Loading...

XML

Word

Printable

JSON

Type: Improvement
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 3.4.18, 3.6.9, 4.0.3, 4.1.3
Affects Version/s: None
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.0, v3.6, v3.4
Sprint:
Security 2018-09-10
Case:
Linked BF Score:
0
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

related to

SERVER-57716 Partial certificate chain in PEM causes validation failure in OCSP

Closed

Assignee:: Sara Golemon (Inactive)
Reporter:: Cory Mintz
Participants:: Cory Mintz, Githook User, Matt Lord, Sara Golemon
Votes:: 1 Vote for this issue
Watchers:: 20 Start watching this issue

Created:: Jun 05 2018 08:02:47 PM UTC
Updated:: Oct 29 2023 10:31:03 PM UTC
Resolved:: Aug 29 2018 02:56:02 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates