1MONGOC_SSL_OPT_T(3)                libmongoc               MONGOC_SSL_OPT_T(3)
2
3
4

NAME

6       mongoc_ssl_opt_t - mongoc_ssl_opt_t
7

SYNOPSIS

9          typedef struct {
10             const char *pem_file;
11             const char *pem_pwd;
12             const char *ca_file;
13             const char *ca_dir;
14             const char *crl_file;
15             bool weak_cert_validation;
16             bool allow_invalid_hostname;
17             void *padding[7];
18          } mongoc_ssl_opt_t;
19

DESCRIPTION

21       This  structure is used to set the SSL options for a mongoc_client_t or
22       mongoc_client_pool_t.
23
24       Beginning in version 1.2.0, once a pool or client has any  SSL  options
25       set, all connections use SSL, even if ssl=true is omitted from the Mon‐
26       goDB URI. Before, SSL options were ignored unless ssl=true was included
27       in the URI.
28
29       As    of    1.4.0,   the   mongoc_client_pool_set_ssl_opts   and   mon‐
30       goc_client_set_ssl_opts will not only shallow copy the struct, but will
31       also  copy  the  const  char*. It is therefore no longer needed to make
32       sure the values remain valid after setting them.
33

CONFIGURATION THROUGH URI OPTIONS

35       Most of the configurable options can be using the Connection URI.
36
37                 ┌───────────────────────┬──────────────────────────┐
38mongoc_ssl_opt_t key   URI key                  
39                 ├───────────────────────┼──────────────────────────┤
40                 │pem_file               │ sslClientCertificateKey‐ │
41                 │                       │ File                     │
42                 ├───────────────────────┼──────────────────────────┤
43                 │pem_pwd                │ sslClientCertificateKey‐ │
44                 │                       │ Password                 │
45                 ├───────────────────────┼──────────────────────────┤
46                 │ca_file                │ sslCertificateAuthority‐ │
47                 │                       │ File                     │
48                 ├───────────────────────┼──────────────────────────┤
49                 │weak_cert_validation   │ sslAllowInvalidCertifi‐  │
50                 │                       │ cates                    │
51                 ├───────────────────────┼──────────────────────────┤
52                 │allow_invalid_hostname │ sslAllowInvalidHostnames │
53                 └───────────────────────┴──────────────────────────┘
54

CLIENT AUTHENTICATION

56       When MongoDB is started with SSL enabled, it will  by  default  require
57       the  client  to  provide  a  client certificate issued by a certificate
58       authority specified by --sslCAFile, or  an  authority  trusted  by  the
59       native certificate store in use on the server.
60
61       To provide the client certificate, the user must configure the pem_file
62       to point at a PEM armored certificate.
63
64          mongoc_ssl_opt_t ssl_opts = {0};
65
66          ssl_opts.pem_file = "/path/to/client-certificate.pem"
67
68          /* Then set the client ssl_opts, when using a single client mongoc_client_t */
69          mongoc_client_set_ssl_opts (client, &ssl_opts);
70
71          /* or, set the pool ssl_opts, when using a the thread safe mongoc_client_pool_t */
72          mongoc_client_pool_set_ssl_opts (pool, &ssl_opts);
73

SERVER CERTIFICATE VERIFICATION

75       The MongoDB C Driver will automatically  verify  the  validity  of  the
76       server certificate, such as issued by configured Certificate Authority,
77       hostname validation, and expiration.
78
79       To overwrite this behaviour, it is possible to disable hostname valida‐
80       tion,  and/or  allow  otherwise invalid certificates. This behaviour is
81       controlled using the  allow_invalid_hostname  and  weak_cert_validation
82       fields.  By  default,  both  are set to false. It is not recommended to
83       change these defaults as it exposes the client to  Man  In  The  Middle
84       attacks (when allow_invalid_hostname is set) and otherwise invalid cer‐
85       tificates when weak_cert_validation is set to true.
86

OPENSSL

88       The MongoDB C Driver uses OpenSSL, if  available,  on  Linux  and  Unix
89       platforms (besides macOS). Industry best practices and some regulations
90       require the use of TLS 1.1 or newer, which requires  at  least  OpenSSL
91       1.0.1. Check your OpenSSL version like so:
92
93          $ openssl version
94
95       Ensure  your  system's OpenSSL is a recent version (at least 1.0.1), or
96       install a recent version in a non-system  path  and  build  against  it
97       with:
98
99          cmake -DOPENSSL_ROOT_DIR=/absolute/path/to/openssl
100
101       When compiled against OpenSSL, the driver will attempt to load the sys‐
102       tem default certificate store, as configured by  the  distribution,  if
103       the ca_file and ca_dir are not set.
104

LIBRESSL / LIBTLS

106       The  MongoDB C Driver supports LibreSSL through the use of OpenSSL com‐
107       patibility checks when configured to compile against openssl.  It  also
108       supports  the  new  libtls  library  when  configured  to build against
109       libressl.
110

NATIVE TLS SUPPORT ON WINDOWS (SECURE CHANNEL)

112       The MongoDB C Driver supports the Windows native  TLS  library  (Secure
113       Channel, or SChannel), and its native crypto library (Cryptography API:
114       Next Generation, or CNG).
115
116       When compiled against the Windows native libraries, the  ca_dir  option
117       is not supported, and will issue an error if used.
118
119       Encrypted  PEM  files (e.g., requiring pem_pwd) are also not supported,
120       and will result in error when attempting to load them.
121
122       When ca_file is provided, the driver will only  allow  server  certifi‐
123       cates  issued  by  the  authority  (or  authorities)  provided. When no
124       ca_file is provided, the driver will look up the Certificate  Authority
125       using  the  System  Local Machine Root certificate store to confirm the
126       provided certificate.
127
128       When crl_file is provided, the driver will import the  revocation  list
129       to the System Local Machine Root certificate store.
130

NATIVE TLS SUPPORT ON MACOS / DARWIN (SECURE TRANSPORT)

132       The  MongoDB  C  Driver  supports  the  Darwin (OS X, macOS, iOS, etc.)
133       native TLS library (Secure Transport), and its  native  crypto  library
134       (Common Crypto, or CC).
135
136       When  compiled  against Secure Transport, the ca_dir option is not sup‐
137       ported, and will issue an error if used.
138
139       When ca_file is provided, the driver will only  allow  server  certifi‐
140       cates  issued  by  the  authority  (or  authorities)  provided. When no
141       ca_file is provided, the driver will use the Certificate Authorities in
142       the currently unlocked keychains.
143

SEE ALSO

145       · mongoc_client_set_ssl_opts
146
147       · mongoc_client_pool_set_ssl_opts
148

AUTHOR

150       MongoDB, Inc
151
153       2017-present, MongoDB, Inc
154
155
156
157
1581.16.2                           Feb 25, 2020              MONGOC_SSL_OPT_T(3)
Impressum