DOCS-14322 init (#358)

ianf-mongodb · web-flow · commit d2abffa79cc8 · 2022-01-19T16:19:48.000-05:00
diff --git a/source/core/security-x.509.txt b/source/core/security-x.509.txt
@@ -55,6 +55,11 @@ is the :ref:`authentication-database` for the user.
 
 .. include:: /includes/extracts/sessions-external-username-limit.rst
 
+TLS Connection X509 Certificate Startup Warning
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-5.0-x509-certificate-client-warning.rst
+
 Member x.509 Certificates
 -------------------------
 
diff --git a/source/includes/fact-5.0-x509-certificate-client-warning.rst b/source/includes/fact-5.0-x509-certificate-client-warning.rst
@@ -0,0 +1,15 @@
+Starting in MongoDB 5.0, :binary:`mongod` and :binary:`mongos` now 
+issue a startup warning when their certificates do not include a 
+:term:`Subject Alternative Name` attribute.
+
+The following platforms do not support common name validation:
+
+- iOS 13 and higher
+- MacOS 10.15 and higher
+- Go 1.15 and higher
+
+Clients using these platforms will not
+:ref:`authenticate <x509-client-authentication>` to 
+MongoDB servers which use X.509 certificate whose hostnames are 
+:ref:`specified by CommonName attributes 
+<KMIP-subject-alternative-name-CN>`.
diff --git a/source/reference/glossary.txt b/source/reference/glossary.txt
@@ -946,6 +946,12 @@ Glossary
       :doc:`/core/storage-engines` for specific details on the built-in
       storage engines in MongoDB.
 
+   Subject Alternative Name
+      Subject Alternative Name (SAN) is an extension of the X.509 
+      certificate which allows an array of values such as IP addresses 
+      and domain names that specify which resources a single security 
+      certificate may secure.
+
    strict consistency
       A property of a distributed system requiring that all members
       always reflect the latest changes to the system. In a database
diff --git a/source/reference/program/mongod.txt b/source/reference/program/mongod.txt
@@ -3293,6 +3293,8 @@ Encryption Key Management Options
    which it can successfully establish a connection. KMIP server
    selection occurs only at startup.
 
+   .. _KMIP-subject-alternative-name-CN:
+
    When connecting to a KMIP server, the :binary:`~bin.mongod`
    verifies that the specified :option:`--kmipServerName` matches the
    Subject Alternative Name ``SAN`` (or, if ``SAN`` is not present, the
diff --git a/source/release-notes/5.0-compatibility.txt b/source/release-notes/5.0-compatibility.txt
@@ -317,6 +317,14 @@ When run against :binary:`~bin.mongos`, the ``shards`` field in the
 collection on a particular shard. Size values in the ``shards`` field
 are expressed as integers.
 
+Security
+--------
+
+TLS Connection X509 Certificate Startup Warning
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-5.0-x509-certificate-client-warning.rst
+
 Map-Reduce
 ----------
 
diff --git a/source/release-notes/5.0.txt b/source/release-notes/5.0.txt
@@ -563,6 +563,11 @@ MongoDB 5.0 introduces the :parameter:`opensslCipherSuiteConfig`
 parameter to enable configuration of the supported cipher suites OpenSSL
 should permit when using TLS 1.3 encryption.
 
+TLS Connection X509 Certificate Startup Warning
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: /includes/fact-5.0-x509-certificate-client-warning.rst
+
 .. _5.0-rel-notes-sharded-clusters:
 
 ApplyOps Privilege Action
