Skip to content

Commit

Permalink
NODE-929 Update SSL tutorial to correctly reflect the non-need for se…
Browse files Browse the repository at this point in the history 
…rver/mongos/replset subobjects
  • Loading branch information
@christkv
christkv committed Feb 10, 2017
1 parent 7832ca9 commit 38c037c
Showing 1 changed file with 28 additions and 61 deletions.
89 changes: 28 additions & 61 deletions docs/reference/content/tutorials/connect/ssl.md
View file
Expand Up @@ -13,7 +13,6 @@ title = "SSL Settings"
The Node.js driver supports TLS/SSL connections to MongoDB that support TLS/SSL support.

## No Certificate Validation

If the MongoDB instance does not perform any validation of the certificate chain, include the `ssl=true` in the [URI Connection String ](https://docs.mongodb.org/manual/reference/connection-string/).

```js
Expand All @@ -22,16 +21,14 @@ var MongoClient = require('mongodb').MongoClient;
MongoClient.connect("mongodb://localhost:27017/test?ssl=true", function(err, db) {
db.close();
});

```

## Validate Server Certificate

If the MongoDB instance presents a certificate, to validate the server's certificate, pass to the `MongoClient.connect` method:

- A [URI Connection String ](https://docs.mongodb.org/manual/reference/connection-string/) that includes `ssl=true` setting,

- A connections options for the `server` with the certificate for the Certificate Authority (`sslCA`) and the `sslValidate` setting set to `true`
- A connections options with the certificate for the Certificate Authority (`sslCA`) and the `sslValidate` setting set to `true`

```js
var MongoClient = require('mongodb').MongoClient,
Expand All @@ -43,23 +40,20 @@ var ca = [fs.readFileSync(__dirname + "/ssl/ca.pem")];

// Connect validating the returned certificates from the server
MongoClient.connect("mongodb://localhost:27017/test?ssl=true", {
server: {
sslValidate:true
, sslCA:ca
}
sslValidate:true,
sslCA:ca
}, function(err, db) {
db.close();
});
```

## Disable Hostname Verification

By default, the driver ensures that the hostname included in the
server's SSL certificate(s) matches the hostname(s) provided in the URI connection string. If you need to disable the hostname verification, but otherwise validate the server's certificate, pass to the `MongoClient.connect` method:

- A [URI Connection String ](https://docs.mongodb.org/manual/reference/connection-string/) that includes `ssl=true` setting,

- A connections options for the `server` with the certificate for the Certificate Authority (`sslCA`) and the `sslValidate` setting set to `true` but `checkServerIdentity` set to `false`.
- A connections options with the certificate for the Certificate Authority (`sslCA`) and the `sslValidate` setting set to `true` but `checkServerIdentity` set to `false`.

```js
var MongoClient = require('mongodb').MongoClient,
Expand All @@ -71,24 +65,21 @@ var ca = [fs.readFileSync(__dirname + "/ssl/ca.pem")];

// Connect validating the returned certificates from the server
MongoClient.connect("mongodb://localhost:27017/test?ssl=true", {
server: {
sslValidate:true
, checkServerIdentity:false
, sslCA:ca
}
sslValidate:true,
checkServerIdentity:false,
sslCA:ca
}, function(err, db) {
db.close();
});
```

## Validate Server Certificate and Present Valid Certificate

If the MongoDB server performs certificate validation, the client must pass its
certificate to the server. To pass the client's certificate as well as to validate the server's certificate, pass to the `MongoClient.connect` method:

- A [URI Connection String ](https://docs.mongodb.org/manual/reference/connection-string/) that includes `ssl=true` setting,

- A connections options for the `server` with the `sslValidate` setting set to `true`, the certificate for the Certificate Authority (`sslCA`), the client's certificate (`sslCert`) and private key file (`sslKey`). If the client's key file is encrypted, include the password (`sslPass`).
- A connections options with the `sslValidate` setting set to `true`, the certificate for the Certificate Authority (`sslCA`), the client's certificate (`sslCert`) and private key file (`sslKey`). If the client's key file is encrypted, include the password (`sslPass`).

```js
var MongoClient = require('mongodb').MongoClient,
Expand All @@ -102,27 +93,23 @@ var key = fs.readFileSync(__dirname + "/ssl/client.pem");

// Connect validating the returned certificates from the server
MongoClient.connect("mongodb://localhost:27017/test?ssl=true", {
server: {
sslValidate:true
, sslCA:ca
, sslKey:key
, sslCert:cert
, sslPass:'10gen'
}
sslValidate:true,
sslCA:ca,
sslKey:key,
sslCert:cert,
sslPass:'10gen',
}, function(err, db) {
db.close();
});

```

## Connect with X.509

[X.509](http://docs.mongodb.org/manual/core/authentication/#x-509-certificate-authentication) authentication requires the use of TLS/SSL connections with certificate validation. MongoDB uses the X.509 certificate presented during SSL negotiation to authenticate a user whose name is derived from the distinguished name of the X.509 certificate.

To connect using the X.509 authentication mechanism, specify `MONGODB-CR` as the mechanism in the [URI connection string](https://docs.mongodb.org/manual/reference/connection-string/), `ssl=true`, and the username. Use `enodeURIComponent` to encode the username string.

In addition to the connection string, pass to the `MongoClient.connect` method
a connections options for the `server` with the X.509 certificate and other [TLS/SSL connections]({{< relref "tutorials/connect/ssl.md" >}}) options.
a connections options with the X.509 certificate and other [TLS/SSL connections]({{< relref "reference/connecting/connection-settings.md" >}}) options.

```js
var MongoClient = require('mongodb').MongoClient,
Expand All @@ -139,14 +126,11 @@ var userName = "CN=client,OU=kerneluser,O=10Gen,L=New York City,ST=New York,C=US
// Connect using the MONGODB-X509 authentication mechanism
MongoClient.connect(f('mongodb://%s@server:27017/test?authMechanism=%s&ssl=true'
, encodeURIComponent(userName), 'MONGODB-X509'), {
server: {
sslKey:key
, sslCert:cert
}
sslKey:key,
sslCert:cert,
}, function(err, db) {
db.close();
});

```

## TLS/SSL Options
Expand All @@ -161,79 +145,62 @@ The following TLS/SSL options are available.
| `sslCert` | {Buffer\|string, default: null} | String or buffer containing the client certificate. |
| `sslPass` | {Buffer\|string, default: null} | String or buffer containing the client certificate password. |

To connect to a single MongoDB instance, specify the TLS/SSL connection options for `server`.

To connect to a single MongoDB instance, specify the TLS/SSL connection options.

```js

var MongoClient = require('mongodb').MongoClient,
fs = require('fs');


// Read the certificates

var ca = [fs.readFileSync(__dirname + "/ssl/ca.pem")];
var cert = fs.readFileSync(__dirname + "/ssl/client.pem");
var key = fs.readFileSync(__dirname + "/ssl/client.pem");

MongoClient.connect('mongodb://server:27017/test?ssl=true', {
server: {
sslCA:ca
, sslKey:key
, sslCert:cert
}
sslCA:ca,
sslKey:key,
sslCert:cert,
}, function(err, db) {
db.close();
});

```


To connect to a replica set, specify the TLS/SSL connection options for `replset` .
To connect to a replica set, specify the TLS/SSL connection options.

```js
var MongoClient = require('mongodb').MongoClient,
fs = require('fs');

// Read the certificates

var ca = [fs.readFileSync(__dirname + "/ssl/ca.pem")];
var cert = fs.readFileSync(__dirname + "/ssl/client.pem");
var key = fs.readFileSync(__dirname + "/ssl/client.pem");


MongoClient.connect('mongodb://server:27017/test?replicaSet=foo&ssl=true', {
replset: {
sslCA:ca
, sslKey:key
, sslCert:cert
}
sslCA:ca,
sslKey:key,
sslCert:cert,
}, function(err, db) {
db.close();
});

```

To connect to a replica set, specify the TLS/SSL connection options for `mongos`.
To connect to a mongos we pass in the options at the top level, just as for replicasets and single server connections.

```js
var MongoClient = require('mongodb').MongoClient,
fs = require('fs');

// Read the certificates

var ca = [fs.readFileSync(__dirname + "/ssl/ca.pem")];
var cert = fs.readFileSync(__dirname + "/ssl/client.pem");
var key = fs.readFileSync(__dirname + "/ssl/client.pem");

MongoClient.connect('mongodb://server:27017/test?ssl=true', {
mongos: {
sslCA:ca
, sslKey:key
, sslCert:cert
}
sslCA:ca,
sslKey:key,
sslCert:cert,
}, function(err, db) {
db.close();
});

```

0 comments on commit 38c037c

Please sign in to comment.