mongo-php-connecting-php-ssl-0

    Connecting over SSL

    The driver supports connecting to MongoDB over SSL and can
    optionally use SSL Stream Context options to provide more details,
    such as verifying certificates against a specific certificate chain,
    or authenticating to MongoDB using X509 certificates.

    Example #1 Connect to MongoDB Instance with SSL Encryption

    <?php
    $mc = new MongoClient("mongodb://server1", array("ssl" => true));
    ?>

    Example #2 Connect to MongoDB Instance with SSL Encryption,
    verifying it is who we think it is

    <?php
    $SSL_DIR  = "/vagrant/certs";
    $SSL_FILE = "CA_Root_Certificate.pem";

    $ctx = stream_context_create(array(
        "ssl" => array(
            /* Certificate Authority the remote server certificate must be signed by */
            "cafile"            => $SSL_DIR . "/" . $SSL_FILE,

            /* Disable self signed certificates */
            "allow_self_signed" => false,

            /* Verify the peer certificate against our provided Certificate Authority root certificate */
            "verify_peer"       => true, /* Default to false pre PHP 5.6 */

            /* Verify the peer name (e.g. hostname validation) */
            /* Will use the hostname used to connect to the node */
            "verify_peer_name"  => true,

            /* Verify the server certificate has not expired */
            "verify_expiry"     => true, /* Only available in the MongoDB PHP Driver */
        ),
    ));

    $mc = new MongoClient(
        "mongodb://server1",
        array("ssl" => true),
        array("context" => $ctx)
    );
    ?>

    Note:

    The “verify_peer_name” option is new in PHP 5.6.0. As of 1.6.5,
    however, the MongoDB driver has backported this feature into the
    driver itself, so it works with PHP 5.3 and 5.4 too.

    Example #3 Connect to MongoDB Instance that Requires Client
    Certificates

    <?php
    $SSL_DIR  = "/vagrant/certs";
    $SSL_FILE = "CA_Root_Certificate.pem";

    $MYCERT   = "/vagrant/certs/ca-signed-client.pem";

    $ctx = stream_context_create(array(
        "ssl" => array(
            "local_cert"        => $MYCERT,
            /* If the certificate we are providing was passphrase encoded, we need to set it here */
            "passphrase"        => "My Passphrase for the local_cert",

            /* Optionally verify the server is who it says it is */
            "cafile"            => $SSL_DIR . "/" . $SSL_FILE,
            "allow_self_signed" => false,
            "verify_peer"       => true,
            "verify_peer_name"  => true,
            "verify_expiry"     => true,
        ),
    ));

    $mc = new MongoClient(
        "mongodb://server1/?ssl=true",
        array(),
        array("context" => $ctx)
    );
    ?>

    Example #4 Authenticating with X.509 certificates

    The username is the certificate subject from the X509,
    which can be extracted like this:

    openssl x509 -in /vagrant/certs/ca-signed-client.pem -inform PEM -subject -nameopt RFC2253
    
    <?php
    $ctx = stream_context_create(array(
        "ssl" => array(
            "local_cert" => "/vagrant/certs/ca-signed-client.pem",
        )
    ));

    /* Single quotes keep $external literal instead of interpolating a variable */
    $mc = new MongoClient(
        'mongodb://username@server1/?authSource=$external&authMechanism=MONGODB-X509&ssl=true',
        array(),
        array("context" => $ctx)
    );
    ?>

    Where username is the certificate subject.
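
    An added example, not part of the original manual page: it reads the
    subject from the client certificate in PHP, in the RFC 2253 order the
    openssl command above prints, refuses an expired certificate, and builds
    the X.509 authentication options. The function names and the self-signed
    sample certificate generated at run time are assumptions of this example;
    it assumes ASCII, single-valued subject attributes and passes the username
    through the constructor's options array instead of the URI.

```php
<?php
/* Added example (not from the manual): derive the MONGODB-X509 username
   from the client certificate. Function names are hypothetical. Assumes
   ASCII, single-valued subject attributes. */

/* Escape one attribute value as RFC 2253 requires */
function rfc2253_escape($value) {
    $value = preg_replace('/([,+"\\\\<>;])/', '\\\\$1', $value);
    $value = preg_replace('/^([ #])/', '\\\\$1', $value);
    return preg_replace('/ \z/', '\\\\ ', $value);
}

/* Return the subject in RFC 2253 form: most specific attribute first */
function x509_subject_rfc2253($pem) {
    $info = openssl_x509_parse($pem);
    if ($info === false) {
        throw new InvalidArgumentException("Not a parsable X.509 certificate");
    }
    if ($info["validTo_time_t"] < time()) {
        throw new RuntimeException("Client certificate has expired");
    }
    $rdns = array();
    foreach ($info["subject"] as $attr => $value) {
        if (is_array($value)) {
            throw new RuntimeException("Repeated attribute $attr: use openssl instead");
        }
        $rdns[] = $attr . "=" . rfc2253_escape($value);
    }
    return implode(",", array_reverse($rdns));
}

/* MongoClient options for X.509 authentication with that subject */
function x509_client_options($pem) {
    return array(
        "username"      => x509_subject_rfc2253($pem),
        "authMechanism" => "MONGODB-X509",
        "authSource"    => '$external',
        "ssl"           => true,
    );
}

/* Constructed sample: a throwaway self-signed certificate made at run time */
$key = openssl_pkey_new(array("private_key_bits" => 2048));
$dn  = array("countryName" => "US", "organizationName" => "Example, Inc.", "commonName" => "client1");
$crt = openssl_csr_sign(openssl_csr_new($dn, $key), null, $key, 30);
openssl_x509_export($crt, $pem);

print_r(x509_client_options($pem));
/* Then: new MongoClient("mongodb://server1", $options, array("context" => $ctx)) with $ctx as in Example #4 */
```

    Compare the printed username with the output of the openssl command
    before relying on it, since the server matches the subject exactly.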

    Changelog

    Version    Description
    1.5.0      Added support for X509 authentication.
    1.4.0      Added support for connecting to SSL enabled MongoDB.