Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-35418

Allow specifying CAs for incoming and outgoing connections separately

    XMLWordPrintableJSON

Details

    • Icon: Improvement Improvement
    • Resolution: Fixed
    • Icon: Major - P3 Major - P3
    • 3.4.18, 3.6.9, 4.0.3, 4.1.3
    • None
    • Security
    • None
    • Fully Compatible
    • v4.0, v3.6, v3.4
    • Security 2018-09-10
    • 0

    Description

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

      Attachments

        Activity

          People

            sara.golemon@mongodb.com Sara Golemon
            cory.mintz@mongodb.com Cory Mintz
            Votes:
            1 Vote for this issue
            Watchers:
            20 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: