I have implemented MongoDB TLS encryption on the server side (using self signed certs), with the following configuration.

systemLog:
      destination: file
      path: "/var/log/mongodb/mongod.log"
      logAppend: true
    storage:
      dbPath: "/data/db"
      journal:
        enabled: true
    net:
      bindIpAll: true
      port: 27017
      tls:
          mode: requireTLS
          certificateKeyFile: /etc/ssl/mongod.pem

How do I connect to this instance from client and verify that the TLS encryption is successful?

CodePudding user response：

Verification is simple, because you set requireTLS. If you can connect to the MongoDB, then TLS encryption is also successful, otherwise you cannot connect.

When you enable TLS, I assume you would also like to enable authorization. You would need to add.

security:
   authorization: enabled

If you authenticate user by username/password then you have to set allowConnectionsWithoutCertificates

net:
  port: 27017
  bindIpAll: true
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    allowConnectionsWithoutCertificates: true

Connection would be like this:

mongosh 'mongodb://user:password@hostname/?authSource=admin&tls=true&tlsCAFile=/etc/ssl/certs/ca-bundle.crt'

Note, if you use the legacy mongo shell, then you cannot use TLS setting in URI, instead use

mongo 'mongodb://user:password@hostname/?authSource=admin' --tls --tlsCAFile /etc/ssl/certs/ca-bundle.crt

Without allowConnectionsWithoutCertificates you would need also a certificate on the client, see Use x.509 Certificates to Authenticate Clients

If you just like to verify the TLS settings, I recommend openssl tool:

openssl s_client -showcerts -CAfile /etc/ssl/certs/ca-bundle.crt -brief -connect your_hostname:27017 <<< "Q"