From 3b225c577d0e179eaf7bc3c8c3b71bff9cbc42f2 Mon Sep 17 00:00:00 2001
From: Isabella Siu
Date: Wed, 19 Sep 2018 17:30:36 -0400
Subject: [PATCH] DOCS-11908 ssl -> tls stuff i forgot the first time
---
 source/includes/options-conf.yaml | 218 ++++++++++++++++++++-
 source/includes/options-mongos.yaml | 28 +++
 source/reference/configuration-options.txt | 73 ++++++-
 source/release-notes/4.2.txt | 6 +-
 4 files changed, 316 insertions(+), 9 deletions(-)
diff --git a/source/includes/options-conf.yaml b/source/includes/options-conf.yaml
index 7111275b41f..1570184720e 100644
--- a/source/includes/options-conf.yaml
+++ b/source/includes/options-conf.yaml
@@ -597,6 +597,198 @@ description: |
 Enables or disables IPv6 support. :binary:`~bin.mongos` or :binary:`~bin.mongod` disables IPv6 support by default.
+---
+program: conf
+name: net.tls.mode
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ verb: "Enables"
+ directive: "setting"
+inherit:
+ name: tlsMode
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.certificateSelector
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ directive: "setting"
+ file: ":setting:`net.tls.PEMKeyFile`"
+inherit:
+ name: tlsCertificateSelector
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.clusterCertificateSelector
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ directive: "setting"
+ file: ":setting:`net.tls.clusterFile`"
+inherit:
+ name: tlsClusterCertificateSelector
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.PEMKeyFile
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ intro: "The"
+ selector: ":setting:`net.tls.certificateSelector`"
+
+inherit:
+ name: tlsPEMKeyFile
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.PEMKeyPassword
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ intro: "The"
+ pemKeyOption: ":setting:`~net.tls.PEMKeyFile`"
+ selector: ":setting:`net.tls.certificateSelector`"
+inherit:
+ name: tlsPEMKeyPassword
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.clusterFile
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ pemKeyOption: ":setting:`~net.tls.PEMKeyFile`"
+ intro: "The"
+ directive: "setting"
+ selector: ":setting:`net.tls.clusterCertificateSelector`"
+ serverselector: ":setting:`net.tls.certificateSelector`"
+
+inherit:
+ name: tlsClusterFile
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.clusterPassword
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ intro: "The"
+ selector: ":setting:`net.tls.clusterCertificateSelector`"
+inherit:
+ name: tlsClusterPassword
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.CAFile
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ intro: "The"
+ selector: ":setting:`net.tls.certificateSelector`"
+
+inherit:
+ name: tlsCAFile
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.CRLFile
+type: string
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ intro: "The"
+ selector: ":setting:`net.tls.certificateSelector`"
+inherit:
+ name: tlsCRLFile
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.allowConnectionsWithoutCertificates
+type: boolean
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ old_name: "``net.tls.weakCertificateValidation``"
+ verb: "Enable or disable"
+ tlsCA_option: ":setting:`~net.tls.CAFile`"
+inherit:
+ name: tlsAllowConnectionsWithoutCertificates
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.allowInvalidCertificates
+type: boolean
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ verb: "Enable or disable"
+ setting: "``allowInvalidCertificates: true``"
+inherit:
+ name: tlsAllowInvalidCertificates
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.disabledProtocols
+type: string
+directive: setting
+inherit:
+ name: tlsDisabledProtocols
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.FIPSMode
+type: boolean
+directive: setting
+replacement:
+ program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
+ intro: "Enable or disable the use of"
+ setting_continuation: " for the {{program}}"
+inherit:
+ name: tlsFIPSMode
+ program: mongod
+ file: options-mongod.yaml
+---
+program: conf
+name: net.tls.allowInvalidHostnames
+directive: setting
+type: boolean
+default: false
+description: |
+ .. versionadded:: 3.0
+
+ When {{role}} is ``true``, MongoDB disables the validation of the
+ hostnames in TLS certificates, allowing {{program}} to connect to
+ MongoDB instances if the hostname their certificates do not match the
+ specified hostname.
+
+ .. include:: /includes/extracts/tls-facts-see-more.rst
+
+replacement:
+ program: ":binary:`~bin.mongod`"
+optional: true
 ---
 program: conf
 name: net.ssl.sslOnNormalPorts
@@ -605,7 +797,7 @@ directive: setting
 replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 verb: "Enable or disable"
- alternative: ":setting:`net.ssl.mode: requireSSL <~net.ssl.mode>`"
+ alternative: ":setting:`net.tls.mode: requireTLS `"
 option: ":setting:`net.port`"
 inherit:
 name: sslOnNormalPorts
@@ -618,8 +810,9 @@ type: string
 directive: setting
 replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
- verb: "Enable or disable"
+ verb: "Enables"
 directive: "setting"
+ alternative: ":setting:`net.tls.mode`"
 inherit:
 name: sslMode
 program: mongod
@@ -633,6 +826,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 directive: "setting"
 file: ":setting:`net.ssl.PEMKeyFile`"
+ alternative: ":setting:`net.tls.certificateSelector`"
 inherit:
 name: sslCertificateSelector
 program: mongod
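Review bot: In the new `net.tls.allowConnectionsWithoutCertificates` entry, `old_name` is set to net.tls.weakCertificateValidation, but the former name this option replaced is the one the existing net.ssl entry later in this file records, net.ssl.weakCertificateValidation; nothing in the patch shows a setting ever spelled with tls, so if the inherited mongod text renders {{old_name}} as the former name, the line should read old_name: "``net.ssl.weakCertificateValidation``". The hand-written `net.tls.allowInvalidHostnames` entry at the end of the hunk is also out of step with its siblings: it keeps `.. versionadded:: 3.0` and a `program:` replacement naming only mongod, while every other `net.tls.*` entry here is a 4.2 addition naming both mongos and mongod, and it could inherit the way the rest do if options-mongod.yaml defines a tlsAllowInvalidHostnames entry, which the mongos hunk's reference to `--tlsAllowInvalidHostnames` suggests. Its sentence "if the hostname their certificates do not match the specified hostname" is missing a word; I would write "if the hostname in their certificates does not match the specified hostname". Because this setting turns off the peer-identity check, the description should carry a one-line warning along the lines of "Disabling hostname validation allows any certificate chaining to the trusted CA to impersonate a peer; use only for testing."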
@@ -646,6 +840,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 directive: "setting"
 file: ":setting:`net.ssl.clusterFile`"
+ alternative: ":setting:`net.tls.clusterCertificateSelector`"
 inherit:
 name: sslClusterCertificateSelector
 program: mongod
@@ -659,7 +854,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 intro: "The"
 selector: ":setting:`net.ssl.certificateSelector`"
-
+ alternative: ":setting:`net.tls.PEMKeyFile`"
 inherit:
 name: sslPEMKeyFile
 program: mongod
@@ -674,6 +869,7 @@ replacement:
 intro: "The"
 pemKeyOption: ":setting:`~net.ssl.PEMKeyFile`"
 selector: ":setting:`net.ssl.certificateSelector`"
+ alternative: ":setting:`net.tls.PEMKeyPassword`"
 inherit:
 name: sslPEMKeyPassword
 program: mongod
@@ -690,7 +886,7 @@ replacement:
 directive: "setting"
 selector: ":setting:`net.ssl.clusterCertificateSelector`"
 serverselector: ":setting:`net.ssl.certificateSelector`"
-
+ alternative: ":setting:`net.tls.clusterFile`"
 inherit:
 name: sslClusterFile
 program: mongod
@@ -704,6 +900,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 intro: "The"
 selector: ":setting:`net.ssl.clusterCertificateSelector`"
+ alternative: ":setting:`net.tls.clusterPassword`"
 inherit:
 name: sslClusterPassword
 program: mongod
@@ -717,7 +914,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 intro: "The"
 selector: ":setting:`net.ssl.certificateSelector`"
-
+ alternative: ":setting:`net.tls.CAFile`"
 inherit:
 name: sslCAFile
 program: mongod
@@ -731,6 +928,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 intro: "The"
 selector: ":setting:`net.ssl.certificateSelector`"
+ alternative: ":setting:`net.tls.CRLFile`"
 inherit:
 name: sslCRLFile
 program: mongod
@@ -745,6 +943,7 @@ replacement:
 old_name: "``net.ssl.weakCertificateValidation``"
 verb: "Enable or disable"
 sslCA_option: ":setting:`~net.ssl.CAFile`"
+ alternative: ":setting:`net.tls.allowConnectionsWithoutCertificates`"
 inherit:
 name: sslAllowConnectionsWithoutCertificates
 program: mongod
@@ -758,6 +957,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 verb: "Enable or disable"
 setting: "``allowInvalidCertificates: true``"
+ alternative: ":setting:`net.tls.allowInvalidCertificates`"
 inherit:
 name: sslAllowInvalidCertificates
 program: mongod
@@ -767,6 +967,8 @@ program: conf
 name: net.ssl.disabledProtocols
 type: string
 directive: setting
+replacement:
+ alternative: ":setting:`net.tls.disabledProtocols`"
 inherit:
 name: sslDisabledProtocols
 program: mongod
@@ -780,6 +982,7 @@ replacement:
 program: ":binary:`~bin.mongos` or :binary:`~bin.mongod`"
 intro: "Enable or disable the use of"
 setting_continuation: " for the {{program}}"
+ alternative: ":setting:`net.tls.FIPSMode`"
 inherit:
 name: sslFIPSMode
 program: mongod
@@ -1649,6 +1852,10 @@ directive: setting
 type: boolean
 default: false
 description: |
+ ..deprecated:: 4.2
+
+ Use {{alternative}} instead.
+
 .. versionadded:: 3.0
 When {{role}} is ``true``, MongoDB disables the validation of the
@@ -1660,6 +1867,7 @@ description: |
 replacement:
 program: ":binary:`~bin.mongod`"
+ alternative: ":setting:`net.tls.allowInvalidHostnames`"
 optional: true
 ---
 program: conf
diff --git a/source/includes/options-mongos.yaml b/source/includes/options-mongos.yaml
index 3f214f3520d..7044bf88ac6 100644
--- a/source/includes/options-mongos.yaml
+++ b/source/includes/options-mongos.yaml
@@ -271,6 +271,8 @@ inherit:
 name: sslCertificateSelector
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsCertificateSelector `"
 ---
 program: mongos
 name: sslClusterCertificateSelector
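Review bot: The deprecation notice added to the `net.ssl.allowInvalidHostnames` description in hunk `@@ -1649,6 +1852,10 @@` is written `..deprecated:: 4.2` with no space after the two dots, so reStructuredText will not parse it as a directive and the line will come out as literal text instead of a deprecation admonition; it should be `.. deprecated:: 4.2`, matching the `.. versionadded:: 3.0` two lines below it. This entry appears to be hand-written rather than inherited (it has its own `description:` block, unlike the other net.ssl entries in this file, which only gain an `alternative:` replacement), so this line is the only deprecation marker readers of that setting will see. The `{{alternative}}` it substitutes is supplied by the following hunk, so the reference itself is fine. The description block begins and ends outside this hunk.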
@@ -278,6 +280,8 @@ inherit:
 name: sslClusterCertificateSelector
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsClusterCertificateSelector `"
 ---
 program: mongos
 name: sslMode
@@ -285,6 +289,8 @@ inherit:
 name: sslMode
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsMode `"
 ---
 program: mongos
 name: sslPEMKeyFile
@@ -292,6 +298,8 @@ inherit:
 name: sslPEMKeyFile
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsPEMKeyFile `"
 ---
 program: mongos
 name: sslPEMKeyPassword
@@ -299,6 +307,8 @@ inherit:
 name: sslPEMKeyPassword
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsPEMKeyPassword `"
 ---
 program: mongos
 name: sslClusterFile
@@ -306,6 +316,8 @@ inherit:
 name: sslClusterFile
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsClusterFile `"
 ---
 program: mongos
 name: sslClusterPassword
@@ -313,6 +325,8 @@ inherit:
 name: sslClusterPassword
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsClusterPassword `"
 ---
 program: mongos
 name: sslCAFile
@@ -320,6 +334,8 @@ inherit:
 name: sslCAFile
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsCAFile `"
 ---
 program: mongos
 name: sslCRLFile
@@ -327,6 +343,8 @@ inherit:
 name: sslCRLFile
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsCRLFile `"
 ---
 program: mongos
 name: sslAllowInvalidCertificates
@@ -334,6 +352,8 @@ inherit:
 name: sslAllowInvalidCertificates
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsAllowInvalidCertificates `"
 ---
 program: mongos
 name: sslAllowInvalidHostnames
@@ -341,6 +361,8 @@ inherit:
 name: sslAllowInvalidHostnames
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsAllowInvalidHostnames `"
 ---
 program: mongos
 name: sslAllowConnectionsWithoutCertificates
@@ -348,6 +370,8 @@ inherit:
 name: sslAllowConnectionsWithoutCertificates
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsAllowConnectionsWithoutCertificates `"
 ---
 program: mongos
 name: sslDisabledProtocols
@@ -355,6 +379,8 @@ inherit:
 name: sslDisabledProtocols
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsDisabledProtocols `"
 ---
 program: mongos
 name: sslFIPSMode
@@ -362,6 +388,8 @@ inherit:
 name: sslFIPSMode
 program: mongod
 file: options-mongod.yaml
+replacement:
+ alternative: ":option:`--tlsFIPSMode `"
 ---
 program: mongos
 name: tlsCertificateSelector
diff --git a/source/reference/configuration-options.txt b/source/reference/configuration-options.txt
index ab91823f024..713e89ef1c6 100644
--- a/source/reference/configuration-options.txt
+++ b/source/reference/configuration-options.txt
@@ -256,6 +256,11 @@ Core Options
 ``net`` Options
 ~~~~~~~~~~~~~~~
+.. versionchanged:: 4.2
+
+ MongoDB 4.2 deprecates ``ssl`` options in favor of ``tls`` options with
+ identical functionality.
+
 .. code-block:: yaml
 net:
@@ -269,8 +274,7 @@ Core Options
 enabled:
 pathPrefix:
 filePermissions:
- ssl:
- sslOnNormalPorts: # deprecated since 2.6
+ tls:
 certificateSelector:
 clusterCertificateSelector:
 mode:
@@ -325,10 +329,75 @@ Core Options
 .. include:: /includes/warning-http-interface.rst
+.. _net-tls-conf-options:
+
+``net.tls`` Options
+```````````````````
+
+.. versionadded:: 4.2
+
+ MongoDB 4.2 adds ``tls`` options with identical functionality as the previous
+ ``ssl`` options.
+
+.. code-block:: yaml
+
+ net:
+ tls:
+ mode:
+ PEMKeyFile:
+ PEMKeyPassword:
+ certificateSelector:
+ clusterCertificateSelector:
+ clusterFile:
+ clusterPassword:
+ CAFile:
+ CRLFile:
+ allowConnectionsWithoutCertificates:
+ allowInvalidCertificates:
+ allowInvalidHostnames:
+ disabledProtocols:
+ FIPSMode:
+
+.. include:: /includes/option/setting-conf-net.tls.mode.rst
+
+.. include:: /includes/option/setting-conf-net.tls.PEMKeyFile.rst
+
+.. include:: /includes/option/setting-conf-net.tls.PEMKeyPassword.rst
+
+.. include:: /includes/option/setting-conf-net.tls.certificateSelector.rst
+
+.. include:: /includes/option/setting-conf-net.tls.clusterCertificateSelector.rst
+
+.. include:: /includes/option/setting-conf-net.tls.clusterFile.rst
+
+.. include:: /includes/option/setting-conf-net.tls.clusterPassword.rst
+
+.. include:: /includes/option/setting-conf-net.tls.CAFile.rst
+
+.. include:: /includes/option/setting-conf-net.tls.CRLFile.rst
+
+.. include:: /includes/option/setting-conf-net.tls.allowConnectionsWithoutCertificates.rst
+
+.. include:: /includes/option/setting-conf-net.tls.allowInvalidCertificates.rst
+
+.. include:: /includes/option/setting-conf-net.tls.allowInvalidHostnames.rst
+
+.. include:: /includes/option/setting-conf-net.tls.disabledProtocols.rst
+
+.. include:: /includes/option/setting-conf-net.tls.FIPSMode.rst
+
+.. _net-ssl-conf-options:
 ``net.ssl`` Options
 ```````````````````
+.. important::
+
+ All SSL options are deprecated since 4.2. Use the :ref:`TLS counterparts
+ ` instead, as they have identical functionality to the
+ SSL options. The SSL protocol is deprecated and MongoDB supports TLS 1.0
+ and later.
+
 .. code-block:: yaml
 net:
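Review bot: The `.. important::` added to the `net.ssl` section says "The SSL protocol is deprecated and MongoDB supports TLS 1.0 and later", which reads as if TLS 1.0 were an acceptable floor; TLS 1.0 and 1.1 are themselves deprecated protocol versions, and renaming ssl options to tls does not change which versions the server will negotiate. I would add one sentence pointing at the knob this same hunk lists, e.g. ``To prevent negotiation of older protocol versions, set :setting:`net.tls.disabledProtocols`.``, so readers do not conclude that switching to the tls options hardens anything by itself. The `:ref:` role in that admonition shows no target after "TLS counterparts", which would be a broken cross-reference if it is really absent from the file, though it may be an artifact of how this patch was captured and is worth checking against the source. Likewise `.. _net-ssl-conf-options:` is placed immediately above the ``net.ssl`` Options title; if no blank line separates the two, docutils reports "Explicit markup ends without a blank line" and the label may not resolve.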
diff --git a/source/release-notes/4.2.txt b/source/release-notes/4.2.txt
index 8a68e65e0a6..0d84ace8f9b 100644
--- a/source/release-notes/4.2.txt
+++ b/source/release-notes/4.2.txt
@@ -97,7 +97,8 @@ Deprecate ``SSL`` Options
 MongoDB 4.2 deprecates the ``SSL`` options for :binary:`~bin.mongod` and :binary:`~bin.mongos` in favor of equivalent ``TLS`` versions. The deprecated options can be found under :ref:`SSL Options for mongod
-`.
+` for the command-line options and under
+:ref:`net-ssl-conf-options` for the configuration file options.
 General Improvements
 --------------------
@@ -116,7 +117,8 @@ MongoDB 4.2 adds ``TLS`` options for :binary:`~bin.mongod` and :binary:`~bin.mongos` to replace deprecated ``SSL`` versions. These options are identical to the ``SSL`` options, as MongoDB has always supported TLS 1.0 and later. The new options can be found under
-:ref:`TLS Options for mongod `.
+:ref:`TLS Options for mongod ` for the command-line options
+and under :ref:`net-tls-conf-options` for the configuration file options.
 Changes Affecting Compatibility
 --------------------------------