Newbie trying to understand MongoDB TLS and x509 authentication

I am new to MongoDB.
Recently our software developer implemented the TLS and x509 security features on the database server.
In the mongo cfg file, TLS is enabled and the pem file path is defined.
There is a set of certs given by the customer.
In order to understand and verify that the authentication feature is implemented correctly, I used Mongo Compass to establish a connection and view collection data.
In Mongo Compass, first I turned on x509, then on the TLS tab I turned on TLS, added the CA cert, added the pem cert, supplied a password, and clicked connect; the connection was established successfully. I assumed that x509, TLS and the certs between client and server all work well.
However, I tried the other way round to see if anyone can exploit this and access the db without certs.
I turned on x509, still turned on TLS, and deleted both the CA and client certs. I enabled the option “allow invalid cert”.
I clicked connect and I am still able to access the db. Can anyone explain to me why?

Hey
Can you show the net.tls.mode section from your mongod.conf file?
You can have the mode set to preferTLS: connections between servers use TLS; for incoming connections, the server accepts both TLS and non-TLS.


net:
  tls:
    mode: requiredTLS
    disabledProtocols: TLS1_0,TLS1_1
    certificateKeyFile: C:/Certs/cert.pem
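
An added example, not part of any post in this thread: a small Python audit of the mongod.conf settings that decide whether a client without a certificate can still connect and read data, run over the config posted above (re-indented). The helper names `flatten` and `audit` are made up for this example, and it assumes a standalone mongod whose config file uses only nested `key: value` mappings.

```python
# Added example: audit mongod.conf keys that govern client-certificate checks.
VALID_MODES = {"disabled", "allowTLS", "preferTLS", "requireTLS"}

# Constructed sample: the config posted in the thread, re-indented.
SAMPLE = """\
net:
  tls:
    mode: requiredTLS
    disabledProtocols: TLS1_0,TLS1_1
    certificateKeyFile: C:/Certs/cert.pem
"""

def flatten(text):
    """Parse nested 'key: value' YAML mappings into {'a.b.c': value}."""
    out, stack = {}, []          # stack holds (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split(" #")[0].rstrip()      # drop inline comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # close deeper/sibling maps
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip("'\"")
        else:
            stack.append((indent, key.strip()))
    return out

def audit(text):
    cfg, findings = flatten(text), []
    mode = cfg.get("net.tls.mode")
    if mode not in VALID_MODES:
        findings.append(f"net.tls.mode={mode!r} is not a recognised value")
    elif mode != "requireTLS":
        findings.append(f"net.tls.mode={mode}: non-TLS clients are accepted")
    if "net.tls.CAFile" not in cfg:
        findings.append("net.tls.CAFile unset: this file names no CA for client certificates")
    if cfg.get("net.tls.allowConnectionsWithoutCertificates", "false") == "true":
        findings.append("allowConnectionsWithoutCertificates: clients may omit a certificate")
    if cfg.get("security.authorization") != "enabled":
        findings.append("security.authorization not enabled in this file: no client has to authenticate")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("-", finding)
```

The client-side "allow invalid cert" option only relaxes the client's check of the server certificate, so it is not something a server config audit can see.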