Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-35418

Allow specifying CAs for incoming and outgoing connections separately

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.18, 3.6.9, 4.0.3, 4.1.3
    • Component/s: Security
    • Labels:
      None

      Description

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              sara.golemon Sara Golemon
              Reporter:
              cory.mintz Cory Mintz
              Participants:
              Votes:
              1 Vote for this issue
              Watchers:
              19 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: