[SERVER-35418] Allow specifying CAs for incoming and outgoing connections separately Created: 05/Jun/18  Updated: 29/Oct/23  Resolved: 29/Aug/18

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: None
Fix Version/s: 3.4.18, 3.6.9, 4.0.3, 4.1.3

Type: Improvement Priority: Major - P3
Reporter: Cory Mintz Assignee: Sara Golemon
Resolution: Fixed Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-12022 Docs for SERVER-35418: Allow specifyi... Closed
Problem/Incident
Related
related to SERVER-57716 Partial certificate chain in PEM caus... Closed
is related to DOCS-14153 Consider removing the recommendation ... Closed
Backwards Compatibility: Fully Compatible
Backport Requested:
v4.0, v3.6, v3.4
Sprint: Security 2018-09-10
Participants:
Case:
Linked BF Score: 0

Description

The current MongoDB parameter sslCAFile is used for both:
1) Incoming connections to MongoDB, to verify a client certificate for both regular mutual auth and the X.509 auth mechanism.
2) Outgoing connections to other members of the same cluster, when they are running SSL, to verify the server certificate of the other member.

Overloading both of these uses onto the same parameter prevents safely running MongoDB with an sslPEMKeyFile signed by a public CA while also allowing the use of X.509 authentication.
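As an added illustration (not part of the ticket or its commits), the mongod configuration fragment below separates the two trust stores the description says sslCAFile conflates. It uses the ssl* option names the backport commits refer to: net.ssl.CAFile keeps its role for the outgoing direction, and net.ssl.clusterCAFile takes over the incoming direction (the master branch used tls* names, per the commit message). All file paths are placeholders, and the comment on peer-member connections states my reading of the option semantics, not something this ticket spells out.

```yaml
# Added example config, not from the ticket. Paths are placeholders.
net:
  ssl:
    mode: requireSSL
    # Server identity this node presents, both to connecting clients and to
    # the cluster members it connects to. In the description's scenario this
    # certificate is issued by a public CA.
    PEMKeyFile: /etc/mongod/tls/server-public-ca-signed.pem
    # Outgoing direction: trust anchors used to verify the server certificate
    # of the cluster member this node connects TO. Since members hold
    # public-CA-issued certificates, this is the public CA bundle.
    CAFile: /etc/mongod/tls/public-ca-bundle.pem
    # Incoming direction: trust anchors used to verify the certificate presented
    # BY whoever connects to this node, including X.509 auth clients. Only the
    # internal CA that issues client certificates belongs here. Before this
    # change the CAFile bundle was used for this direction too, so client
    # certificates had to chain to the same CA as member certificates.
    # Assumption: peer members connecting to this node are verified against
    # this bundle as well, so if members also authenticate with X.509, their
    # issuing CA must be included here.
    clusterCAFile: /etc/mongod/tls/internal-client-ca.pem
security:
  authorization: enabled
```

With the two trust stores split this way, the set of CAs that can vouch for an inbound identity is narrowed to the internal CA, while the publicly trusted certificates on cluster members remain verifiable on the outbound side. Leaving clusterCAFile unset falls back to the pre-change behaviour of using CAFile for both directions.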



Comments
Comment by Githook User [ 20/Sep/18 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately

(cherry picked from commit 17ccef2b9f0c71b60d31b84b8824215ff87f03aa)

Option names mapped from tls* to ssl*
Branch: v3.4
https://github.com/mongodb/mongo/commit/707c7c5d592fe6c32bbf3fc7a05142f80b7a25c6

Comment by Githook User [ 20/Sep/18 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately

(cherry picked from commit 17ccef2b9f0c71b60d31b84b8824215ff87f03aa)

Option names mapped from tls* to ssl*
Branch: v3.6
https://github.com/mongodb/mongo/commit/13904dfc1f231b05ff3991cdefad0cea63b62d46

Comment by Githook User [ 20/Sep/18 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately

(cherry picked from commit 17ccef2b9f0c71b60d31b84b8824215ff87f03aa)

Option names mapped from tls* to ssl*
Branch: v4.0
https://github.com/mongodb/mongo/commit/85dbde9e17ec526911aba820564a6f299133263b

Comment by Matt Lord (Inactive) [ 29/Aug/18 ]

The Atlas team has requested that we backport this work to all of their supported versions (3.2 is EOL in Sept 2018) if possible. 

Comment by Githook User [ 29/Aug/18 ]

Author:

{'name': 'Sara Golemon', 'email': 'sara.golemon@mongodb.com', 'username': 'sgolemon'}

Message: SERVER-35418 Allow specifying CAs for incoming and outgoing connections separately
Branch: master
https://github.com/mongodb/mongo/commit/17ccef2b9f0c71b60d31b84b8824215ff87f03aa

Generated at Thu Feb 08 04:39:45 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.