diff --git a/source/includes/options-mongo.yaml b/source/includes/options-mongo.yaml index 002660554e5..b3c3651e04d 100644 --- a/source/includes/options-mongo.yaml +++ b/source/includes/options-mongo.yaml @@ -266,7 +266,7 @@ description: | The default distribution of MongoDB does not contain support for SSL. For more information on MongoDB and SSL, see :doc:`/tutorial/configure-ssl`. - .. include:: /includes/warning-x509-requires-sslCAfile.rst + .. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst optional: true --- program: mongo diff --git a/source/includes/options-shared.yaml b/source/includes/options-shared.yaml index c27fa930fe7..c81394f4038 100644 --- a/source/includes/options-shared.yaml +++ b/source/includes/options-shared.yaml @@ -122,7 +122,7 @@ description: | The default distribution of MongoDB does not contain support for SSL. For more information on MongoDB and SSL, see :doc:`/tutorial/configure-ssl`. - .. include:: /includes/warning-x509-requires-sslCAfile.rst + .. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst optional: true --- program: _shared diff --git a/source/includes/warning-always-use-sslCAFile-for-mongo.rst b/source/includes/warning-always-use-sslCAFile-for-mongo.rst new file mode 100644 index 00000000000..a214bcc0fbd --- /dev/null +++ b/source/includes/warning-always-use-sslCAFile-for-mongo.rst @@ -0,0 +1,11 @@ +.. warning:: + + If the :program:`mongo` shell or any other tool that connects to + :program:`mongos` or :program:`mongod` is run without + :option:`--sslCAFile `, it will not attempt to validate + server certificates. This results in vulnerability to expired + :program:`mongod` and :program:`mongos` certificates as well as to foreign + processes posing as valid :program:`mongod` or :program:`mongos` + instances. Ensure that you *always* specify the CA file against which + server certificates should be validated in cases where intrusion is a + possibility. 
diff --git a/source/tutorial/configure-ssl-clients.txt b/source/tutorial/configure-ssl-clients.txt index d2c0cb98609..04d865a31c8 100644 --- a/source/tutorial/configure-ssl-clients.txt +++ b/source/tutorial/configure-ssl-clients.txt @@ -29,7 +29,9 @@ SSL support or distributed with MongoDB Enterprise. To support SSL, :file:`.pem` file that contains the SSL certificate and key. - :option:`--sslCAFile` with the name of the :file:`.pem` - file that contains the certificate from the Certificate Authority. + file that contains the certificate from the Certificate Authority (CA). + + .. include:: /includes/warning-always-use-sslCAFile-for-mongo.rst - :option:`--sslPEMKeyPassword` option if the client certificate-key file is encrypted. @@ -52,8 +54,8 @@ Connect to MongoDB Instance that Requires Client Certificates To connect to a :program:`mongod` or :program:`mongos` that requires :ref:`CA-signed client certificates `, start the :program:`mongo` shell with -:option:`--ssl ` and the :setting:`--sslPEMKeyFile -` option to specify the signed certificate-key file, as +:option:`--ssl ` and the :option:`--sslPEMKeyFile +` option to specify the signed certificate-key file, as in the following: .. code-block:: sh
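Review bot: the new include file warning-always-use-sslCAFile-for-mongo.rst has a trailing space inside the role target (`:option:\`--sslCAFile \``), which in the other hunks is where a `<program --option>` target normally sits; as written the role may not resolve to the intended option entry, so check the rendered build for an unresolved reference. The wording also undercuts itself: it says to *always* specify the CA file and then limits that to "cases where intrusion is a possibility". Since the whole point of the warning is that a client without `--sslCAFile` accepts expired certificates and impostor `mongod`/`mongos` instances, drop the trailing qualifier so the instruction reads as unconditional, e.g. "Ensure that you *always* specify the CA file against which server certificates should be validated."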
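Review bot: in the first configure-ssl-clients.txt hunk, the `.. include::` directive is inserted between two items of the option list, so its indentation must match the continuation text of the `--sslCAFile` item for the warning to render inside that bullet rather than as a new top-level block that ends the list; please confirm the built page shows the `--sslPEMKeyPassword` item as part of the same list. The second hunk's change from `:setting:` to `:option:` for `--sslPEMKeyFile` is the right role, but both `:option:\`--ssl \`` and `:option:\`--sslPEMKeyFile \`` carry the same trailing-space target as the new warning file, so the same unresolved-reference check applies there.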
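Review bot: the options-mongo.yaml and options-shared.yaml hunks swap the include from warning-x509-requires-sslCAfile.rst to the new file, but this patch neither removes the old include file nor shows whether anything else still references it. If the old warning is now superseded everywhere, delete it in the same change (or state in the commit message why it is kept) so the two warnings do not drift apart; if it is still used by the x.509 pages, a note in the description would make that explicit.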