Configure Transport Layer Security (TLS)
On this page
Overview
In this guide, you can learn how to use the Transport Layer Security (TLS) protocol to secure your connection to a MongoDB deployment.
To connect to a MongoDB deployment using TLS, you must perform the following steps:
Enable a TLS connection in
Mongo::Client.Specify the client TLS certificate.
Specify the Certificate Authority (CA) certificate to verify the server's TLS certificate.
To learn how to configure your MongoDB deployment for TLS, see the TLS configuration guide in the MongoDB Server manual.
Note
This page assumes prior knowledge of TLS/SSL and access to valid certificates. A full description of TLS/SSL, PKI (Public Key Infrastructure) certificates, and CAs is beyond the scope of this documentation. To learn more about TLS, see the Wikipedia entry for Transport Layer Security.
Enable TLS
You can enable TLS for the connection to your MongoDB deployment in the following ways:
Set the
ssloption totruein a newMongo:Clientobject.Set the
tlsoption totruein your connection string.
Note
SSL Naming Convention
All MongoDB Server versions supported by the Ruby driver v2.6 and later implement only TLS. 2.6 and do not use SSL.
For historical reasons, the Ruby driver prefixes TLS options with ssl
instead of tls. Ruby driver version 3.0 and later will use the
tls prefix for Ruby option names.
To configure certificates, you must specify the following options:
ssl_cert: The certificate file used to verify the connection to a MongoDB deployment.ssl_key: The private keyfile used to verify the connection to a MongoDB deployment.ssl_ca_cert: The file containing the concatenated CA certificates used to validate certificates passed from the MongoDB deployment to the client. If you don't specify a value for this option, the driver uses the default system root certificate store as the trust anchor.
In the following example, the TLS certificate and corresponding private key are provided in separate files:
client = Mongo::Client.new(["<hostname>:<port>"], ssl: true, ssl_cert: 'path/to/client.crt', ssl_key: 'path/to/client.key', ssl_ca_cert: 'path/to/ca.crt' )
You can specify both the TLS certificate and private key in a single file, but
both the certificate and private key options must still be specified. In the
following example, the TLS certificate and the private key are both defined
in the same client.pem file:
client = Mongo::Client.new(["<hostname>:<port>"], ssl: true, ssl_cert: 'path/to/client.pem', ssl_key: 'path/to/client.pem', ssl_ca_cert: 'path/to/ca.crt', )
To configure certificates, you must specify the following URI options:
tlsCertificateKeyFile: The file that contains the certificate and keyfile used to verify the connection to a MongoDB deployment.tlsCAFile: The file containing the concatenated CA certificates used to validate certificates passed from the MongoDB deployment to the client. If you don't specify a value for this option, the driver uses the default system root certificate store as the trust anchor.
client = Mongo::Client.new( "mongodb://<hostname>:<port>/?tls=true&tlsCertificateKeyFile=path%2fto%2fclient.pem&tlsCAFile=path%2fto%2fca.crt")
The file containing the certificate and key usually has a``.crt`` or .pem
extension.
URI option values must be percent-encoded. This applies, for example,
to slashes (/) in the paths, which are encoded as %2f.
Specify Client TLS Certificates
The Ruby driver provides multiple options for you to specify the TLS certificate, key, and CA certificate with different data or object types.
TLS Certificate
You can provide one of the following options to specify the TLS certificate:
Option Name | Data/Object Type Accepted | Description |
|---|---|---|
|
| The certificate file path used to verify the connection to a MongoDB deployment. |
|
| The certificate object used to verify the connection to a MongoDB deployment. |
|
| A string containing the PEM-encoded certificate used to verify the connection to a MongoDB deployment. |
TLS Private Key
You can provide one of the following options to specify the TLS private key:
Option Name | Data/Object Type Accepted | Description |
|---|---|---|
|
| The private keyfile path used to verify the connection to a MongoDB deployment. |
|
| The private key object used to verify the connection to a MongoDB deployment. |
|
| A passphrase for the private key. |
|
| A string containing the PEM-encoded private key used to verify the connection to a MongoDB deployment. |
TLS CA Certificate
You can provide one of the following options to specify the TLS CA certificate:
Option Name | Data/Object Type Accepted | Description |
|---|---|---|
|
| The file path containing concatenated CA certificates used to validate certificates passed from the MongoDB deployment to the client. |
|
| An array of objects representing the CA certificates used to validate certificates passed from the MongoDB deployment to the client. |
|
| A string containing one PEM-encoded CA certificate used to validate certificates passed from the MongoDB deployment to the client. |
Modify the TLS Context
If your TLS configuration requires customization, you can set TLS context hooks
by adding a native Ruby Proc object to the Mongo.tls_context_hooks
array. Add the Proc object to the array before you create any Mongo::Client
instances.
The following code example enables the AES256-SHA cipher as the only cipher to be used for TLS:
Mongo.tls_context_hooks.push( Proc.new { |context| context.ciphers = ["AES256-SHA"] } )
The Ruby driver TLS context options are based on native Ruby handling of SSL. To learn more about the TLS context options available, see the Ruby documentation for SSLContext.
OCSP Verification
If the certificate provided by the server contains an OCSP endpoint URI, the driver issues an Online Certificate Status Protocol (OCSP) request to the specified endpoint by default to verify the validity of the certificate.
To disable the OCSP endpoint check, set the :ssl_verify_ocsp_endpoint
Ruby option to false or set the tlsDisableOCSPEndpointCheck URI option
to true when creating a client.
Note
JRuby Does Not Support OCSP Verification
Because JRuby does not correctly expose OCSP endpoint URIs, the driver does not check OCSP endpoints when the underlying application runs on JRuby.
Allow Insecure TLS
When TLS is enabled, the Ruby driver automatically verifies the certificate that the server presents. When testing your code, you can disable this verification. This is known as insecure TLS.
When insecure TLS is enabled, the driver requires only that the server present an X.509 certificate. The driver accepts a certificate even if any of the following are true:
The hostname of the server and the subject name (or subject alternative name) on the certificate don't match.
The certificate is expired or not yet valid.
The certificate doesn't have a trusted root certificate in the chain.
The certificate purpose isn't valid for server identification.
Note
Even when insecure TLS is enabled, communication between the client and server is encrypted with TLS.
To enable insecure TLS, set the sslVerify client option or the tlsInsecure
URI option to true:
client = Mongo::Client.new(["<hostname>:<port>"], ssl: true, ssl_verify: false )
client = Mongo::Client.new('mongodb://<hostname>:<port>/?tls=true&tlsInsecure=true')
You can similarly set the following options to disable verification for the certificate or hostname:
ssl_verify_certificate: Disable certificate validation by setting the option tofalse.ssl_verify_hostname: Disable hostname verification by setting the option tofalse.
tlsAllowInvalidCertificates: Disable certificate validation by setting the option totrue.tlsAllowInvalidHostnames: Disable hostname validation by setting the option totrue.
Warning
Don't Use Insecure TLS in Production
Always disable insecure TLS in production.
Enabling insecure TLS in a production environment makes your application insecure and potentially vulnerable to expired certificates and foreign processes posing as valid client instances.
API Documentation
For more information about any of the types and methods discussed in this guide, see the following API documentation: