[SERVER-35418] Allow specifying CAs for incoming and outgoing connections separately - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.4.18, 3.6.9, 4.0.3, 4.1.3
Component/s: Security
Labels:
None

Backwards Compatibility:
Fully Compatible
Backport Requested:

v4.0, v3.6, v3.4
Sprint:
Security 2018-09-10
Case:
Linked BF Score:
0

Description

The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

Attachments

Issue Links

is documented by

DOCS-12022 Docs for SERVER-35418: Allow specifying CAs for incoming and outgoing connections separately

Closed

is related to

DOCS-14153 Consider removing the recommendation to use a single CA for X.509

Closed

related to

SERVER-57716 Partial certificate chain in PEM causes validation failure in OCSP

Closed

Activity

People

Assignee:: Sara Golemon

Reporter:: Cory Mintz

Participants:: Cory Mintz, Githook User, Matt Lord, Sara Golemon

Votes:: 1 Vote for this issue

Watchers:: 20 Start watching this issue

Dates

Created:: Jun 05 2018 08:02:47 PM UTC

Updated:: Jul 02 2021 06:27:49 PM UTC

Resolved:: Aug 29 2018 02:56:02 PM UTC