Right now if you don't provide the --sslForceCertificateValidation flag the drivers can connect to the server without presenting a valid client certificate. This is a bad default as it can cause misconfiguration of the server making clients believe that they are validating certificates when in fact they are not unless they provide the --sslForceCertificateValidation flag.

I propose you get rid of the --sslForceCertificateValidation set validation as default if you provide a certificate store and add a new flag called

--sslIgnoreCertificateValidation

This makes the action of lowering the security level a user explicit decision and the default is the strongest possible validation.

----------------------------------------
The stuff under here is from when I discovered the behavior

Running the mongod instance with the following parameters

mongod --noprealloc --smallfiles --dbpath /Users/ck/coding/projects/node-mongodb-native/data/data-27017 --port 27017 --journal --sslOnNormalPorts --sslPEMKeyFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/server.pem --sslCAFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/ca.pem --sslCRLFile=/Users/ck/coding/projects/node-mongodb-native/test/certificates/crl.pem

When providing key and cert in node.js (as needed in node.js) the server responds with.

Thu Jan 17 15:48:29.545 [initandlisten] connection accepted from 127.0.0.1:59572 #2 (1 connection now open)
Thu Jan 17 15:48:29.555 [conn2] end connection 127.0.0.1:59572 (0 connections now open)

in log which is as expected but if I only provide the cert

Thu Jan 17 15:49:23.039 [initandlisten] connection accepted from 127.0.0.1:59573 #3 (1 connection now open)
Thu Jan 17 15:49:23.041 [conn3] no SSL certificate provided by peer
Thu Jan 17 15:49:23.048 [conn3] end connection 127.0.0.1:59573 (0 connections now open)

But socket stays open and operations are executed correctly against the db