Uploaded image for project: 'Documentation'
  1. Documentation
  2. DOCS-12022

Docs for SERVER-35418: Allow specifying CAs for incoming and outgoing connections separately

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.0.3, 4.1.3, 3.6.9, 3.4.18
    • Component/s: manual, Server
    • Labels:
      None

      Description

      Description

      Description:

      See PM-1188 for details.

      This change adds a new (server only) configuration setting:
      On CLI: --tlsClusterCAFile (aliased as --sslClusterCAFile )
      In a YAML Config: net.tls.clusterCAFile (aliased as net.ssl.clusterCAFile )

      When provided, the certificate pointed to by this setting will be used to validate INBOUND connections to a MongoDB instance. Remotes during outbound connections will continue to be validated using --tlsCAFile . If the setting is not present, then both inbound and outbound connections will be validated using --tlsCAfile (as they currently are).

      Engineering Ticket Description:

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

      Scope of changes

      For 4.2 and later:

      • Add --tlsClusterCAFile as a command line option and {{net.tls.clusterCAFile }} as a configuration file option
      • Mark --sslClusterCAFile as a deprecated command line option and net.ssl.clusterCAFile as a deprecated configuration file option

      For 4.0.3, 3.4.18, 3.6.9:

      • Add --sslClusterCAFile as a command line option and net.ssl.clusterCAFile as a configuration file option

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              isabella.siu Isabella Siu
              Reporter:
              kay.kim Kay Kim (Inactive)
              Participants:
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:
                Days since reply:
                2 years, 25 weeks, 2 days ago
                Date of 1st Reply: