Backport of DOCSP-4767 (#5382)

* Update source/tutorial/configure-ssl.txt

Co-authored-by: ianf-mongodb <[email protected]>

* Merge branch 'DOCSP-4767-to_7.1' into DOCSP-4767-latest

---------

Co-authored-by: ianf-mongodb <[email protected]>

Author: MongoCaleb

source/reference/configuration-options.txt

@@ -1445,18 +1445,23 @@ Core Options
 
    .. versionadded:: 4.2
 
-   .. include:: /includes/TLS-SSL-certificates.rst
+   By default, the server bypasses client certificate validation unless 
+   the server is configured to use a CA file. If a CA file is provided, the 
+   following rules apply: 
+
+   - .. include:: /includes/TLS-SSL-certificates.rst
 
-   For clients that present a certificate, however, :binary:`~bin.mongos` or :binary:`~bin.mongod` performs
-   certificate validation using the root certificate chain specified by
-   :setting:`~net.tls.CAFile` and reject clients with invalid certificates.
+   - For clients that present a certificate, :binary:`~bin.mongos` or 
+     :binary:`~bin.mongod` performs certificate validation using the root 
+     certificate chain specified by :setting:`~net.tls.CAFile` and reject 
+     clients with invalid certificates.
 
-   Use the :setting:`net.tls.allowConnectionsWithoutCertificates` option if you have a mixed deployment that includes
-   clients that do not or cannot present certificates to the :binary:`~bin.mongos` or :binary:`~bin.mongod`.
+   Use the :setting:`net.tls.allowConnectionsWithoutCertificates` option if you 
+   have a mixed deployment that includes clients that do not or cannot present 
+   certificates to the :binary:`~bin.mongos` or :binary:`~bin.mongod`.
 
    .. include:: /includes/extracts/tls-facts-see-more.rst
 
-
 .. setting:: net.tls.allowInvalidCertificates
 
    *Type*: boolean

source/reference/program/mongod.txt

@@ -2235,18 +2235,23 @@ TLS Options
 
    .. versionadded:: 4.2
 
-   .. include:: /includes/TLS-SSL-certificates.rst
+   By default, the server bypasses client certificate validation unless 
+   the server is configured to use a CA file. If a CA file is provided, the 
+   following rules apply: 
 
-   For clients that present a certificate, however, ``mongod`` performs
-   certificate validation using the root certificate chain specified by
-   ``--tlsCAFile`` and reject clients with invalid certificates.
+   - .. include:: /includes/TLS-SSL-certificates.rst
+
+   - For clients that present a certificate, ``mongod`` performs
+     certificate validation using the root certificate chain specified by
+     :option:`--tlsCAFile <mongod --tlsCAFile>`  and reject clients with invalid 
+     certificates.
 
-   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have a mixed deployment that includes
-   clients that do not or cannot present certificates to the ``mongod``.
+   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have 
+   a mixed deployment that includes clients that do not or cannot present 
+   certificates to the ``mongod``.
 
    .. include:: /includes/extracts/tls-facts-see-more.rst
 
-
 .. option:: --tlsDisabledProtocols <protocol(s)>
 
    .. versionadded:: 4.2

source/reference/program/mongos.txt

@@ -1010,14 +1010,20 @@ TLS Options
 
    .. versionadded:: 4.2
 
-   .. include:: /includes/TLS-SSL-certificates.rst
+   By default, the server bypasses client certificate validation unless 
+   the server is configured to use a CA file. If a CA file is provided, the 
+   following rules apply: 
 
-   For clients that present a certificate, however, ``mongos`` performs
-   certificate validation using the root certificate chain specified by
-   ``--tlsCAFile`` and reject clients with invalid certificates.
+   - .. include:: /includes/TLS-SSL-certificates.rst
+
+   - For clients that present a certificate, ``mongos`` performs
+     certificate validation using the root certificate chain specified by
+     :option:`--tlsCAFile <mongod --tlsCAFile>`  and reject clients with invalid 
+     certificates.
 
-   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have a mixed deployment that includes
-   clients that do not or cannot present certificates to the ``mongos``.
+   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have 
+   a mixed deployment that includes clients that do not or cannot present 
+   certificates to the ``mongos``.
 
    .. include:: /includes/extracts/tls-facts-see-more.rst
 

source/tutorial/configure-ssl.txt

@@ -9,7 +9,7 @@ Configure ``mongod`` and ``mongos`` for TLS/SSL
 .. contents:: On this page
    :local:
    :backlinks: none
-   :depth: 1
+   :depth: 2
    :class: singlecol
 
 Overview
@@ -71,6 +71,11 @@ members, it is advisable to use different certificates on different
 servers. This minimizes exposure of the private key and allows for
 hostname validation.
 
+.. note::
+
+   If a MongoDB deployment is not configured to use a CA file, it bypasses client 
+   certificate validation.
+
 .. [#FIPS]
 
    For FIPS mode, ensure that the certificate is FIPS-compliant (i.e