Remove tlsAllowInvalidCertificates option (#325)

## Issue Security team requests to terminate the use of the `tlsAllowInvalidCertificates ` flag
canonical · Jan 19, 2024 · 36c0612 · 36c0612
1 parent 678f839
commit 36c0612
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/charms/mongodb/v1/helpers.py b/lib/charms/mongodb/v1/helpers.py
@@ -174,7 +174,8 @@ def get_mongod_args(
                 f"--tlsCAFile={full_conf_dir}/{TLS_EXT_CA_FILE}",
                 f"--tlsCertificateKeyFile={full_conf_dir}/{TLS_EXT_PEM_FILE}",
                 # allow non-TLS connections
-                "--tlsMode=preferTLS",
+                "--tlsMode=requireTLS",
+                "--tlsDisabledProtocols=TLS1_0,TLS1_1",
             ]
         )
 
@@ -183,7 +184,6 @@ def get_mongod_args(
         cmd.extend(
             [
                 "--clusterAuthMode=x509",
-                "--tlsAllowInvalidCertificates",
                 f"--tlsClusterCAFile={full_conf_dir}/{TLS_INT_CA_FILE}",
                 f"--tlsClusterFile={full_conf_dir}/{TLS_INT_PEM_FILE}",
             ]