[DOCS-4584] server option net.ssl.allowInvalidHostnames is not documented Created: 28/Dec/14 Updated: 16/Mar/15 Resolved: 02/Jan/15 |
|
| Status: | Closed |
| Project: | Documentation |
| Component/s: | manual |
| Affects Version/s: | None |
| Fix Version/s: | v1.3.16 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Carl D'Halluin | Assignee: | Sam Kleinman (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Participants: | |
| Days since reply: | 9 years, 6 weeks, 5 days ago |
| Description |
|
When setting up a replica set using SSL, people might rely on certificates signed by a trusted parent certificate. In this case they might not use hostnames at all. A Mongo server does not want to connect to another Mongo server if the SSL hostname doesn't match. Setting net.ssl.allowInvalidCertificates to true solves this, but also makes the whole setup completely insecure. The option net.ssl.allowInvalidHostnames works and is very useful and secure for such setups. I found it in the code (also as an option to the mongo shell), but not in the documentation: http://docs.mongodb.org/manual/reference/configuration-options/#net.ssl.allowInvalidCertificates |
| Comments |
| Comment by Githook User [ 02/Jan/15 ] |
|
Author: Sam Kleinman (tychoish) <samk@10gen.com> Message: |
| Comment by Carl D'Halluin [ 28/Dec/14 ] |
|
I saw this in the 2.6.4 src code and higher. It is not present in 2.6.3 or before. |
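
The setup described in the ticket, written out as a mongod configuration file. This is an added example, not taken from the ticket or from the MongoDB documentation; the file paths are placeholders. With hostname checking off, any certificate that chains to the configured CAFile is accepted whatever name it carries, so this fits a CA that signs only the cluster's own members.

```yaml
# Added example; paths are placeholders, not values from the ticket.
# mongod.conf for a replica set member whose certificate is signed by a
# trusted parent CA but does not carry a hostname that peers connect to.
net:
  ssl:
    mode: requireSSL
    PEMKeyFile: /etc/ssl/mongodb/member.pem   # placeholder: member certificate + key
    CAFile: /etc/ssl/mongodb/ca.pem           # placeholder: the signing CA
    # Skip only the hostname comparison when connecting to other members.
    # The certificate chain is still validated against CAFile.
    allowInvalidHostnames: true
    # The weak alternative named in the ticket: turns off certificate
    # validation altogether. Keep it at false.
    allowInvalidCertificates: false
```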