I have set up a stand-alone mongod like this:

```yaml
net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: mongo.server.pem
    CAFile: mongo-ca.cer
    allowConnectionsWithoutCertificates: false
    allowInvalidCertificates: false
security:
  authorization: enabled
```
Documentation says:
- For clients that don't provide certificates, mongod or mongos encrypts the TLS/SSL connection, assuming the connection is successfully made.
- For clients that present a certificate, mongos or mongod performs certificate validation using the root certificate chain specified by CAFile and reject clients with invalid certificates.
However, the behavior is different.
If I don't provide a client certificate, then the connection is rejected (instead of "encrypts the TLS/SSL connection, assuming the connection is successfully made"):

```
mongosh "mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8afb4924b39f4ec3b77f5
Connecting to: mongodb://localhost:27017/?tls=true&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
MongoServerSelectionError: connection <monitor> to 127.0.0.1:27017 closed
```
If I provide an invalid client certificate, then the connection is successful (instead of "reject clients with invalid certificates"):

```
openssl verify -CAfile mongo-ca.cer mongo.client-bad.pem
CN = admin
error 20 at 0 depth lookup: unable to get local issuer certificate
error mongo.client-bad.pem: verification failed

mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8b0987645903dc9cc5ecd
Connecting to: mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB: 7.0.5
Using Mongosh: 2.1.1
test> db.getMongo()
mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client-bad.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
```
If the client provides a valid certificate, then of course everything is working fine and as expected:

```
openssl verify -CAfile mongo-ca.cer mongo.client.pem
mongo.client.pem: OK
openssl verify -CAfile mongo-ca.cer mongo.server.pem
mongo.server.pem: OK

mongosh "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer"
Current Mongosh Log ID: 65b8b213027a4c163908974c
Connecting to: mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
Using MongoDB: 7.0.5
Using Mongosh: 2.1.1
test> db.getMongo()
mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=mongo.client.pem&tlsCAFile=mongo-ca.cer&directConnection=true&serverSelectionTimeoutMS=2000&appName=mongosh+2.1.1
```

Tested in a Windows 10 environment.
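To reproduce the split above in a controlled way, here is an added shell script (not from the post or from MongoDB): it builds a trusted CA, a second untrusted CA and two client certificates that both carry CN=admin, so `openssl verify` returns OK for one and "unable to get local issuer certificate" for the other, exactly the two cases tested above. The file names, the `$WORK` directory and the `probe` function against a mongod on localhost:27017 are assumptions.

```shell
#!/bin/sh
# Constructed fixtures: mongo-ca (trusted), rogue-ca (untrusted) and two client
# certs with the same subject, so that only the issuing CA tells them apart.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: self-signed CA key and certificate in $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.cer" 2>/dev/null
}

# make_client NAME CA: client cert CN=admin signed by CA, plus a combined
# cert+key PEM in the layout mongosh's tlsCertificateKeyFile expects
make_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.cer" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" 2>/dev/null
  cat "$WORK/$1.crt" "$WORK/$1.key" > "$WORK/$1.pem"
}

# verifies_against CA NAME: exit 0 if NAME chains to CA, 1 otherwise.
# This is the decision a mongod with allowInvalidCertificates: false should make.
verifies_against() {
  openssl verify -CAfile "$WORK/$1.cer" "$WORK/$2.crt" >/dev/null 2>&1
}

build_fixtures() {
  make_ca mongo-ca
  make_ca rogue-ca
  make_client mongo.client mongo-ca        # should verify and be accepted
  make_client mongo.client-bad rogue-ca    # error 20 at depth 0, should be rejected
}

# probe NAME: ask a live mongod (assumed on localhost:27017) whether it accepts
# this client certificate; compare the answer with verifies_against.
probe() {
  if mongosh --quiet \
      "mongodb://localhost:27017/?tls=true&tlsCertificateKeyFile=$WORK/$1.pem&tlsCAFile=$WORK/mongo-ca.cer" \
      --eval 'db.runCommand({ ping: 1 })' >/dev/null 2>&1; then
    echo "$1: accepted by mongod"
  else
    echo "$1: rejected by mongod"
  fi
}
```

Run `build_fixtures`, then `probe mongo.client` and `probe mongo.client-bad`; a server that enforces its CAFile reports the second one as rejected, matching `verifies_against mongo-ca mongo.client-bad` failing.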