On this page本页内容
MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB's network traffic. MongoDB支持TLS/SSL(传输层安全/安全套接字层)来加密MongoDB的所有网络流量。TLS/SSL ensures that MongoDB network traffic is only readable by the intended client.TLS/SSL确保MongoDB网络流量只能由目标客户端读取。
Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. 从版本4.0开始,MongoDB在TLS 1.1+可用的系统上禁用对TLS 1.0加密的支持。For more details, see Disable TLS 1.0.有关详细信息,请参阅禁用TLS 1.0。
MongoDB uses the native TLS/SSL OS libraries:MongoDB使用本机TLS/SSL操作系统库:
| Platform | TLS/SSL Library |
|---|---|
| Windows | |
| Linux/BSD | OpenSSL |
| macOS | Secure Transport |
MongoDB's TLS/SSL encryption only allows use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections.MongoDB的TLS/SSL加密仅允许对所有连接使用具有最小128位密钥长度的强TLS/SSL密码。
Forward Secrecy cipher suites create an ephemeral session key that is protected by the server's private key but is never transmitted. 前向保密密码套件创建一个临时会话密钥,该密钥受服务器的私钥保护,但从不传输。The use of an ephemeral key ensures that even if a server's private key is compromised, you cannot decrypt past sessions with the compromised key.使用临时密钥可以确保即使服务器的私钥被泄露,也无法使用泄露密钥解密过去的会话。
MongoDB supports Forward Secrecy cipher suites that use Ephemeral Diffie-Hellman (DHE) and Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) algorithms.MongoDB支持使用临时Diffie-Hellman(DHE)和临时椭圆曲线Diffie-Hellman算法的前向保密密码套件。
| Linux |
|
|---|---|
| Windows | |
| macOS |
ECDHE cipher suites are slower than static RSA cipher suites. ECDHE密码套件比静态RSA密码套件慢。For better performance with ECDHE, you can use certificates that use Elliptic Curve Digital Signature Algorithm (为了提高ECDHE的性能,您可以使用使用椭圆曲线数字签名算法(ECDSA). ECDSA)的证书。See also Forward Secrecy Performance for more information有关更多信息,请参阅转发保密性能
| Platform | |
|---|---|
| Linux |
|
| Windows | |
| macOS |
If clients negotiate a cipher suite with DHE but cannot accept the server selected parameter, the TLS connection fails.如果客户端与DHE协商密码套件,但无法接受服务器选择的参数,则TLS连接失败。
Strong parameters (i.e. size is greater than 1024) are not supported with Java 6 and 7 unless extended support has been purchased from Oracle. Java 6和7不支持强参数(即大小大于1024),除非从Oracle购买了扩展支持。However, Java 7 supports and prefers ECDHE, so will negotiate ECDHE if available.然而,Java 7支持并更喜欢ECDHE,因此如果可用,将协商ECDHE。
DHE (and ECDHE) cipher suites are slower performance than static RSA cipher suites, with DHE being significantly slower than ECDHE. DHE(和ECDHE)密码套件的性能低于静态RSA密码套件,其中DHE的性能明显低于ECDHE。See Forward Secrecy Performance for more information.有关更多信息,请参阅转发保密性能。
DHE and ECDHE cipher suites are slower than static RSA cipher suites, with DHE being significantly slower than ECDHE.DHE和ECDHE密码套件比静态RSA密码套件慢,DHE比ECDHE慢得多。
For better performance with ECDHE, you can use certificates that use Elliptic Curve Digital Signature Algorithm (为了提高ECDHE的性能,可以使用使用椭圆曲线数字签名算法(ECDSA). ECDSA)的证书。Alternatively, you can disable ECDHE cipher suites with the 或者,您可以使用opensslCipherConfig parameter as in the following example (which also disables DHE)opensslCipherConfig参数禁用ECDHE密码套件,如下例所示(这也会禁用DHE)
mongod --setParameter opensslCipherConfig='HIGH:!EXPORT:!aNULL:!kECDHE:!ECDHE:!DHE:!kDHE@STRENGTH'
If you need to disable support for DHE cipher suites due to performance, you can use the 如果由于性能原因需要禁用对DHE密码套件的支持,可以使用 opensslCipherConfig parameter, as in the following example:opensslCipherConfig参数,如下例所示:
mongod --setParameter opensslCipherConfig='HIGH:!EXPORT:!aNULL:!DHE:!kDHE@STRENGTH'
