Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-35418

Allow specifying CAs for incoming and outgoing connections separately

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major - P3
    • Resolution: Fixed
    • None
    • 3.4.18, 3.6.9, 4.0.3, 4.1.3
    • Security
    • None
    • Fully Compatible
    • v4.0, v3.6, v3.4
    • Security 2018-09-10
    • 0

    Description

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

      Attachments

        Issue Links

          Activity

            People

              sara.golemon@mongodb.com Sara Golemon
              cory.mintz@mongodb.com Cory Mintz
              Votes:
              1 Vote for this issue
              Watchers:
              20 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: