[DOCS-16369] [SERVER] Investigate changes in SERVER-72839: Server skips peer certificate validation if neither CAFile nor clusterCAFile is provided Created: 07/Sep/23  Updated: 28/Jan/24  Resolved: 27/Nov/23

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.4.29, 5.0.25, 7.0.6, 6.0.14, 7.1.0-rc4

Type: Task Priority: Minor - P4
Reporter: Backlog - Core Eng Program Management Team Assignee: Brad Moore
Resolution: Gone away Votes: 0
Labels: feature, security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Documented
documents SERVER-72839 Server skips peer certificate validat... Closed
Participants:
Days since reply: 10 weeks, 2 days ago
Story Points: 2

Description
Original Downstream Change Summary

Connections that previously succeeded only because certificate checking was never performed (that is, the check should have failed but did not run) may no longer work.

Description of Linked Ticket

The documentation says that:

If --tlsCAFile or tls.CAFile is not specified and you are not using x.509 authentication, the system-wide CA certificate store will be used when connecting to a TLS-enabled server.

However, when a server is configured with neither CAFile nor clusterCAFile, it skips peer certificate validation on both ingress and egress TLS connections. The expectation is that on egress connections the node (acting as the client) should at least verify the peer's (the server's) certificate against the system CA certificate store.

Note: this only applies to server processes (mongod and mongos); the shell is not affected.

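To make the affected condition concrete, the following is an added audit check (not MongoDB's own code and not part of the ticket) that flags a mongod/mongos configuration in the state the linked ticket describes: TLS enabled, but neither net.tls.CAFile nor net.tls.clusterCAFile set. The configuration keys (net.tls.mode, net.tls.CAFile, net.tls.clusterCAFile, net.tls.certificateKeyFile) are real MongoDB options; the function names and the two sample configurations are constructed for this example, with the weak setting shown beside the corrected one.

```python
"""Audit a mongod/mongos configuration (already parsed into nested dicts,
as a YAML loader would produce) for the SERVER-72839 condition: TLS is
enabled but no CA file is configured, so affected server versions perform
no peer certificate validation on ingress or egress connections.

Added example, not MongoDB's own code. Config keys are real MongoDB
options; function names and sample configs are constructed.
"""

# Constructed sample: the weak configuration (TLS on, no CA configured).
WEAK_CONFIG = {
    "net": {
        "tls": {
            "mode": "requireTLS",
            "certificateKeyFile": "/etc/ssl/mongodb.pem",  # placeholder path
        }
    }
}

# Constructed sample: the corrected configuration (a CA file is present).
FIXED_CONFIG = {
    "net": {
        "tls": {
            "mode": "requireTLS",
            "certificateKeyFile": "/etc/ssl/mongodb.pem",  # placeholder path
            "CAFile": "/etc/ssl/ca.pem",                    # placeholder path
        }
    }
}


def _get(config, dotted_path):
    """Walk a dotted key path through nested dicts; None if any part is missing."""
    node = config
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def tls_ca_findings(config):
    """Return a list of finding strings; an empty list means no issue found."""
    mode = _get(config, "net.tls.mode")
    if mode is None or mode == "disabled":
        return []  # TLS is not in use, so this issue does not apply
    ca_file = _get(config, "net.tls.CAFile")
    cluster_ca = _get(config, "net.tls.clusterCAFile")
    findings = []
    if not ca_file and not cluster_ca:
        findings.append(
            "net.tls.mode is %r but neither net.tls.CAFile nor "
            "net.tls.clusterCAFile is set: affected versions skip peer "
            "certificate validation on both ingress and egress "
            "connections (SERVER-72839)" % mode
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, tls_ca_findings(cfg) or ["ok"])
```

Running the script reports one finding for the weak configuration and none for the corrected one. The check looks only at the two CA options the ticket names; it intentionally says nothing about whether the fixed server versions fall back to the system CA store, since that is the behaviour still under discussion in the engineering ticket.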
Comments
Comment by Sarah Simpers [ 27/Nov/23 ]

After discussing with brad.moore@mongodb.com, we decided to close this docs ticket. Work on the flag continues in this server engineering ticket; if the server work ends up requiring docs, Docs Needed will be marked on that ticket and a new docs ticket will result.

Generated at Thu Feb 08 08:15:14 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.