According to my understanding, the parameters net.tls.allowInvalidCertificates and net.tls.allowInvalidHostnames are used for replica set / sharded cluster internal connections. This is not fully clear in the documentation.
When net.tls.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS certificates, allowing mongod or mongos to connect to other servers in the cluster if the hostname of their certificates does not match the specified hostname.
For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL.
A link to TLS/SSL Configuration for Clients is confusing because this parameter has no effect on client connections.
[...]
Note:
If you specify --tlsAllowInvalidCertificates or tls.allowInvalidCertificates: true when using x.509 certificates for internal authentication, an invalid certificate is only sufficient to establish a TLS connection but is insufficient for authentication.
When using the net.tls.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.
For more information about TLS and MongoDB, see Configure mongod and mongos and Internal/Membership Authentication with x.509.
Again, a link to TLS/SSL Configuration for Clients is confusing because this parameter has no effect on client connections. And the existing documentation misses a clear indication that it is relevant in a replica set / sharded cluster environment.
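As an added illustration (not part of this ticket or of the MongoDB documentation), here is where these two keys sit in a replica set member's mongod.conf alongside x.509 cluster authentication; the file paths and the replica set name are placeholders:

```yaml
# Example mongod.conf for one replica set member (added illustration;
# paths and names are placeholders, not values from the ticket).
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem      # this server's certificate + key
    CAFile: /etc/ssl/ca.pem                       # CA used to validate peers
    clusterFile: /etc/ssl/cluster-member.pem      # certificate presented to other members
    # The two settings below only relax checks on connections that this
    # mongod opens to other cluster members (mongod/mongos). They have no
    # effect on client (driver) connections, which handle their own validation.
    allowInvalidHostnames: false      # true: skip hostname check on member certificates
    allowInvalidCertificates: false   # true: accept an invalid member certificate for the
                                      # TLS handshake only; with x.509 cluster auth the
                                      # certificate must still validate to authenticate,
                                      # and mongod logs a warning about the invalid cert
security:
  clusterAuthMode: x509               # members authenticate each other with x.509
replication:
  replSetName: rs0                    # placeholder replica set name
```

Keeping both keys at false is the hardened configuration; setting either to true weakens member-to-member TLS without changing what clients see.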