DOCS-3701-re-redux #1944

Closed
wants to merge 3 commits into from
2 changes: 1 addition & 1 deletion source/includes/options-mongo.yaml
Expand Up @@ -266,7 +266,7 @@ description: |
The default distribution of MongoDB does not contain support for SSL.
For more information on MongoDB and SSL, see :doc:`/tutorial/configure-ssl`.

.. include:: /includes/warning-x509-requires-sslCAfile.rst
.. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst
optional: true
---
program: mongo
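Review bot: the swap drops `warning-x509-requires-sslCAfile.rst` from this option's description, but the replacement text says nothing about x.509, and nothing in this PR deletes the old include. If x.509 authentication still requires `--sslCAFile`, keep both includes here (or fold the x.509 sentence into the new warning); if the old file is now unreferenced, delete it in the same change so it does not linger as dead content.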
2 changes: 1 addition & 1 deletion source/includes/options-shared.yaml
Expand Up @@ -122,7 +122,7 @@ description: |
The default distribution of MongoDB does not contain support for SSL.
For more information on MongoDB and SSL, see :doc:`/tutorial/configure-ssl`.

.. include:: /includes/warning-x509-requires-sslCAfile.rst
.. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst
optional: true
---
program: _shared
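Review bot: this file is `program: _shared`, so the include will render wherever the shared `--sslCAFile` option is pulled in, which presumably includes the mongod and mongos reference pages; there a warning that opens with "If the mongo shell or any other tool that connects to mongos or mongod" reads as client advice attached to a server option. Either confirm the shared option only renders for client programs, or keep the x.509 warning in this shared file and limit the client-oriented warning to options-mongo.yaml.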
11 changes: 11 additions & 0 deletions source/includes/warning-always-use-sslCAFile-for-mongo.rst
@@ -0,0 +1,11 @@
.. warning::

If the :program:`mongo` shell or any other tool that connects to
:program:`mongos` or :program:`mongod` is run without
:option:`--sslCAFile <mongod --sslCAFile>`, it will not attempt to validate
server certificates. This results in vulnerability to expired
:program:`mongod` and :program:`mongos` certificates as well as to foreign
processes posing as valid :program:`mongod` or :program:`mongos`
instances. Ensure that you *always* specify the CA file against which
server certificates should be validated in cases where intrusion is a
possibility.
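Review bot: the role target `:option:`--sslCAFile <mongod --sslCAFile>`` links to the mongod option, but the sentence is about the mongo shell and other clients; use `<mongo --sslCAFile>` so the link lands on the client option. The closing "in cases where intrusion is a possibility" also undercuts the warning: the first sentence establishes that a connection without a CA file validates nothing, so the instruction should be unconditional, e.g. "Always specify the CA file against which server certificates are validated." Consider naming the second risk plainly as a man-in-the-middle rather than "foreign processes posing as valid instances".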
8 changes: 5 additions & 3 deletions source/tutorial/configure-ssl-clients.txt
Expand Up @@ -29,7 +29,9 @@ SSL support or distributed with MongoDB Enterprise. To support SSL,
:file:`.pem` file that contains the SSL certificate and key.

- :option:`--sslCAFile` with the name of the :file:`.pem`
file that contains the certificate from the Certificate Authority.
file that contains the certificate from the Certificate Authority (CA).

.. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst

- :option:`--sslPEMKeyPassword` option if the
client certificate-key file is encrypted.
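Review bot: the `.. include::` is inserted between the `--sslCAFile` bullet and the `--sslPEMKeyPassword` bullet and, as shown here, sits flush-left; an unindented directive terminates the bullet list, so the `--sslPEMKeyPassword` item would start a new list. Indent the directive (and its surrounding blank lines) to the bullet's text column so the warning renders inside the `--sslCAFile` item, or move it after the last bullet. The `(CA)` expansion on the first use is fine.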
Expand All @@ -52,8 +54,8 @@ Connect to MongoDB Instance that Requires Client Certificates
To connect to a :program:`mongod` or :program:`mongos` that requires
:ref:`CA-signed client certificates
<ssl-mongod-ca-signed-ssl-cert-key>`, start the :program:`mongo` shell with
:option:`--ssl <mongo --ssl>` and the :setting:`--sslPEMKeyFile
<sslPEMKeyFile>` option to specify the signed certificate-key file, as
:option:`--ssl <mongo --ssl>` and the :option:`--sslPEMKeyFile
<mongo --sslPEMKeyFile>` option to specify the signed certificate-key file, as
in the following:

.. code-block:: sh
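Review bot: replacing `:setting:`--sslPEMKeyFile <sslPEMKeyFile>`` with `:option:`--sslPEMKeyFile <mongo --sslPEMKeyFile>`` is the right fix, since the text is describing a mongo shell command-line option, not a configuration file setting, and it now matches the `:option:`--ssl <mongo --ssl>`` role beside it. The `sh` code block that follows is cut off in this view; given the warning this PR adds earlier in the same file, check that the example command passes `--sslCAFile` alongside `--ssl` and `--sslPEMKeyFile`, otherwise the tutorial demonstrates exactly the unvalidated connection the warning tells readers to avoid.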