mongodb · kay-kim · Sep 27, 2018 · Sep 19, 2018
diff --git a/source/includes/options-conf.yaml b/source/includes/options-conf.yaml
@@ -597,6 +597,198 @@ description: |
    Enables or disables IPv6 support. :binary:`~bin.mongos` or
    :binary:`~bin.mongod` disables IPv6 support by default.
 
+---
+program: conf
+name: net.tls.mode
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  verb: "Enables"
+  directive: "setting"
+inherit:
+  name: tlsMode
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.certificateSelector
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  directive: "setting"
+  file: ":setting:`net.tls.PEMKeyFile`"
+inherit:
+  name: tlsCertificateSelector
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.clusterCertificateSelector
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  directive: "setting"
+  file: ":setting:`net.tls.clusterFile`"
+inherit:
+  name: tlsClusterCertificateSelector
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.PEMKeyFile
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "The"
+  selector: ":setting:`net.tls.certificateSelector`"
+
+inherit:
+  name: tlsPEMKeyFile
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.PEMKeyPassword
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "The"
+  pemKeyOption: ":setting:`~net.tls.PEMKeyFile`"
+  selector: ":setting:`net.tls.certificateSelector`"
+inherit:
+  name: tlsPEMKeyPassword
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.clusterFile
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  pemKeyOption: ":setting:`~net.tls.PEMKeyFile`"
+  intro: "The"
+  directive: "setting"
+  selector: ":setting:`net.tls.clusterCertificateSelector`"
+  serverselector: ":setting:`net.tls.certificateSelector`"
+
+inherit:
+  name: tlsClusterFile
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.clusterPassword
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "The"
+  selector: ":setting:`net.tls.clusterCertificateSelector`"
+inherit:
+  name: tlsClusterPassword
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.CAFile
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "The"
+  selector: ":setting:`net.tls.certificateSelector`"
+
+inherit:
+  name: tlsCAFile
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.CRLFile
+type: string
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "The"
+  selector: ":setting:`net.tls.certificateSelector`"
+inherit:
+  name: tlsCRLFile
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.allowConnectionsWithoutCertificates
+type: boolean
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  old_name: "``net.tls.weakCertificateValidation``"
+  verb: "Enable or disable"
+  tlsCA_option: ":setting:`~net.tls.CAFile`"
+inherit:
+  name: tlsAllowConnectionsWithoutCertificates
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.allowInvalidCertificates
+type: boolean
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  verb: "Enable or disable"
+  setting: "``allowInvalidCertificates: true``"
+inherit:
+  name: tlsAllowInvalidCertificates
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.disabledProtocols
+type: string
+directive: setting
+inherit:
+  name: tlsDisabledProtocols
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.FIPSMode
+type: boolean
+directive: setting
+replacement:
+  program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+  intro: "Enable or disable the use of"
+  setting_continuation: " for the {{program}}"
+inherit:
+  name: tlsFIPSMode
+  program: mongod
+  file: options-mongod.yaml
+---
+program: conf
+name: net.tls.allowInvalidHostnames
+directive: setting
+type: boolean
+default: false
+description: |
+  .. versionadded:: 3.0
+
+  When {{role}} is ``true``, MongoDB disables the validation of the
+  hostnames in TLS certificates, allowing {{program}} to connect to
+  MongoDB instances if the hostname their certificates do not match the
+  specified hostname.
+
+  .. include:: /includes/extracts/tls-facts-see-more.rst
+
+replacement:
+  program: ":binary:`~bin.mongod`"
+optional: true
 ---
 program: conf
 name: net.ssl.sslOnNormalPorts
@@ -605,7 +797,7 @@ directive: setting
 replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   verb: "Enable or disable"
-  alternative: ":setting:`net.ssl.mode: requireSSL <~net.ssl.mode>`"
+  alternative: ":setting:`net.tls.mode: requireTLS <net.tls.mode>`"
   option: ":setting:`net.port`"
 inherit:
   name: sslOnNormalPorts
@@ -618,8 +810,9 @@ type: string
 directive: setting
 replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
-  verb: "Enable or disable"
+  verb: "Enables"
   directive: "setting"
+  alternative: ":setting:`net.tls.mode`"
 inherit:
   name: sslMode
   program: mongod
@@ -633,6 +826,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   directive: "setting"
   file: ":setting:`net.ssl.PEMKeyFile`"
+  alternative: ":setting:`net.tls.certificateSelector`"
 inherit:
   name: sslCertificateSelector
   program: mongod
@@ -646,6 +840,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   directive: "setting"
   file: ":setting:`net.ssl.clusterFile`"
+  alternative: ":setting:`net.tls.clusterCertificateSelector`"
 inherit:
   name: sslClusterCertificateSelector
   program: mongod
@@ -659,7 +854,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   intro: "The"
   selector: ":setting:`net.ssl.certificateSelector`"
-
+  alternative: ":setting:`net.tls.PEMKeyFile`"
 inherit:
   name: sslPEMKeyFile
   program: mongod
@@ -674,6 +869,7 @@ replacement:
   intro: "The"
   pemKeyOption: ":setting:`~net.ssl.PEMKeyFile`"
   selector: ":setting:`net.ssl.certificateSelector`"
+  alternative: ":setting:`net.tls.PEMKeyPassword`"
 inherit:
   name: sslPEMKeyPassword
   program: mongod
@@ -690,7 +886,7 @@ replacement:
   directive: "setting"
   selector: ":setting:`net.ssl.clusterCertificateSelector`"
   serverselector: ":setting:`net.ssl.certificateSelector`"
-
+  alternative: ":setting:`net.tls.clusterFile`"
 inherit:
   name: sslClusterFile
   program: mongod
@@ -704,6 +900,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   intro: "The"
   selector: ":setting:`net.ssl.clusterCertificateSelector`"
+  alternative: ":setting:`net.tls.clusterPassword`"
 inherit:
   name: sslClusterPassword
   program: mongod
@@ -717,7 +914,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   intro: "The"
   selector: ":setting:`net.ssl.certificateSelector`"
-
+  alternative: ":setting:`net.tls.CAFile`"
 inherit:
   name: sslCAFile
   program: mongod
@@ -731,6 +928,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   intro: "The"
   selector: ":setting:`net.ssl.certificateSelector`"
+  alternative: ":setting:`net.tls.CRLFile`"
 inherit:
   name: sslCRLFile
   program: mongod
@@ -745,6 +943,7 @@ replacement:
   old_name: "``net.ssl.weakCertificateValidation``"
   verb: "Enable or disable"
   sslCA_option: ":setting:`~net.ssl.CAFile`"
+  alternative: ":setting:`net.tls.allowConnectionsWithoutCertificates`"
 inherit:
   name: sslAllowConnectionsWithoutCertificates
   program: mongod
@@ -758,6 +957,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   verb: "Enable or disable"
   setting: "``allowInvalidCertificates: true``"
+  alternative: ":setting:`net.tls.allowInvalidCertificates`"
 inherit:
   name: sslAllowInvalidCertificates
   program: mongod
@@ -767,6 +967,8 @@ program: conf
 name: net.ssl.disabledProtocols
 type: string
 directive: setting
+replacement:
+  alternative: ":setting:`net.tls.disabledProtocols`"
 inherit:
   name: sslDisabledProtocols
   program: mongod
@@ -780,6 +982,7 @@ replacement:
   program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
   intro: "Enable or disable the use of"
   setting_continuation: " for the {{program}}"
+  alternative: ":setting:`net.tls.FIPSMode`"
 inherit:
   name: sslFIPSMode
   program: mongod
@@ -1649,6 +1852,10 @@ directive: setting
 type: boolean
 default: false
 description: |
+  ..deprecated:: 4.2
+
+  Use {{alternative}} instead.
+
   .. versionadded:: 3.0
 
   When {{role}} is ``true``, MongoDB disables the validation of the
@@ -1660,6 +1867,7 @@ description: |
 
 replacement:
   program: ":binary:`~bin.mongod`"
+  alternative: ":setting:`net.tls.allowInvalidHostnames`"
 optional: true
 ---
 program: conf