priority: Minor - P4
    • No version
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Not Needed

      Original Downstream Change Summary

      Connections that previously worked only because certificate checking did not occur (where the check should have failed but did not) may no longer work.

      Description of Linked Ticket

      The documentation says that:

      If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

      However, when a server is configured with neither CAFile nor clusterCAFile, it skips peer certificate validation on both ingress and egress TLS connections. The expectation is that on egress connections the node (acting as a client) should at least verify the peer (server) certificate against the system CA certificate store.

      Note, this only applies to server processes (mongod and mongos), the shell is not affected.
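      To make the expected egress behaviour concrete, here is an added Python example (not code from the ticket, Compass or the MongoDB server) that builds a TLS client context the way the description says a node should: explicit CAFile/clusterCAFile when configured, the system CA store otherwise, and never a silent skip. `legacy_skipping_context()` mirrors the pre-fix behaviour described above for comparison; the function names, `probe()` and the default port are assumptions.

```python
"""Egress TLS policy as described in the linked ticket: no CA file configured
must mean 'use the system trust store', not 'skip peer validation'."""
import socket
import ssl
from typing import Optional


def build_egress_context(ca_file: Optional[str] = None,
                         cluster_ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Context a node should use when it connects out to another TLS server.

    An explicitly configured trust file is exclusive (clusterCAFile first,
    then CAFile). With neither, create_default_context() loads the system-wide
    CA store, which is the documented fallback. Verification stays mandatory.
    """
    trust = cluster_ca_file or ca_file
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=trust)
    ctx.verify_mode = ssl.CERT_REQUIRED   # already the default; stated for clarity
    ctx.check_hostname = True
    return ctx


def legacy_skipping_context() -> ssl.SSLContext:
    """What the pre-fix server effectively did with no CA file: no validation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validates_peer(ctx: ssl.SSLContext) -> bool:
    """Configuration check: does this context actually authenticate the peer?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def probe(host: str, port: int = 27017, timeout: float = 5.0) -> dict:
    """Connect with the system-store fallback and report whether the peer
    certificate validated. Needs network access; not used by the tests."""
    ctx = build_egress_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                subject = dict(item[0] for item in cert.get("subject", ()))
                return {"validated": True, "subject": subject}
    except ssl.SSLCertVerificationError as exc:
        return {"validated": False, "error": exc.verify_message}
```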

    • Assignee: Unassigned
    • backlog-server-pm (Backlog - Core Eng Program Management Team)