Allow specifying CAs for incoming and outgoing connections separately

XMLWordPrintableJSON

    • Type: Improvement
    • Resolution: Fixed
    • Priority: Major - P3
    • 3.4.18, 3.6.9, 4.0.3, 4.1.3
    • Affects Version/s: None
    • Component/s: Security
    • None
    • Fully Compatible
    • v4.0, v3.6, v3.4
    • Security 2018-09-10
    • 0
    • None
    • 3
    • None
    • None
    • None
    • None
    • None
    • None

      The current MongoDB parameter sslCAFile is used for both:
      1) Incoming connections to MongoDB to verify a client certificate for both regular mutual auth and the x509 auth mechanism.
      2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

      Overloading both of these uses into the same parameter prevents safely running MongoDB with a sslPEMKeyFile signed by a public CA and also allowing the use of X509 authentication.

            Assignee:
            Sara Golemon (Inactive)
            Reporter:
            Cory Mintz
            Votes:
            1 Vote for this issue
            Watchers:
            20 Start watching this issue

              Created:
              Updated:
              Resolved: