Configuring SSL Verification

If you are connecting to a MongoDB server that has Secure Sockets Layer (SSL) enabled, then you can configure the connector to connect to an SSL-enabled socket. When connecting to a server over SSL, the connector supports identity verification between the client and the server.

You can set the connection properties described below in a connection string or in a DSN (in the odbc.ini file). Settings in the connection string take precedence over settings in the DSN.

Configuring an SSL Connection without Identity Verification

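You can configure a connection that uses SSL but does not verify the identity of the client or the server. The traffic is encrypted, but because invalid certificates are accepted, the client has no assurance that it is connected to the intended server.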

To configure an SSL connection without verification:

  1. Set the SSL property to 1.
  2. Set the sslAllowInvalidCertificates property to 1.

Configuring One-way SSL Verification

You can configure one-way verification so that the client verifies the identity of the MongoDB server.

To configure one-way SSL verification:

  1. Set the SSL property to 1.
  2. Choose one:
    • To verify the server using a certificate from a specific .pem file, set the sslCAFile property to the full path of the .pem file.
    • Or, to verify the server using certificates stored in multiple .pem files, set the sslCADir property to the full path of the directory where the .pem files are located.
  3. Set the sslCRLFile property to the full path of the .pem file containing the list of revoked certificates.

Configuring Two-way SSL Verification

You can configure two-way SSL verification so that the client and the MongoDB server verify each other.

To configure two-way SSL verification:

  1. Set the SSL property to 1.
  2. Set the sslPEMKeyFile property to the full path of the .pem file containing the certificate for verifying the client.
  3. If the client certificate is protected with a password, set the sslPEMKeyPwd property to the password.
  4. Choose one:
    • To verify the server using a certificate from a specific .pem file, set the sslCAFile property to the full path of the .pem file.
    • Or, to verify the server using certificates stored in multiple .pem files, set the sslCADir property to the full path of the directory where the .pem files are located.
  5. Set the sslCRLFile property to the full path of the .pem file containing the list of revoked certificates.
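
The following audit script is an added example, not part of the connector or its documentation. It merges a DSN from an odbc.ini with a connection string (the connection string wins, as described above) and reports which of the three SSL configurations results. The DSN names, file paths and the function names effective_settings and audit are constructed for illustration, and treating property names as case-insensitive is an assumption.

```python
import configparser
import re

# Constructed sample odbc.ini; DSN names and paths are placeholders.
SAMPLE_INI = """
[MongoUnverified]
SSL=1
sslAllowInvalidCertificates=1

[MongoOneWay]
SSL=1
sslCAFile=/etc/ssl/mongo/ca.pem
sslCRLFile=/etc/ssl/mongo/crl.pem

[MongoTwoWay]
SSL=1
sslPEMKeyFile=/etc/ssl/mongo/client.pem
sslCADir=/etc/ssl/mongo/ca.d
sslCRLFile=/etc/ssl/mongo/crl.pem
"""

def effective_settings(ini_text, dsn, conn_str=""):
    """Merge a DSN's properties with a connection string; the string wins."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(ini_text)  # option names are lowercased by configparser
    merged = dict(cp[dsn]) if cp.has_section(dsn) else {}
    # key=value pairs separated by ';', values may be wrapped in {braces}
    for key, val in re.findall(r"([^=;]+)=(\{[^}]*\}|[^;]*)", conn_str):
        merged[key.strip().lower()] = val.strip().strip("{}")
    return merged

def audit(s):
    """Return (mode, findings) for one merged set of properties."""
    if s.get("ssl") != "1":
        return "no-ssl", ["SSL is not set to 1"]
    if s.get("sslallowinvalidcertificates") == "1":
        # Assumption: reported as unverified even if a CA file is also set.
        return "unverified", ["sslAllowInvalidCertificates=1: server identity is not verified"]
    findings = []
    if not (s.get("sslcafile") or s.get("sslcadir")):
        findings.append("neither sslCAFile nor sslCADir is set")
    if not s.get("sslcrlfile"):
        findings.append("sslCRLFile is not set")
    mode = "two-way" if s.get("sslpemkeyfile") else "one-way"
    return mode, findings

if __name__ == "__main__":
    for dsn in ("MongoUnverified", "MongoOneWay", "MongoTwoWay"):
        print(dsn, audit(effective_settings(SAMPLE_INI, dsn)))
```

Running the audit on the merged settings rather than on the DSN alone catches a connection string that sets sslAllowInvalidCertificates to 1 on top of an otherwise verified DSN.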