This version of the documentation is archived and no longer supported.

TLS/SSL (Transport Encryption)

TLS/SSL

MongoDB supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of MongoDB’s network traffic. TLS/SSL ensures that MongoDB network traffic is only readable by the intended client.

Starting in version 4.0, MongoDB uses the native TLS/SSL OS libraries:

  • Windows: Secure Channel (Schannel)
  • Linux/BSD: OpenSSL
  • macOS: Secure Transport

MongoDB’s TLS/SSL encryption only allows use of strong TLS/SSL ciphers with a minimum of 128-bit key length for all connections.

Starting in version 4.0, MongoDB disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available. For more details, see Disable TLS 1.0.

Certificates

To use TLS/SSL with MongoDB, you must have the TLS/SSL certificates as PEM files, which are concatenated certificate containers.

MongoDB can use any valid TLS/SSL certificate issued by a certificate authority or a self-signed certificate. For production use, your MongoDB deployment should use valid certificates generated and signed by the same certificate authority. You can generate and maintain an independent certificate authority, or use certificates generated by a third-party TLS/SSL vendor.

Using a certificate signed by a trusted certificate authority allows MongoDB drivers to verify the server’s identity.

For example, see TLS/SSL Configuration for Clients.
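
The PEM container described above can be inspected before it is handed to a server. The following Python code is an added example, not part of the MongoDB documentation or code base; it assumes the file is expected to hold a certificate together with its private key, and the function names and sample data are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

def pem_blocks(text):
    """Return [(label, decoded_bytes)] for each well-formed block in a PEM container."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # validate=True raises on non-base64 characters instead of skipping them.
        # Legacy "Proc-Type:" header lines inside a block are not handled here.
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks

def check_key_file(text):
    """Structural check only: no ASN.1 parsing, no key-to-certificate matching."""
    # Assumption of this example: the file must carry a certificate and its key.
    labels = [label for label, _ in pem_blocks(text)]
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if keys == 0:
        problems.append("no PRIVATE KEY block")
    elif keys > 1:
        problems.append("more than one private key")
    # A BEGIN marker without a matching END means a block was cut off or mislabelled.
    if text.count("-----BEGIN ") != len(labels):
        problems.append("malformed or truncated block")
    return problems

def make_block(label, payload):
    """Build a PEM block around constructed placeholder bytes (not real DER)."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample inputs.
SAMPLE_KEY_FILE = make_block("PRIVATE KEY", b"constructed key bytes") + make_block(
    "CERTIFICATE", b"constructed cert bytes"
)
SAMPLE_CERT_ONLY = make_block("CERTIFICATE", b"constructed cert bytes")
```

An empty list from `check_key_file` means the container has the expected shape; it says nothing about whether the certificate is valid or trusted.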

Identity Verification

In addition to encrypting connections, TLS/SSL allows for authentication using certificates, both for client authentication and for internal authentication of members of replica sets and sharded clusters.

For more information, see:

FIPS Mode

Enterprise Feature

Available in MongoDB Enterprise only.

The Federal Information Processing Standard (FIPS) is a U.S. government computer security standard used to certify software modules and libraries that encrypt and decrypt data securely. You can configure MongoDB to run with a FIPS 140-2 certified library for OpenSSL. Configure FIPS to run by default or as needed from the command line.

For an example, see Configure MongoDB for FIPS.