Type: Task
Resolution: Fixed
Priority: Major - P3
Affects Version/s: None
Labels: None
Description:
See PM-1188 for details.
This change adds a new (server only) configuration setting:
- On the CLI: --tlsClusterCAFile (aliased as --sslClusterCAFile)
- In a YAML config: net.tls.clusterCAFile (aliased as net.ssl.clusterCAFile)
When provided, the CA certificate pointed to by this setting is used to validate certificates presented on INBOUND connections to a MongoDB instance (client certificates, including those used for the x.509 authentication mechanism). Remote servers contacted during outbound connections continue to be validated using --tlsCAFile. If the setting is not present, both inbound and outbound connections are validated using --tlsCAFile (as they currently are).
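The following mongod configuration illustrates the split the ticket describes. It is an added example, not configuration from the ticket or from the MongoDB documentation; the file paths are placeholders, and it uses the 4.2+ net.tls.* option names (the net.ssl.* aliases apply to the 4.0.3, 3.6.9 and 3.4.18 backports).

```yaml
# Added illustration (not from the ticket): separate CAs for inbound and
# outbound TLS validation. All file paths below are assumed placeholders.
net:
  port: 27017
  tls:
    mode: requireTLS
    # Server certificate presented to clients and to other members.
    # This is the certificate that can safely be signed by a public CA.
    certificateKeyFile: /etc/mongodb/tls/server.pem
    # CA chain used to validate the remote server on OUTBOUND connections
    # (e.g. when connecting to other replica set members). With a publicly
    # signed server certificate this is the public CA's chain.
    CAFile: /etc/mongodb/tls/public-ca-chain.pem
    # CA used to validate client certificates on INBOUND connections
    # (regular mutual TLS and the x.509 authentication mechanism).
    # Keeping this an internal, private CA means a certificate issued by
    # the public CA is not accepted as a client credential.
    clusterCAFile: /etc/mongodb/tls/internal-client-ca.pem
```

Without net.tls.clusterCAFile, net.tls.CAFile would have to contain the public CA so that outbound connections to other members validate, and that same public CA would then be trusted for inbound client certificates, which is the overloading the ticket removes.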
Engineering Ticket Description:
The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.
Overloading both of these uses into the same parameter prevents safely running MongoDB with an sslPEMKeyFile signed by a public CA while also allowing the use of x.509 authentication.
Scope of changes
For 4.2 and later:
- Add --tlsClusterCAFile as a command line option and net.tls.clusterCAFile as a configuration file option
- Mark --sslClusterCAFile as a deprecated command line option and net.ssl.clusterCAFile as a deprecated configuration file option
For 4.0.3, 3.4.18, 3.6.9:
- Add --sslClusterCAFile as a command line option and net.ssl.clusterCAFile as a configuration file option
Issue Links:
- documents: SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately (Closed)