2 files changed, 18 insertions, 12 deletions

diff --git a/src/mongo/db/db.cpp b/src/mongo/db/db.cpp
index 8892928177d..107de1fd660 100644
--- a/src/mongo/db/db.cpp
+++ b/src/mongo/db/db.cpp
@@ -378,18 +378,6 @@ ExitCode _initAndListen(int listenPort) {
 
     logMongodStartupWarnings(storageGlobalParams, serverGlobalParams, serviceContext);
 
-#ifdef MONGO_CONFIG_SSL
-    if (sslGlobalParams.sslAllowInvalidCertificates &&
-        ((serverGlobalParams.clusterAuthMode.load() == ServerGlobalParams::ClusterAuthMode_x509) ||
-         sequenceContains(saslGlobalParams.authenticationMechanisms, "MONGODB-X509"))) {
-        log() << "** WARNING: While invalid X509 certificates may be used to" << startupWarningsLog;
-        log() << "**          connect to this server, they will not be considered"
-              << startupWarningsLog;
-        log() << "**          permissible for authentication." << startupWarningsLog;
-        log() << startupWarningsLog;
-    }
-#endif
-
     {
         std::stringstream ss;
         ss << endl;
diff --git a/src/mongo/db/startup_warnings_common.cpp b/src/mongo/db/startup_warnings_common.cpp
index 0cd52f78199..31a8b6c04b8 100644
--- a/src/mongo/db/startup_warnings_common.cpp
+++ b/src/mongo/db/startup_warnings_common.cpp
@@ -81,6 +81,24 @@ void logCommonStartupWarnings(const ServerGlobalParams& serverParams) {
         warned = true;
     }
 
+#ifdef MONGO_CONFIG_SSL
+    if (sslGlobalParams.sslAllowInvalidCertificates) {
+        log() << "** WARNING: While invalid X509 certificates may be used to" << startupWarningsLog;
+        log() << "**          connect to this server, they will not be considered"
+              << startupWarningsLog;
+        log() << "**          permissible for authentication." << startupWarningsLog;
+        log() << startupWarningsLog;
+    }
+
+    if (sslGlobalParams.sslAllowInvalidHostnames) {
+        log() << "** WARNING: This server will not perform X.509 hostname validation"
+              << startupWarningsLog;
+        log() << "** This may allow your server to make or accept connections to"
+              << startupWarningsLog;
+        log() << "** untrusted parties" << startupWarningsLog;
+    }
+#endif
+
     /*
     * We did not add the message to startupWarningsLog as the user can not
     * specify a sslCAFile parameter from the shell