[DOCS-16619] [Server] Clarify scope of parameters allowInvalidCertificates and allowInvalidHostnames Created: 31/Jan/24  Updated: 05/Feb/24  Resolved: 05/Feb/24

Status: Closed
Project: Documentation
Component/s: manual
Affects Version/s: None
Fix Version/s: Server_Docs_[20240205]

Type: Task Priority: Critical - P2
Reporter: Wernfried Domscheit Assignee: Alison Huh
Resolution: Fixed Votes: 0
Labels: request, top250
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
is related to SERVER-85910 Setting allowConnectionsWithoutCertif... Investigating
URL(s): https://www.mongodb.com/docs/manual/reference/configuration-options/
Participants:
Days since reply: 1 week, 1 day ago
Story Points: 1

Description

According to my understanding, the parameters net.tls.allowInvalidCertificates and net.tls.allowInvalidHostnames are used for replica set / sharded cluster internal connections. This is not fully clear in the documentation.


For net.tls.allowInvalidHostnames I suggest the following:

When net.tls.allowInvalidHostnames is true, MongoDB disables the validation of the hostnames in TLS certificates, allowing mongod or mongos to connect to other servers in the cluster if the hostnames in their certificates do not match the specified hostname.

For more information about TLS and MongoDB, see Configure mongod and mongos for TLS/SSL

A link to TLS/SSL Configuration for Clients is confusing because this parameter has no effect on client connections.


For net.tls.allowInvalidCertificates I suggest the following:

[...]
Note:
If you specify --tlsAllowInvalidCertificates or tls.allowInvalidCertificates: true when using x.509 certificates for internal authentication, an invalid certificate is only sufficient to establish a TLS connection but is insufficient for authentication.

When using the net.tls.allowInvalidCertificates setting, MongoDB logs a warning regarding the use of the invalid certificate.

For more information about TLS and MongoDB, see Configure mongod and mongos and Internal/Membership Authentication with x.509

Again, a link to TLS/SSL Configuration for Clients is confusing because this parameter has no effect on client connections. And the existing documentation misses a clear indication that it is relevant in a replica set / sharded cluster environment.
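
As an added example (not from the ticket, the linked docs page, or MongoDB's own sources), the two mongod.conf fragments below show a replica-set member using x.509 membership authentication, once with peer-certificate validation intact and once with the two parameters discussed in this ticket switched on. File paths, the port, and the replica set name are placeholders; the comments on what the relaxed settings do follow the ticket's own description rather than any verified server behaviour.

```yaml
# Added example; not from the ticket or the MongoDB documentation.
# Two mongod.conf documents (separated by ---) for one replica-set
# member. Paths, port and replSetName are assumptions/placeholders.

# --- Hardened: peers must present a valid certificate whose hostname matches ---
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/member.pem   # this node's cert + key (placeholder path)
    CAFile: /etc/ssl/mongodb/ca.pem                   # CA that signed the cluster's certs (placeholder path)
    clusterFile: /etc/ssl/mongodb/member.pem          # cert presented to other members (placeholder path)
    # allowInvalidCertificates and allowInvalidHostnames are deliberately
    # absent, so both keep their default of false: certificates from other
    # cluster members are chain-validated and hostname-checked.
security:
  clusterAuthMode: x509
replication:
  replSetName: rs0

---
# --- Relaxed: the form the ticket asks the docs to describe more clearly ---
# Same member, but validation of other cluster members' certificates is
# loosened. Per the ticket's reading, these two settings apply to the
# connections mongod/mongos makes to other servers in the cluster, and
# with clusterAuthMode x509 an invalid certificate still fails membership
# authentication: it buys a TLS session, not cluster membership. mongod
# logs a warning when allowInvalidCertificates is in use.
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/member.pem
    CAFile: /etc/ssl/mongodb/ca.pem
    clusterFile: /etc/ssl/mongodb/member.pem
    allowInvalidCertificates: true   # peer certificate chain no longer validated
    allowInvalidHostnames: true      # peer certificate hostname no longer checked
security:
  clusterAuthMode: x509
replication:
  replSetName: rs0
```

When reviewing a deployed cluster, treat the second form as a finding: check each member's config (or `db.adminCommand({getCmdLineOpts: 1})`) for these two keys, and look in the mongod log for the invalid-certificate warning the ticket mentions as confirmation that a peer is actually presenting a certificate that would otherwise be rejected.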


Generated at Thu Feb 08 08:15:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.