I have a cluster of 3 shard servers, 3 config servers and 1 mongos server in a dev environment. I would like to make communication between Mongo components TLS compulsory and communication between the application and mongos non-TLS. So I am enabling requireTLS mode in the shards and config servers only, and I am enabling preferTLS mode in the mongos server, so application communication to mongos will not require TLS certs. I have enabled the settings and the cluster is currently running fine in dev. But I am getting one log message in the mongos log; what does this mean? Is this technically right, requireTLS (mongod) + preferTLS (mongos)?
Log: SSL mode is set to 'preferred' and connection to remote is not using SSL
Is this because of not wanting to use client certificates? In this case the server can be configured to not require them; this does not greatly reduce the security of TLS, indeed it is very common. net.tls.allowConnectionsWithoutCertificates permits clients to connect without using a certificate.
Or is this because of not wanting to distribute CA certificates to the clients? This can also be worked around, but it implicitly trusts server certificates, which opens up Man-in-the-middle attacks; it is arguably more secure than using "in-the-clear" connections as allowed by preferTLS.
This can be controlled by the client connection options; often this option is tlsAllowInvalidCertificates.
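An added example, not from the original thread, showing the two mongos settings the reply contrasts: the preferTLS mode from the question, and requireTLS with net.tls.allowConnectionsWithoutCertificates so every connection is encrypted while applications still need no client certificate. Hostnames and file paths are placeholders.

```yaml
# Constructed example, not from the original thread. Paths and hosts are placeholders.
# Each "---" document is a separate config file.

# --- Shard and config server (mongod): TLS mandatory on every connection ---
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongo/tls/mongod.pem   # placeholder
    CAFile: /etc/mongo/tls/ca.pem                   # placeholder
---
# --- mongos as configured in the question: preferTLS ---
# Connections to the shards/config servers use TLS, but a client that does not
# start TLS is accepted in the clear. Each such client produces the logged
# "SSL mode is set to 'preferred' and connection to remote is not using SSL".
net:
  tls:
    mode: preferTLS
    certificateKeyFile: /etc/mongo/tls/mongos.pem   # placeholder
    CAFile: /etc/mongo/tls/ca.pem                   # placeholder
---
# --- mongos as the reply suggests: requireTLS, no client certificate needed ---
# Every client connection is encrypted and the mongos certificate can be
# verified by clients, but clients are not asked to present a certificate.
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/mongo/tls/mongos.pem   # placeholder
    CAFile: /etc/mongo/tls/ca.pem                   # placeholder
    allowConnectionsWithoutCertificates: true

# Application connection strings for the hardened mongos (placeholders):
#   With the CA distributed to clients, server identity is verified:
#     mongodb://mongos.example:27017/?tls=true&tlsCAFile=/etc/app/ca.pem
#   Without the CA, the reply's fallback; encrypted but not MITM-resistant:
#     mongodb://mongos.example:27017/?tls=true&tlsAllowInvalidCertificates=true
```

Switching mongos to requireTLS makes the "not using SSL" log line disappear because no plaintext client connection is accepted any more.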