TLS/SSL (Transport Encryption)
TLS/SSL
MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB’s network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client.
TLS Versions
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.
TLS Libraries
Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries:
Windows | Secure Channel (Schannel) |
Linux/BSD | OpenSSL |
macOS | Secure Transport |
TLS/SSL Ciphers
MongoDB’s TLS/SSL encryption only allows use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections.
Forward Secrecy
Forward Secrecy cipher suites create an ephemeral session key that is protected by the server’s private key but is never transmitted. The use of an ephemeral key ensures that even if a server’s private key is compromised, you cannot decrypt past sessions with the compromised key.
MongoDB supports Forward Secrecy cipher suites that use Ephemeral Diffie-Hellman (DHE) and Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) algorithms.
Ephemeral Elliptic Curve Diffie-Hellman (ECDHE)
Linux | Starting in version 4.2: - If the Linux platform’s OpenSSL supports automatic curve selection, MongoDB enables support for Ephemeral Elliptic Curve Diffie-Hellman (ECDHE). - Else, if the Linux platform’s OpenSSL does not support automatic curve selection, MongoDB attempts to enable ECDHE support using prime256v1 as the named curve. Starting in 3.6.14 and 4.0.3: - MongoDB enables support for Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) if, during compile time, the Linux platform’s OpenSSL supports automatic curve selection. Note: If support for ECDHE is enabled, MongoDB 4.2+ attempts to enable support for Ephemeral Diffie-Hellman (DHE) if Ephemeral Diffie-Hellman (DHE) is not explicitly enabled. See Ephemeral Diffie-Hellman (DHE) for details. |
Windows | Starting in version 4.0, Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) is implicitly supported through the use of Secure Channel (Schannel), the native TLS/SSL OS libraries. |
macOS | Starting in version 4.0, Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) is implicitly supported through the use of Secure Transport, the native TLS/SSL OS libraries. |
ECDHE cipher suites are slower than static RSA cipher suites. For better performance with ECDHE, you can use certificates that use Elliptic Curve Digital Signature Algorithm (ECDSA). See also Forward Secrecy Performance for more information.
Ephemeral Diffie-Hellman (DHE)
Linux | Starting in version 4.2, MongoDB enables support for Ephemeral Diffie-Hellman (DHE): - If the opensslDiffieHellmanParameters parameter is set at startup (regardless of whether ECDHE is enabled or disabled). - Else, if the opensslDiffieHellmanParameters parameter is unset but ECDHE is enabled, MongoDB enables DHE using the ffdhe3072 parameter, as defined in RFC 7919, Appendix A.2. For versions 3.6 and 4.0, MongoDB enables support for Ephemeral Diffie-Hellman (DHE): - If the opensslDiffieHellmanParameters parameter is set at startup. |
Windows | Starting in version 4.0, Ephemeral Diffie-Hellman (DHE) is implicitly supported through the use of Secure Channel (Schannel), the native TLS/SSL OS libraries. |
macOS | Starting in version 4.0, Ephemeral Diffie-Hellman (DHE) is implicitly supported through the use of Secure Transport, the native TLS/SSL OS libraries. |
Note
If clients negotiate a cipher suite with DHE but cannot accept the server-selected parameter, the TLS connection fails.
Strong parameters (i.e. size is greater than 1024) are not supported with Java 6 and 7 unless extended support has been purchased from Oracle. However, Java 7 supports and prefers ECDHE, so it will negotiate ECDHE if available.
DHE (and ECDHE) cipher suites are slower than static RSA cipher suites, with DHE being significantly slower than ECDHE. See Forward Secrecy Performance for more information.
Forward Secrecy Performance
DHE and ECDHE cipher suites are slower than static RSA cipher suites, with DHE being significantly slower than ECDHE.
For better performance with ECDHE, you can use certificates that use Elliptic Curve Digital Signature Algorithm (ECDSA). Alternatively, you can disable ECDHE cipher suites with the opensslCipherConfig parameter, as in the following example (which also disables DHE):
- mongod --setParameter opensslCipherConfig='HIGH:!EXPORT:!aNULL:!kECDHE:!ECDHE:!DHE:!kDHE@STRENGTH'
If you need to disable support for DHE cipher suites due to performance, you can use the opensslCipherConfig parameter, as in the following example:
- mongod --setParameter opensslCipherConfig='HIGH:!EXPORT:!aNULL:!DHE:!kDHE@STRENGTH'
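To check what each opensslCipherConfig string above actually leaves enabled before applying it to mongod, the string can be expanded with the local OpenSSL and the resulting suites grouped by key exchange. This is an added example, not part of the MongoDB documentation; it uses Python's ssl module, the BASELINE string and the function names are constructed for illustration, and the counts depend on the OpenSSL build Python is linked against.

```python
import ssl
from collections import Counter

# NO_DHE and NO_FS are the cipher strings from the two mongod commands above.
# BASELINE is constructed here: the same string with no key exchange removed.
BASELINE = "HIGH:!EXPORT:!aNULL@STRENGTH"
NO_DHE = "HIGH:!EXPORT:!aNULL:!DHE:!kDHE@STRENGTH"
NO_FS = "HIGH:!EXPORT:!aNULL:!kECDHE:!ECDHE:!DHE:!kDHE@STRENGTH"

# Key-exchange labels as reported in the "kea" field of get_ciphers().
KX_LABELS = {
    "kx-ecdhe": "ECDHE",
    "kx-dhe": "DHE",
    "kx-rsa": "static RSA",
    # TLS 1.3 suites are not controlled by an OpenSSL cipher string, so they
    # appear in every result regardless of what the string removes.
    "kx-any": "TLS 1.3",
}


def kx_summary(cipher_string):
    """Count the suites a cipher string enables, grouped by key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing is selected
    counts = Counter()
    for suite in ctx.get_ciphers():
        # PSK and SRP key exchanges are grouped under "other".
        counts[KX_LABELS.get(suite["kea"], "other")] += 1
    return counts


def keeps_forward_secrecy(cipher_string):
    """True if any certificate-based ECDHE or DHE suite (TLS 1.2 and below) remains."""
    counts = kx_summary(cipher_string)
    return counts["ECDHE"] + counts["DHE"] > 0


if __name__ == "__main__":
    for label, value in (("baseline", BASELINE), ("no DHE", NO_DHE), ("no ECDHE/DHE", NO_FS)):
        print(f"{label:13} forward secrecy: {keeps_forward_secrecy(value)}  {dict(kx_summary(value))}")
```

With the first command's string, every TLS 1.2 and earlier connection falls back to static RSA key exchange, so the forward secrecy property described earlier is lost for those sessions; the second string keeps ECDHE.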
Certificates
To use TLS/SSL with MongoDB, you must have the TLS/SSL certificates as PEM files, which are concatenated certificate containers.
MongoDB can use any valid TLS/SSL certificate issued by a certificate authority or a self-signed certificate. If you use a self-signed certificate, although the communications channel will be encrypted, there will be no validation of server identity. Although such a situation will prevent eavesdropping on the connection, it leaves you vulnerable to a man-in-the-middle attack. Using a certificate signed by a trusted certificate authority will permit MongoDB drivers to verify the server’s identity.
For example, see TLS/SSL Configuration for Clients.
Identity Verification
In addition to encrypting connections, TLS/SSL allows for authentication using certificates, both for client authentication and for internal authentication of members of replica sets and sharded clusters.
For more information, see:
- Configure mongod and mongos for TLS/SSL
- TLS/SSL Configuration for Clients
- Use x.509 Certificates to Authenticate Clients
- Use x.509 Certificate for Membership Authentication
FIPS Mode
Enterprise Feature
Available in MongoDB Enterprise only.
The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.
For an example, see Configure MongoDB for FIPS.