Implement a hostname check of the server on the client side. Check for a Subject Alternative Name (SAN) match first, and then the Common Name (CN).
Also, check that the server certificate is currently valid (not expired, and not 'not-yet-valid').
These behaviors should be configurable before first use of the driver, by manipulating the process-global connection SSL configuration state (formerly cmdLine.sslOnNormalPorts).
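The checks requested above, as an added sketch that is not the driver's code. `PeerCert`, `Verdict`, `nameMatches` and `checkPeer` are hypothetical names, and the certificate fields are assumed to have already been extracted by the TLS library. It also assumes the CN is consulted only when the certificate carries no SAN dNSName entries, and that a wildcard covers exactly one leftmost label.

```cpp
#include <algorithm>
#include <cctype>
#include <ctime>
#include <string>
#include <vector>

// Hypothetical, already-parsed view of the peer certificate (not a driver type).
struct PeerCert {
    std::vector<std::string> sanDnsNames;  // subjectAltName dNSName entries
    std::string commonName;                // subject CN
    std::time_t notBefore, notAfter;       // validity window
};
enum class Verdict { Ok, NotYetValid, Expired, HostnameMismatch };

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// Case-insensitive exact match, or "*.<two or more labels>" matching one leftmost label.
bool nameMatches(const std::string& pattern, const std::string& host) {
    const std::string p = lower(pattern), h = lower(host);
    if (p.empty() || h.empty()) return false;
    if (p.compare(0, 2, "*.") != 0) return p == h;
    const std::string suffix = p.substr(1);  // e.g. ".example.net"
    if (suffix.find('.', 1) == std::string::npos) return false;  // reject "*.net"
    const std::string::size_type dot = h.find('.');
    return dot != std::string::npos && dot > 0 && h.substr(dot) == suffix;
}

Verdict checkPeer(const PeerCert& cert, const std::string& host, std::time_t now) {
    if (now < cert.notBefore) return Verdict::NotYetValid;
    if (now > cert.notAfter) return Verdict::Expired;
    if (!cert.sanDnsNames.empty()) {
        for (const std::string& san : cert.sanDnsNames)
            if (nameMatches(san, host)) return Verdict::Ok;
        return Verdict::HostnameMismatch;  // assumption: SAN present, CN not consulted
    }
    return nameMatches(cert.commonName, host) ? Verdict::Ok : Verdict::HostnameMismatch;
}

int main() {
    PeerCert cert;  // constructed sample values
    cert.sanDnsNames = {"db1.example.net"};
    cert.commonName = "legacy.example.net";
    cert.notBefore = 1000; cert.notAfter = 2000;
    return checkPeer(cert, "db1.example.net", 1500) == Verdict::Ok ? 0 : 1;
}
```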
- is related to: SERVER-11107 By default, mongod should not start with an expired or invalid server certificate (Closed)