Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-12022

Docs for SERVER-35418: Allow specifying CAs for incoming and outgoing connections separately



    • Task
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 4.0.3, 4.1.3, 3.6.9, 3.4.18
    • manual, Server
    • None




      See PM-1188 for details.

      This change adds a new (server only) configuration setting:
      On CLI: --tlsClusterCAFile (aliased as --sslClusterCAFile )
      In a YAML Config: net.tls.clusterCAFile (aliased as net.ssl.clusterCAFile )

      When provided, the certificate pointed to by this setting will be used to validate INBOUND connections to a MongoDB instance. Remotes during outbound connections will continue to be validated using --tlsCAFile . If the setting is not present, then both inbound and outbound connections will be validated using --tlsCAfile (as they currently are).

      Engineering Ticket Description:

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

      Scope of changes

      For 4.2 and later:

      • Add --tlsClusterCAFile as a command line option and {{net.tls.clusterCAFile }} as a configuration file option
      • Mark --sslClusterCAFile as a deprecated command line option and net.ssl.clusterCAFile as a deprecated configuration file option

      For 4.0.3, 3.4.18, 3.6.9:

      • Add --sslClusterCAFile as a command line option and net.ssl.clusterCAFile as a configuration file option


        Issue Links



              isabella.siu@mongodb.com Isabella Siu (Inactive)
              kay.kim@mongodb.com Kay Kim (Inactive)
              0 Vote for this issue
              2 Start watching this issue


                4 years, 3 weeks, 4 days ago