Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-35418

Allow specifying CAs for incoming and outgoing connections separately

XMLWordPrintableJSON

    • Type: Icon: Improvement Improvement
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • 3.4.18, 3.6.9, 4.0.3, 4.1.3
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • v4.0, v3.6, v3.4
    • Security 2018-09-10
    • 0

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

            Assignee:
            sara.golemon@mongodb.com Sara Golemon
            Reporter:
            cory.mintz@mongodb.com Cory Mintz
            Votes:
            1 Vote for this issue
            Watchers:
            20 Start watching this issue

              Created:
              Updated:
              Resolved: