Details
- Improvement
- Resolution: Done
- Major - P3
- None
- None
- None
- Fully Compatible
- Security 6 07/17/15
Description
In cloud-based environments with an internal CA, a situation arises whereby a mongo cluster at release A is already enrolled with a CA also from release A, but during release B the CA might have been rebuilt and thus the cluster can't be formed with strict net.ssl.mode settings. It depends on how the clustering is implemented and the timing of each mongo node deployment, but such a situation has arisen.
Rather than lower the SSL authentication, could we propose an additional net.ssl.mode for matching issuer DN values rather than failing due to changes in issuer certificate version numbers?
net.ssl.mode=allowSSLIssuerDN
net.ssl.issuerDN='CN=issuer.internal'