SERVER-41490 Disable OP_MSG checksums for TLS connections

3 files changed, 8 insertions, 0 deletions

diff --git a/src/mongo/transport/SConscript b/src/mongo/transport/SConscript
index 71e8c4f0f2b..c1ee167dbce 100644
--- a/src/mongo/transport/SConscript
+++ b/src/mongo/transport/SConscript
@@ -178,6 +178,7 @@ env.Library(
     LIBDEPS_PRIVATE=[
         '$BUILD_DIR/mongo/db/traffic_recorder',
         '$BUILD_DIR/mongo/transport/message_compressor',
+        '$BUILD_DIR/mongo/util/net/ssl_manager',
     ],
 )
 
diff --git a/src/mongo/transport/service_state_machine.cpp b/src/mongo/transport/service_state_machine.cpp
index 8e751d9327c..0d24952f13d 100644
--- a/src/mongo/transport/service_state_machine.cpp
+++ b/src/mongo/transport/service_state_machine.cpp
@@ -469,7 +469,13 @@ void ServiceStateMachine::_processMessage(ThreadGuard guard) {
         toSink.header().setId(nextMessageId());
         toSink.header().setResponseToMsgId(_inMessage.header().getId());
         if (OpMsg::isFlagSet(_inMessage, OpMsg::kChecksumPresent)) {
+#ifdef MONGO_CONFIG_SSL
+            if (!SSLPeerInfo::forSession(_session()).isTLS) {
+                OpMsg::appendChecksum(&toSink);
+            }
+#else
             OpMsg::appendChecksum(&toSink);
+#endif
         }
 
         // If the incoming message has the exhaust flag set and is a 'getMore' command, then we
diff --git a/src/mongo/transport/service_state_machine.h b/src/mongo/transport/service_state_machine.h
index ea14b49b71d..a48f4db321d 100644
--- a/src/mongo/transport/service_state_machine.h
+++ b/src/mongo/transport/service_state_machine.h
@@ -45,6 +45,7 @@
 #include "mongo/transport/service_executor_task_names.h"
 #include "mongo/transport/session.h"
 #include "mongo/transport/transport_mode.h"
+#include "mongo/util/net/ssl_manager.h"
 
 namespace mongo {