Provided by: libmongoc-doc_1.15.0-1_all bug

NAME

       mongoc_ssl_opt_t - mongoc_ssl_opt_t

SYNOPSIS

          typedef struct {
             const char *pem_file;
             const char *pem_pwd;
             const char *ca_file;
             const char *ca_dir;
             const char *crl_file;
             bool weak_cert_validation;
             bool allow_invalid_hostname;
             void *padding[7];
          } mongoc_ssl_opt_t;

DESCRIPTION

       This   structure   is   used   to   set   the   SSL   options  for  a  mongoc_client_t  or
       mongoc_client_pool_t.

       Beginning in version 1.2.0, once a pool or client has any SSL options set, all connections
       use  SSL,  even  if  ssl=true  is  omitted  from the MongoDB URI. Before, SSL options were
       ignored unless ssl=true was included in the URI.

       As of 1.4.0, the mongoc_client_pool_set_ssl_opts and mongoc_client_set_ssl_opts  will  not
       only  shallow  copy  the  struct,  but  will also copy the const char*. It is therefore no
       longer needed to make sure the values remain valid after setting them.

CONFIGURATION THROUGH URI OPTIONS

       Most of the configurable options can be using the Connection URI.

                       ┌───────────────────────┬─────────────────────────────────┐
                       │mongoc_ssl_opt_t keyURI key                         │
                       ├───────────────────────┼─────────────────────────────────┤
                       │pem_file               │ sslClientCertificateKeyFile     │
                       ├───────────────────────┼─────────────────────────────────┤
                       │pem_pwd                │ sslClientCertificateKeyPassword │
                       ├───────────────────────┼─────────────────────────────────┤
                       │ca_file                │ sslCertificateAuthorityFile     │
                       ├───────────────────────┼─────────────────────────────────┤
                       │weak_cert_validation   │ sslAllowInvalidCertificates     │
                       ├───────────────────────┼─────────────────────────────────┤
                       │allow_invalid_hostname │ sslAllowInvalidHostnames        │
                       └───────────────────────┴─────────────────────────────────┘

CLIENT AUTHENTICATION

       When MongoDB is started with SSL enabled, it will by default require the client to provide
       a  client  certificate  issued  by a certificate authority specified by --sslCAFile, or an
       authority trusted by the native certificate store in use on the server.

       To provide the client certificate, the user must configure the pem_file to point at a  PEM
       armored certificate.

          mongoc_ssl_opt_t ssl_opts = {0};

          ssl_opts.pem_file = "/path/to/client-certificate.pem"

          /* Then set the client ssl_opts, when using a single client mongoc_client_t */
          mongoc_client_pool_set_ssl_opts (pool, &ssl_opts);

          /* or, set the pool ssl_opts, when using a the thread safe mongoc_client_pool_t */
          mongoc_client_set_ssl_opts (client, &ssl_opts);

SERVER CERTIFICATE VERIFICATION

       The  MongoDB  C  Driver  will automatically verify the validity of the server certificate,
       such as issued by configured Certificate Authority, hostname validation, and expiration.

       To overwrite this behaviour, it is possible to disable hostname validation,  and/or  allow
       otherwise    invalid    certificates.    This    behaviour   is   controlled   using   the
       allow_invalid_hostname and weak_cert_validation fields. By default, both are set to false.
       It  is  not  recommended  to  change these defaults as it exposes the client to Man In The
       Middle attacks (when allow_invalid_hostname is set)  and  otherwise  invalid  certificates
       when weak_cert_validation is set to true.

OPENSSL

       The  MongoDB  C  Driver  uses  OpenSSL, if available, on Linux and Unix platforms (besides
       macOS). Industry best practices and some regulations require the use of TLS 1.1 or  newer,
       which requires at least OpenSSL 1.0.1. Check your OpenSSL version like so:

          $ openssl version

       Ensure  your  system's  OpenSSL  is a recent version (at least 1.0.1), or install a recent
       version in a non-system path and build against it with:

          cmake -DOPENSSL_ROOT_DIR=/absolute/path/to/openssl

       When compiled against OpenSSL,  the  driver  will  attempt  to  load  the  system  default
       certificate  store,  as  configured by the distribution, if the ca_file and ca_dir are not
       set.

LIBRESSL / LIBTLS

       The MongoDB C Driver supports LibreSSL through the use  of  OpenSSL  compatibility  checks
       when  configured  to compile against openssl. It also supports the new libtls library when
       configured to build against libressl.

NATIVE TLS SUPPORT ON WINDOWS (SECURE CHANNEL)

       The MongoDB C  Driver  supports  the  Windows  native  TLS  library  (Secure  Channel,  or
       SChannel), and its native crypto library (Cryptography API: Next Generation, or CNG).

       When  compiled  against  the Windows native libraries, the ca_dir option is not supported,
       and will issue an error if used.

       Encrypted PEM files (e.g., requiring pem_pwd) are also not supported, and will  result  in
       error when attempting to load them.

       When  ca_file  is  provided,  the driver will only allow server certificates issued by the
       authority (or authorities) provided. When no ca_file is provided, the driver will look  up
       the Certificate Authority using the System Local Machine Root certificate store to confirm
       the provided certificate.

       When crl_file is provided, the driver will import the revocation list to the System  Local
       Machine Root certificate store.

NATIVE TLS SUPPORT ON MACOS / DARWIN (SECURE TRANSPORT)

       The  MongoDB  C  Driver  supports  the  Darwin (OS X, macOS, iOS, etc.) native TLS library
       (Secure Transport), and its native crypto library (Common Crypto, or CC).

       When compiled against Secure Transport, the ca_dir option is not supported, and will issue
       an error if used.

       When  ca_file  is  provided,  the driver will only allow server certificates issued by the
       authority (or authorities) provided. When no ca_file is provided, the driver will use  the
       Certificate Authorities in the currently unlocked keychains.

SEE ALSO

       · mongoc_client_set_ssl_opts

       · mongoc_client_pool_set_ssl_opts

AUTHOR

       MongoDB, Inc

COPYRIGHT

       2017-present, MongoDB, Inc