[SERVER-6746] Authentication should only occur over secure channels Created: 09/Aug/12 Updated: 10/Dec/14 Resolved: 30/Apr/13 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication, Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Mark porter | Assignee: | Andy Schwerin |
| Resolution: | Won't Fix | Votes: | 1 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Environment: | All platforms |
| Description |
|
Authentication should only occur over secure channels. Support for SSL/TLS communication should be added for authentication. This form of authentication should include client certificate authentication for the purpose of mutually authenticating replication partners. Even with anti-replay nonce values and encrypted "keys", clear text authentication will be vulnerable to man-in-the-middle attacks. |
| Comments |
| Comment by Andy Schwerin [ 30/Apr/13 ] |
|
This seems like a best practices documentation issue, rather than a server improvement. Users may set up MongoDB on a secure virtual or physical network, or use SSL to secure the channel used to communicate among nodes and to clients. Is there a specific technical issue I'm missing here, Mark? |