To use TLS/SSL with MongoDB , you must have the TLS/SSL certificates as 要对MongoDB使用TLS/SSL,必须将TLS/SSL证书作为PEM files, which are concatenated certificate containers.PEM文件,这些文件是串联的证书容器。
MongoDB can use any valid TLS/SSL certificate issued by a certificate authority or a self-signed certificate. MongoDB可以使用由证书颁发机构颁发的任何有效TLS/SSL证书或自签名证书。For production use, your MongoDB deployment should use valid certificates generated and signed by the same certificate authority. 对于生产使用,MongoDB部署应使用由同一证书颁发机构生成并签名的有效证书。You can generate and maintain an independent certificate authority, or use certificates generated by a third-party TLS/SSL vendor.您可以生成和维护独立的证书颁发机构,或使用第三方TLS/SSL供应商生成的证书。
Using a certificate signed by a trusted certificate authority allows MongoDB drivers to verify the server's identity.使用由可信证书颁发机构签名的证书,MongoDB驱动程序可以验证服务器的身份。
For example, see TLS/SSL Configuration for Clients.例如,请参阅客户端的TLS/SSL配置。
Changed in version 4.4.在版本4.4中更改。
mongod / mongos 30 days of the mongod/mongos host system time. mongod/mongos主机系统时间的30天内过期,则会记录一条连接警告。Starting in version 4.4, to check for certificate revocation, MongoDB 从4.4版开始,为了检查证书吊销,MongoDB默认启用OCSP(在线证书状态协议)。enables the use of OCSP (Online Certificate Status Protocol) by default. The use of OCSP eliminates the need to periodically download a OCSP的使用消除了定期下载证书吊销列表(CRL)并用更新的CRL重新启动Certificate Revocation List (CRL) and restart the mongod/mongos with the updated CRL.mongod/mongos的需要。
In versions 4.0 and 4.2, the use of OCSP is available only through the use of 在版本4.0和4.2中,OCSP只能通过在Windows或macOS上使用系统证书存储来使用。system certificate store on Windows or macOS.
As part of its OCSP support, MongoDB 4.4+ supports the following on Linux:作为OCSP支持的一部分,MongoDB 4.4+在Linux上支持以下内容:
mongod and mongos instances attach or "staple" the OCSP status response to their certificates when providing these certificates to clients during the TLS/SSL handshake. MongoDB also provides the following OCSP-related parameters:MongoDB还提供以下OCSP相关参数:
ocspEnabled | |
ocspValidationRefreshPeriodSecs | |
tlsOCSPStaplingTimeoutSecs | mongod/mongos instance should wait to receive the OCSP status response for its certificates.mongod/mongos实例等待接收其证书的OCSP状态响应的最大秒数。
|
tlsOCSPVerifyTimeoutSecs | mongod/mongos should wait for the OCSP response when verifying client certificates.mongod/mongos等待OCSP响应的最大秒数。
|
You can set these parameters at startup using the 您可以在启动时使用setParameter configuration file setting or the --setParameter command line option.setParameter配置文件设置或--setParameter命令行选项设置这些参数。
Starting in MongoDB 5.0, the 从MongoDB 5.0开始,rotateCertificates command and db.rotateCertificates() method will also refresh any stapled OCSP responses.rotateCertificates命令和db.rotateCertificates()方法还将刷新任何已装订的OCSP响应。
In addition to encrypting connections, TLS/SSL allows for authentication using certificates, both for client authentication and for internal authentication of members of replica sets and sharded clusters.除了加密连接之外,TLS/SSL还允许使用证书进行身份验证,既可以用于客户端身份验证,也可以用于副本集和分片群集成员的client authentication and for 内部身份验证。
For more information, see:有关详细信息,请参阅:
Available in MongoDB Enterprise only.仅在MongoDB Enterprise中可用。
The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. 联邦信息处理标准(FIPS)是美国的。用于认证安全加密和解密数据的软件模块和库的政府计算机安全标准。You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. 您可以将MongoDB配置为使用经FIPS 140-2认证的OpenSSL库运行。Configure FIPS to run by default or as needed from the command line.将FIPS配置为默认运行或根据需要从命令行运行。
For an example, see Configure MongoDB for FIPS.有关示例,请参阅Configure MongoDB For FIPS。