DOCS-16619

[Server] Clarify scope of parameters allowInvalidCertificates and allowInvalidHostnames

According to my understanding, the parameters net.tls.allowInvalidCertificates and net.tls.allowInvalidHostnames are used for replica set / sharded cluster internal connections. This is not fully clear in the documentation.

For net.tls.allowInvalidHostnames I suggest the following:

When net.tls.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS certificates, allowing mongod or mongos to connect to other servers in the cluster if the hostnames in their certificates do not match the specified hostname.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL.

A link to TLS/SSL Configuration for Clients is confusing because this parameter has no effect on client connections.

For net.tls.allowInvalidCertificates I suggest the following:

[...]
Note:
If you specify --tlsAllowInvalidCertificates or tls.allowInvalidCertificates: true when using x.509 certificates for internal authentication, an invalid certificate is only sufficient to establish a TLS connection but is insufficient for authentication.

When using the net.tls.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.

For more information about TLS and MongoDB, see Configure mongod and mongos and Internal/Membership Authentication with x.509.

Again, a link to TLS/SSL Configuration for Clients is confusing because this parameter has no effect on client connections. And the existing documentation misses a clear indication that it is relevant in a replica set / sharded cluster environment.

Assignee: Alison Huh (alison.huh@mongodb.com)
Reporter: Wernfried Domscheit (wernfried.domscheit@sunrise.net)
Resolved: 25 weeks, 1 day ago
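To make the scope discussed in the ticket concrete, here is an added example mongod.conf for a replica set member using x.509 membership authentication; it is not from the ticket or from the MongoDB documentation, and the file paths, port, and replica set name are placeholders. The comments record the hardened setting beside the weakened one and what, per the ticket's reading, each of the two parameters does and does not relax.

```yaml
# Added example (not from the ticket or the MongoDB docs): replica set
# member configuration. Paths, port and replSetName are placeholders.
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod-member.pem   # placeholder path
    CAFile: /etc/ssl/ca.pem                           # placeholder path
    # The two settings below apply to connections this mongod/mongos
    # opens to other replica set / sharded cluster members. They have
    # no effect on client connections (the point of the ticket).
    #
    # Hardened (recommended): peer certificates must chain to CAFile
    # and the certificate hostname must match the peer's hostname.
    allowInvalidCertificates: false
    allowInvalidHostnames: false
    #
    # Weakened variant (what the ticket asks the docs to scope clearly):
    # allowInvalidCertificates: true   # TLS handshake with an invalid peer
    #                                  # certificate succeeds and a warning is
    #                                  # logged; with clusterAuthMode x509 the
    #                                  # peer still fails membership auth.
    # allowInvalidHostnames: true      # hostname mismatch in peer certificates
    #                                  # is tolerated for intra-cluster links
security:
  clusterAuthMode: x509   # internal authentication with x.509 certificates
replication:
  replSetName: rs0        # placeholder
```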