See PM-1188 for details.
This change adds a new (server only) configuration setting:
On CLI: --tlsClusterCAFile (aliased as --sslClusterCAFile)
In a YAML Config: net.tls.clusterCAFile (aliased as net.ssl.clusterCAFile)
When provided, the CA certificate pointed to by this setting will be used to validate INBOUND connections to a MongoDB instance. Remote peers of OUTBOUND connections will continue to be validated using --tlsCAFile. If the setting is not present, then both inbound and outbound connections will be validated using --tlsCAFile (as they currently are).
Engineering Ticket Description:
The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.
Overloading both of these uses into the same parameter prevents safely running MongoDB with an sslPEMKeyFile signed by a public CA while also allowing the use of X509 authentication: any client holding a certificate from that public CA would pass client-certificate validation.
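As an added illustration of the split described above (this is example configuration written for this page, not a file from the ticket or the MongoDB project), the following mongod YAML config keeps a public-CA-signed server certificate for outbound peer validation while restricting inbound client-certificate validation to an internal CA. The file paths are assumed placeholders; the `net.tls.mode`, `net.tls.certificateKeyFile` and `net.tls.CAFile` keys are the TLS-named equivalents of the `ssl*` options referred to in the ticket.

```yaml
# Added example (not from the ticket): separate trust anchors for the two
# directions that a single sslCAFile/tlsCAFile previously had to serve.
# All paths below are assumed placeholders.
net:
  tls:
    mode: requireTLS
    # Server certificate presented to clients and to other cluster members.
    # In the ticket's scenario this is signed by a public CA.
    certificateKeyFile: /etc/ssl/mongodb/server.pem
    # Trust anchor for OUTBOUND connections: validates the server certificate
    # of other cluster members. If clusterCAFile is absent, this CA is also
    # used for INBOUND client-certificate validation.
    CAFile: /etc/ssl/mongodb/public-ca.pem
    # Trust anchor for INBOUND connections only: validates client certificates
    # for mutual TLS and the x509 auth mechanism. Keeping this an internal,
    # organization-controlled CA means a certificate issued by the public CA
    # is no longer sufficient to pass client-certificate validation.
    clusterCAFile: /etc/ssl/mongodb/internal-client-ca.pem
```

The command-line equivalent is `--tlsCAFile /etc/ssl/mongodb/public-ca.pem --tlsClusterCAFile /etc/ssl/mongodb/internal-client-ca.pem`. Omitting `--tlsClusterCAFile` (or `net.tls.clusterCAFile`) restores the previous behaviour, in which both inbound and outbound validation use `--tlsCAFile`.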