This change tightens the enforcement of MONGODB-X509 authentication by requiring that the SSL certificate be verifiable regardless of the state of the --sslAllowInvalidCertificates setting. This has a not-insignificant chance of breaking existing users who are "doing X509 wrong".
Please consult the linked SECURITY ticket and parties involved when writing any documentation related to this change.
Scope of changes:
- Settings/options (for all the binaries)
- sslAllowInvalidCertificates (reference/configuration-options)
- Parameters page has authenticationMechanisms and clusterAuthMode params – but for now, I think the blurb should be associated with the allow invalid certificates rather than stating in these params because that would be more or less stating that people should use valid certificates
- x509 tutorials. For now, will only update x509-specific tutorials and skip the general ssl tutorials.
Impact to other docs outside of this product:
BI Connector: https://docs.mongodb.com/bi-connector/current/reference/mongodrdl/index.html
SERVER-34888 Track status of SSLPeerInfo
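To find deployments exposed to the breakage described at the top of this ticket, an operator can look for processes started with --sslAllowInvalidCertificates that also rely on x.509. The following is an added example, not code from this ticket or from MongoDB: the function name and sample command lines are constructed, it inspects explicit command-line options only, and treating every clusterAuthMode other than keyFile as x.509-relevant is an assumption.

```python
import shlex

# Assumption: these clusterAuthMode values mean members present or accept x.509 certs.
X509_CLUSTER_MODES = {"sendKeyFile", "sendX509", "x509"}


def x509_findings(cmdline):
    """Return the reasons a mongod/mongos command line is exposed to the change.

    Only explicit command-line options are inspected; config files and
    server defaults are out of scope for this sketch.
    """
    tokens = shlex.split(cmdline)
    allow_invalid = False
    mechanisms, cluster_mode = set(), None
    for i, tok in enumerate(tokens):
        name, eq, val = tok.partition("=")
        if not eq:  # "--opt value" form: the value is the next token, if any
            val = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "--sslAllowInvalidCertificates":
            allow_invalid = True
        elif name == "--clusterAuthMode":
            cluster_mode = val
        elif name == "--setParameter":
            key, _, value = val.partition("=")
            if key == "authenticationMechanisms":
                mechanisms.update(m.strip() for m in value.split(","))
    if not allow_invalid:
        return []  # certificates were already being validated
    findings = []
    if "MONGODB-X509" in mechanisms:
        findings.append("authenticationMechanisms includes MONGODB-X509")
    if cluster_mode in X509_CLUSTER_MODES:
        findings.append("clusterAuthMode is " + cluster_mode)
    return findings


# Constructed sample command lines, not taken from any real deployment.
SAMPLES = [
    "mongod --sslMode requireSSL --sslAllowInvalidCertificates "
    "--setParameter authenticationMechanisms=MONGODB-X509,SCRAM-SHA-1",
    "mongod --sslMode requireSSL --sslAllowInvalidCertificates --clusterAuthMode x509",
    "mongod --sslMode requireSSL --clusterAuthMode x509",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(x509_findings(cmd) or "not flagged", "<-", cmd)
```

A flagged process is only a candidate: it breaks if the certificates presented to it cannot actually be verified.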