# Copyright (C) 2018-present MongoDB, Inc. # # This program is free software: you can redistribute it and/or modify # it under the terms of the Server Side Public License, version 1, # as published by MongoDB, Inc. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # Server Side Public License for more details. # # You should have received a copy of the Server Side Public License # along with this program. If not, see # . # # As a special exception, the copyright holders give permission to link the # code of portions of this program with the OpenSSL library under certain # conditions as described in each individual source file and distribute # linked combinations including the program with the OpenSSL library. You # must comply with the Server Side Public License in all respects for # all of the code used other than as permitted herein. If you modify file(s) # with this exception, you may extend this exception to your version of the # file(s), but you are not obligated to do so. If you do not wish to do so, # delete this exception statement from your version. If you delete this # exception statement from all source files in the program, then also delete # it in the license file. # global: cpp_namespace: "mongo" cpp_includes: - "mongo/util/net/ssl_options.h" - "mongo/util/net/ssl_parameters.h" imports: - "mongo/crypto/sha256_block.idl" - "mongo/db/auth/auth_types.idl" structs: TLSCATrust: description: strict: true fields: sha256: sha256BlockHex roles: array server_parameters: opensslDiffieHellmanParameters: description: "OpenSSL Diffie-Hellman parameters" set_at: startup cpp_varname: "sslGlobalParams.sslPEMTempDHParam" suppressNoTLSPeerCertificateWarning: description: "Do not display a warning when client fails to send a TLS certificate" set_at: startup cpp_varname: "sslGlobalParams.suppressNoTLSPeerCertificateWarning" tlsWithholdClientCertificate: deprecated_name: "sslWithholdClientCertificate" description: "Do not send a client certificate when establishing intra-cluster connections" set_at: startup cpp_varname: "sslGlobalParams.tlsWithholdClientCertificate" ocspEnabled: description: "Enable OCSP" set_at: startup default: true cpp_vartype: bool cpp_varname: "tlsOCSPEnabled" ocspCacheSize: description: "Maximum number of entries in the OCSP Cache" set_at: startup default: 300 cpp_vartype: std::int32_t cpp_varname: "tlsOCSPCacheSize" validator: gt: 0 ocspStaplingRefreshPeriodSecs: description: "Interval at which the OCSP response will be refreshed" set_at: startup cpp_vartype: long long deprecated_name: ocspValidationRefreshPeriodSecs default: -1 cpp_varname: "kOCSPStaplingRefreshPeriodSecs" validator: gte: 1 tlsOCSPVerifyTimeoutSecs: description: >- How long the http client should wait before timing out when fetching OCSP Responses for peer certificate set_at: startup cpp_vartype: int default: 5 cpp_varname: "gTLSOCSPVerifyTimeoutSecs" validator: gte: 1 tlsOCSPStaplingTimeoutSecs: description: >- How long the http client should wait before timing out when fetching OCSP Responses for stapling. If not set, value is taken from tlsClientOCSPTimeoutSecs set_at: startup cpp_vartype: int default: -1 cpp_varname: "gTLSOCSPStaplingTimeoutSecs" validator: gte: 1 tlsOCSPSlowResponderWarningSecs: description: >- How long to wait for an OCSP response before logging a warning message indicating that the responder is slow. set_at: startup cpp_vartype: int default: 5 cpp_varname: "gTLSOCSPSlowResponderWarningSecs" validator: gte: 1 opensslCipherConfig: description: "Cipher configuration string for OpenSSL based TLS connections" set_at: startup cpp_varname: "sslGlobalParams.sslCipherConfig" validator: callback: "validateOpensslCipherConfig" opensslCipherSuiteConfig: description: "Cipher configuration string for OpenSSL based connections that use TLS 1.3 or newer ONLY" set_at: startup cpp_varname: "sslGlobalParams.sslCipherSuiteConfig" disableNonTLSConnectionLogging: deprecated_name: "disableNonSSLConnectionLogging" description: "Suppress logging of warnings when non-SSL connections are accepted in preferSSL mode" set_at: startup cpp_varname: "sslGlobalParams.disableNonSSLConnectionLogging" validator: callback: "validateDisableNonTLSConnectionLogging" on_update: "onUpdateDisableNonTLSConnectionLogging" sslMode: description: "Transition from allowSSL to preferSSL, or from preferSSL to requireSSL" set_at: runtime cpp_class: SSLModeServerParameter tlsMode: description: "Transition from allowTLS to preferTLS, or from preferTLS to requireTLS" set_at: runtime cpp_class: TLSModeServerParameter tlsX509ClusterAuthDNOverride: description: "Distinguished name to use for cluster membership" set_at: [startup, runtime] cpp_class: ClusterMemberDNOverride tlsX509ExpirationWarningThresholdDays: description: >- If a client connects to the server using an X509 certificate expiring in less than the configured number of days, a warning will be emitted to the server logs. Set this value to 0 to disable the warning. set_at: startup cpp_vartype: std::int32_t cpp_varname: "tlsX509ExpirationWarningThresholdDays" default: 30 validator: gte: 0 tlsCATrusts: description: >- Specify by fingerprint the certificate authorities which are allowed to accept role authorizations from an X509 certificate and the specific roles they are allowed to impart. set_at: startup cpp_class: name: TLSCATrustsSetParameter override_set: true condition: preprocessor: 'defined(__linux__)'