Docsp 4767 backport to 7.2 (#5384)

MongoCaleb · ianf-mongodb · web-flow · commit ebeb1f61a74d · 2023-11-22T13:47:03.000-05:00
* Update source/tutorial/configure-ssl.txt Co-authored-by: ianf-mongodb <85948430+ianf-mongodb@users.noreply.github.com> * Merge branch 'DOCSP-4767-to_7.1' into DOCSP-4767-latest --------- Co-authored-by: ianf-mongodb <85948430+ianf-mongodb@users.noreply.github.com>
diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt
@@ -1690,18 +1690,23 @@ Core Options
 
    .. versionadded:: 4.2
    
-   .. include:: /includes/TLS-SSL-certificates.rst
+   By default, the server bypasses client certificate validation unless 
+   the server is configured to use a CA file. If a CA file is provided, the 
+   following rules apply: 
+
+   - .. include:: /includes/TLS-SSL-certificates.rst
    
-   For clients that present a certificate, however, :binary:`~bin.mongos` or :binary:`~bin.mongod` performs
-   certificate validation using the root certificate chain specified by
-   :setting:`~net.tls.CAFile` and reject clients with invalid certificates.
+   - For clients that present a certificate, :binary:`~bin.mongos` or 
+     :binary:`~bin.mongod` performs certificate validation using the root 
+     certificate chain specified by :setting:`~net.tls.CAFile` and reject 
+     clients with invalid certificates.
    
-   Use the :setting:`net.tls.allowConnectionsWithoutCertificates` option if you have a mixed deployment that includes
-   clients that do not or cannot present certificates to the :binary:`~bin.mongos` or :binary:`~bin.mongod`.
+   Use the :setting:`net.tls.allowConnectionsWithoutCertificates` option if you 
+   have a mixed deployment that includes clients that do not or cannot present 
+   certificates to the :binary:`~bin.mongos` or :binary:`~bin.mongod`.
    
    .. include:: /includes/extracts/tls-facts-see-more.rst
 
-
 .. setting:: net.tls.allowInvalidCertificates
 
    *Type*: boolean
diff --git a/source/reference/program/mongod.txt b/source/reference/program/mongod.txt
@@ -2187,18 +2187,23 @@ TLS Options
 
    .. versionadded:: 4.2
    
-   .. include:: /includes/TLS-SSL-certificates.rst
+   By default, the server bypasses client certificate validation unless 
+   the server is configured to use a CA file. If a CA file is provided, the 
+   following rules apply: 
 
-   For clients that present a certificate, however, ``mongod`` performs
-   certificate validation using the root certificate chain specified by
-   ``--tlsCAFile`` and reject clients with invalid certificates.
+   - .. include:: /includes/TLS-SSL-certificates.rst
+
+   - For clients that present a certificate, ``mongod`` performs
+     certificate validation using the root certificate chain specified by
+     :option:`--tlsCAFile <mongod --tlsCAFile>`  and reject clients with invalid 
+     certificates.
    
-   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have a mixed deployment that includes
-   clients that do not or cannot present certificates to the ``mongod``.
+   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have 
+   a mixed deployment that includes clients that do not or cannot present 
+   certificates to the ``mongod``.
    
    .. include:: /includes/extracts/tls-facts-see-more.rst
 
-
 .. option:: --tlsDisabledProtocols <protocol(s)>
 
    .. versionadded:: 4.2
diff --git a/source/reference/program/mongos.txt b/source/reference/program/mongos.txt
@@ -979,14 +979,20 @@ TLS Options
 
    .. versionadded:: 4.2
    
-   .. include:: /includes/TLS-SSL-certificates.rst
+   By default, the server bypasses client certificate validation unless 
+   the server is configured to use a CA file. If a CA file is provided, the 
+   following rules apply: 
 
-   For clients that present a certificate, however, ``mongos`` performs
-   certificate validation using the root certificate chain specified by
-   ``--tlsCAFile`` and reject clients with invalid certificates.
+   - .. include:: /includes/TLS-SSL-certificates.rst
+
+   - For clients that present a certificate, ``mongos`` performs
+     certificate validation using the root certificate chain specified by
+     :option:`--tlsCAFile <mongod --tlsCAFile>`  and reject clients with invalid 
+     certificates.
    
-   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have a mixed deployment that includes
-   clients that do not or cannot present certificates to the ``mongos``.
+   Use the :option:`--tlsAllowConnectionsWithoutCertificates` option if you have 
+   a mixed deployment that includes clients that do not or cannot present 
+   certificates to the ``mongos``.
    
    .. include:: /includes/extracts/tls-facts-see-more.rst
 
diff --git a/source/tutorial/configure-ssl.txt b/source/tutorial/configure-ssl.txt
@@ -13,7 +13,7 @@ Configure ``mongod`` and ``mongos`` for TLS/SSL
 .. contents:: On this page
    :local:
    :backlinks: none
-   :depth: 1
+   :depth: 2
    :class: singlecol
 
 Overview
@@ -80,6 +80,11 @@ members, it is advisable to use different certificates on different
 servers. This minimizes exposure of the private key and allows for
 hostname validation.
 
+.. note::
+
+   If a MongoDB deployment is not configured to use a CA file, it bypasses client 
+   certificate validation.
+
 .. [#FIPS]
 
    For FIPS mode, ensure that the certificate is FIPS-compliant (i.e
