
Include node-to-node encryption limitation when setting client cert auth to mandatory


Details

    • Bug
    • Resolution: Unresolved
    • Critical
    • 6.6.1
    • 6.5.0
    • rest, security
    • None
    • DOC-2020-S19-Oct04
    • 1

    Description

      Client certs cannot be set to mandatory when node to node encryption is set to all. This is described a bit in this patch: http://review.couchbase.org/c/ns_server/+/109601/.

      The reason for this limitation is that mandatory client certs and node-to-node encryption set to all mean that internal access within the server would require client certs, and this is not currently supported. E.g. when ns_server connects to memcached (across nodes) ns_server would need a cert, when query connects to indexing it would need a cert, etc. This would need to work with user-supplied certs, which would create additional complications.

      Essentially it's a limitation that at some point we'd like to remove, it just can't be done now.

      Enabling mandatory client certs is talked about on this page: https://docs.couchbase.com/server/current/manage/manage-security/enable-client-certificate-handling.html#enable-client-certificate-handling-with-the-ui.

      The docs say:

      Mandatory: Specifies that all clients must present a certificate, in order to authenticate. No other form of client-authentication is handled over the secure connection. Note that imposing this level of security likely requires the additional measure of disabling non-secure console access: see Manage Console Access.

      We should add something like as follows:

      A current limitation is that mandatory client certs cannot be enabled if node-to-node encryption is set to all.


          People

            tony.hillman Tony Hillman (Inactive)
            dfinlay Dave Finlay
