阿里云主机折上折
  • 微信号
Current Site:Index > Encrypted transmission (TLS/SSL)

Encrypted transmission (TLS/SSL)

Author:Chuan Chen 阅读数:40434人阅读 分类: MongoDB

Application of Encrypted Transmission (TLS/SSL) in MongoDB

MongoDB supports encrypting communication between clients and servers using the TLS/SSL protocol, ensuring the security of data transmission. This encryption method effectively prevents man-in-the-middle attacks and data leaks, making it particularly suitable for scenarios involving sensitive data transmission.

Basic Principles of TLS/SSL

TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols used to provide secure communication over computer networks. They achieve this by establishing a secure channel between the transport and application layers:

  1. Authentication: Verifies the identity of the server (and optionally the client) using digital certificates.
  2. Encryption: Protects data transmission using symmetric encryption algorithms.
  3. Integrity: Ensures data has not been tampered with using message authentication codes (MACs).

MongoDB supports TLS versions 1.0, 1.1, 1.2, and 1.3, but it is recommended to disable older versions (TLS 1.0 and 1.1) to enhance security.

TLS/SSL Configuration in MongoDB

Server-Side Configuration

To enable TLS/SSL for a MongoDB server, add the following parameters to the configuration file:

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/server.pem
    CAFile: /path/to/ca.pem
    allowInvalidCertificates: false

Parameter descriptions:

  • mode: Can be disabled, allowTLS, or requireTLS.
  • certificateKeyFile: File containing the server certificate and private key.
  • CAFile: CA certificate file used to verify client certificates.
  • allowInvalidCertificates: Whether to allow self-signed certificates (should be set to false in production environments).

Client Configuration

Using the Node.js driver to connect to a TLS/SSL-protected MongoDB instance:

const { MongoClient } = require('mongodb');

const client = new MongoClient('mongodb://localhost:27017', {
  tls: true,
  tlsCAFile: '/path/to/ca.pem',
  tlsCertificateKeyFile: '/path/to/client.pem',
  tlsAllowInvalidCertificates: false
});

async function run() {
  try {
    await client.connect();
    const db = client.db('test');
    // Perform database operations...
  } finally {
    await client.close();
  }
}
run().catch(console.dir);

Certificate Management

Generating Self-Signed Certificates

For development and testing environments, you can use OpenSSL to generate self-signed certificates:

# Generate CA private key and certificate
openssl req -x509 -newkey rsa:4096 -days 365 -nodes -keyout ca-key.pem -out ca-cert.pem

# Generate server private key and certificate signing request (CSR)
openssl req -newkey rsa:4096 -nodes -keyout server-key.pem -out server-req.pem

# Sign the server certificate with the CA
openssl x509 -req -in server-req.pem -days 60 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -extfile server-ext.cnf

# Combine the server certificate and private key
cat server-cert.pem server-key.pem > server.pem

Certificate Verification

MongoDB supports multiple certificate verification methods:

  • One-way verification (only the server provides a certificate).
  • Two-way verification (both client and server provide certificates).
  • Verification using the system CA store.

Performance Considerations

Enabling TLS/SSL can impact MongoDB performance in the following ways:

  1. Connection Establishment Time: The TLS handshake process increases connection setup time.
  2. CPU Usage: Encryption/decryption operations increase CPU load.
  3. Throughput: Encrypted communication may slightly reduce network throughput.

Performance can be optimized by:

  • Using more efficient encryption algorithms (e.g., AES256-GCM).
  • Enabling TLS session resumption.
  • Using hardware acceleration (e.g., CPUs with AES-NI support).

Common Troubleshooting

Certificate Verification Failure

Example error:

SSL peer certificate validation failed: self signed certificate in certificate chain

Solutions:

  • Ensure the CA certificate is correctly configured.
  • Check if the certificate chain is complete.
  • Verify if the certificate has expired.

Protocol Version Mismatch

Example error:

SSL handshake failed: no shared cipher

Solutions:

  • Ensure the client and server support the same TLS version.
  • Check the cipher suite configuration.

Security Best Practices

  1. Disable Old Protocols: Disable SSL 3.0, TLS 1.0, and TLS 1.1.
  2. Strong Cipher Suites: Prioritize strong encryption algorithms like AES256-GCM.
  3. Certificate Rotation: Regularly update server and client certificates.
  4. Least Privilege: Issue different certificates to different clients and restrict permissions.
  5. Log Monitoring: Monitor TLS connection errors and anomalies.

Advanced Configuration Options

Custom Cipher Suites

Specify preferred cipher suites in the MongoDB configuration file:

net:
  tls:
    ciphers: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256

OCSP Stapling

Enable OCSP stapling to speed up certificate revocation checks:

net:
  tls:
    ocspStapling: true

Certificate Revocation List (CRL)

Configure CRL checks to reject revoked certificates:

net:
  tls:
    CRLFile: /path/to/crl.pem

Practical Application Scenarios

TLS in Sharded Clusters

In sharded clusters, TLS should be enabled for all inter-component communication:

# Config server configuration example
sharding:
  clusterRole: configsvr
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/configsvr.pem
    CAFile: /path/to/ca.pem

Replica Set Member Communication

Ensure secure communication between replica set members:

replication:
  replSetName: rs0
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/member.pem
    CAFile: /path/to/ca.pem
    clusterFile: /path/to/internal.pem  # For inter-member authentication

Client Certificate Authentication

Require clients to provide valid certificates for authentication:

net:
  tls:
    mode: requireTLS
    certificateKeyFile: /path/to/server.pem
    CAFile: /path/to/ca.pem
    allowConnectionsWithoutCertificates: false

Corresponding Node.js client connection code:

const client = new MongoClient(uri, {
  tls: true,
  tlsCAFile: '/path/to/ca.pem',
  tlsCertificateKeyFile: '/path/to/client.pem',
  authMechanism: 'MONGODB-X509',
  authSource: '$external'
});

Certificate Subject Alternative Names

When a MongoDB deployment uses multiple hostnames, include SANs (Subject Alternative Names) in the certificate:

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mongodb1.example.com
DNS.2 = mongodb2.example.com
IP.1 = 192.168.1.100

Certificate Transparency

Consider enabling Certificate Transparency (CT) logs for public certificates:

# Automatically submit CT logs when using Let's Encrypt certificates
certbot certonly --standalone -d mongodb.example.com --preferred-challenges http --must-staple
做个网站!

本站部分内容来自互联网,一切版权均归源网站或源作者所有。

如果侵犯了你的权益请来信告知我们删除。邮箱:cc@cccx.cn

上一篇:用户管理与访问控制

下一篇:数据加密(字段级加密、存储加密)

Front End Chuan

Front End Chuan, Chen Chuan's Code Teahouse 🍵, specializing in exorcising all kinds of stubborn bugs 💻. Daily serving baldness-warning-level development insights 🛠️, with a bonus of one-liners that'll make you laugh for ten years 🐟. Occasionally drops pixel-perfect romance brewed in a coffee cup ☕.

相关文章