Details
- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Fix Version/s: 7.0.5, 6.0.13, 5.0.24, 4.4.28
- None
- None
- Component/s: Server Security
- Backwards Compatibility: Fully Compatible
- Operating System: ALL
- Backport Requested: v7.0, v6.0, v5.0, v4.4, v4.2
- Sprint: Security 2023-01-23, Security 2023-02-06, Security 2023-02-20, Security 2023-03-06, Security 2023-03-20, Security 2023-04-03, Security 2023-04-17, Security 2023-05-01, Security 2023-05-15, Security 2023-05-29, Security 2023-06-12, Security 2023-06-26, Security 2023-07-10, Security 2023-07-24, Security 2023-08-07, Security 2023-08-21, Security 2023-09-04, Security 2023-09-18
Description
The documentation says that:
If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.
However, a server configured with neither CAFile nor clusterCAFile skips peer certificate validation entirely, on both ingress and egress TLS connections. On an egress connection the node is the TLS client, so the expectation is that it should at least verify the peer's (server's) certificate against the system CA certificate store, as the documentation describes.
Note that this only applies to server processes (mongod and mongos); the shell is not affected.
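The condition described above is easy to audit from the outside: TLS enabled, no CAFile and no clusterCAFile, and a server release older than the Fix Version/s on this ticket. The following is an added example written for this page, not MongoDB's own code. It takes a parsed mongod.conf (the `net.tls` / legacy `net.ssl` section, as a dict) or the equivalent `--tls*` command-line flags, and reports whether the configuration hits the SERVER-72839 condition on the given server version. The sample configurations and file paths are constructed for the example; the finding codes and the helper names (`audit`, `has_fix`, `settings_from_argv`) are this example's own, and the assumption that branches newer than 7.0 carry the fix (and that 4.2, which has no fix version listed here, does not) is the example's, not the ticket's.

```python
"""Audit mongod/mongos TLS settings for the SERVER-72839 condition.

Added example for this ticket, not MongoDB's own code. Flags a server that
enables TLS without an explicit CAFile or clusterCAFile and checks whether
the running release predates the fix versions listed on the ticket.
All configurations below are constructed samples; paths are placeholders.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Fix Version/s from the ticket: first release on each branch with the fix.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (7, 0): (7, 0, 5),
    (6, 0): (6, 0, 13),
    (5, 0): (5, 0, 24),
    (4, 4): (4, 4, 28),
}


def parse_version(text: str) -> Version:
    """'6.0.13' or '7.0.5-rc1' -> (major, minor, patch); pre-release tags dropped."""
    nums = [int(p) for p in text.split("-")[0].split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))  # type: ignore[return-value]


def has_fix(version: str) -> bool:
    """True when the release contains the SERVER-72839 fix.

    Assumption (not from the ticket): branches newer than 7.0 are fixed;
    branches with no fix version listed (e.g. 4.2) are treated as unfixed.
    """
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        return v >= FIXED_IN[branch]
    return branch > (7, 0)


def tls_section(cfg: dict) -> dict:
    """Return net.tls, falling back to the legacy net.ssl spelling.

    mode, CAFile and clusterCAFile use the same key names under both.
    """
    net = cfg.get("net") or {}
    return net.get("tls") or net.get("ssl") or {}


def settings_from_argv(argv: List[str]) -> dict:
    """Map mongod --tls* flags onto the config-file shape.

    Accepts both '--tlsCAFile path' and '--tlsCAFile=path'. The legacy
    --ssl* spellings are not handled by this example.
    """
    names = {
        "--tlsMode": "mode",
        "--tlsCAFile": "CAFile",
        "--tlsClusterCAFile": "clusterCAFile",
        "--tlsCertificateKeyFile": "certificateKeyFile",
    }
    tls: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg, value = argv[i], None
        if "=" in arg:
            arg, value = arg.split("=", 1)
        elif arg in names and i + 1 < len(argv):
            value = argv[i + 1]
            i += 1
        if arg in names and value is not None:
            tls[names[arg]] = value
        i += 1
    return {"net": {"tls": tls}}


def audit(cfg: dict, server_version: str) -> List[str]:
    """Return finding codes for a parsed config and the server's version string."""
    tls = tls_section(cfg)
    if tls.get("mode", "disabled") == "disabled":
        return []  # TLS not enabled: no peer certificates to validate
    findings: List[str] = []
    if not tls.get("CAFile") and not tls.get("clusterCAFile"):
        if has_fix(server_version):
            # Fixed build, but the trust anchors are still not pinned in config.
            findings.append("IMPLICIT_TRUST_STORE")
        else:
            # Pre-fix build: ingress and egress peer certificates go unchecked.
            findings.append("SERVER-72839_NO_PEER_VALIDATION")
    elif not tls.get("CAFile"):
        # Only clusterCAFile is set; the egress trust anchor is not explicit.
        findings.append("EGRESS_CA_NOT_EXPLICIT")
    return findings


# Constructed sample configurations (not real deployments).
WEAK_CONF = {"net": {"tls": {"mode": "requireTLS",
                             "certificateKeyFile": "/etc/ssl/mongod.pem"}}}
FIXED_CONF = {"net": {"tls": {"mode": "requireTLS",
                              "certificateKeyFile": "/etc/ssl/mongod.pem",
                              "CAFile": "/etc/ssl/ca.pem"}}}
LEGACY_WEAK_CONF = {"net": {"ssl": {"mode": "requireSSL",
                                    "PEMKeyFile": "/etc/ssl/mongod.pem"}}}

if __name__ == "__main__":
    for name, conf in [("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("legacy", LEGACY_WEAK_CONF)]:
        print(name, "6.0.12:", audit(conf, "6.0.12"), "6.0.13:", audit(conf, "6.0.13"))
```

The corrected configuration is the one that names the trust anchor explicitly (`net.tls.CAFile`, or `--tlsCAFile` on the command line); the audit reports `IMPLICIT_TRUST_STORE` even on a fixed build so that operators do not keep relying on default behaviour that changed across these releases.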
Issue Links
- causes: MONGOSH-1592 Account for server TLS option changes (Closed)
- is caused by: SERVER-23044 Fall back to system CA certs in the shell if CA file isn't provided (Closed)
- is depended on by: TOOLS-3463 Investigate changes in SERVER-72839: Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided (Needs Triage); COMPASS-7197 Investigate changes in SERVER-72839: Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided (Closed)
- is documented by: DOCS-16369 [SERVER] Investigate changes in SERVER-72839: Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided (Closed)
- is related to: SERVER-80677 Cert failures due to parallel tests (Closed)
- related to: SERVER-72234 System-wide CA certificate store not used (Closed); SERVER-82257 Add explicit --tlsUseSystemCA flag (Closed)