<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Connecting over SSL</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="mongo.connecting.html">Connecting</a></div>
<div class="next" style="text-align: right; float: right;"><a href="mongo.connecting.auth.html">Authentication</a></div>
<div class="up"><a href="mongo.connecting.html">Connecting</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="mongo.connecting.ssl" class="section">
<h2 class="title">Connecting over SSL</h2>
<p class="para">
The driver supports connecting to <a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/" class="link external">» MongoDB over SSL</a>
and can optionally use <a href="context.ssl.html" class="link">SSL Stream Context</a> options to provide more details,
such as verifying certificates against specific certificate chain, or authenticate to
<a href="https://docs.mongodb.com/manual/tutorial/configure-x509/" class="link external">» MongoDB using X509 certificates</a>.
</p>
<div class="example" id="mongo.tutorial.insert.multiple-example">
<p><strong>Example #1 Connect to MongoDB Instance with SSL Encryption</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(</span><span style="color: #DD0000">"mongodb://server1"</span><span style="color: #007700">, array(</span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
<div class="example" id="mongo.tutorial.counting-example">
<p><strong>Example #2 Connect to MongoDB Instance with SSL Encryption, verifying it is who we think it is</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$SSL_DIR </span><span style="color: #007700">= </span><span style="color: #DD0000">"/vagrant/certs"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$SSL_FILE </span><span style="color: #007700">= </span><span style="color: #DD0000">"CA_Root_Certificate.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$ctx </span><span style="color: #007700">= </span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> array(<br /> </span><span style="color: #FF8000">/* Certificate Authority the remote server certificate must be signed by */<br /> </span><span style="color: #DD0000">"cafile" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$SSL_DIR </span><span style="color: #007700">. </span><span style="color: #DD0000">"/" </span><span style="color: #007700">. </span><span style="color: #0000BB">$SSL_FILE</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Disable self signed certificates */<br /> </span><span style="color: #DD0000">"allow_self_signed" </span><span style="color: #007700">=> </span><span style="color: #0000BB">false</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Verify the peer certificate against our provided Certificate Authority root certificate */<br /> </span><span style="color: #DD0000">"verify_peer" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">, </span><span style="color: #FF8000">/* Default to false pre PHP 5.6 */<br /><br /> /* Verify the peer name (e.g. hostname validation) */<br /> /* Will use the hostname used to connec to the node */<br /> </span><span style="color: #DD0000">"verify_peer_name" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Verify the server certificate has not expired */<br /> </span><span style="color: #DD0000">"verify_expiry" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">, </span><span style="color: #FF8000">/* Only available in the MongoDB PHP Driver */<br /> </span><span style="color: #007700">),<br />);<br /><br /></span><span style="color: #0000BB">$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br /> </span><span style="color: #DD0000">"mongodb://server1"</span><span style="color: #007700">, <br /> array(</span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">), <br /> array(</span><span style="color: #DD0000">"context" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
<blockquote class="note"><p><strong class="note">Note</strong>:
<p class="para">
The <em>"verify_peer_name"</em> is new in PHP 5.6.0. The
MongoDB driver as of 1.6.5 however has backported this feature into the
driver itself, so it works with PHP 5.3 and 5.4 too
</p>
</p></blockquote>
</div>
<div class="example" id="mongo.tutorial.cursor-example">
<p><strong>Example #3 Connect to MongoDB Instance that Requires Client Certificates</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$SSL_DIR </span><span style="color: #007700">= </span><span style="color: #DD0000">"/vagrant/certs"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$SSL_FILE </span><span style="color: #007700">= </span><span style="color: #DD0000">"CA_Root_Certificate.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$MYCERT </span><span style="color: #007700">= </span><span style="color: #DD0000">"/vagrant/certs/ca-signed-client.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$ctx </span><span style="color: #007700">= </span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> array(<br /> </span><span style="color: #DD0000">"local_cert" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$MYCERT</span><span style="color: #007700">,<br /> </span><span style="color: #FF8000">/* If the certificate we are providing was passphrase encoded, we need to set it here */<br /> </span><span style="color: #DD0000">"passphrase" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"My Passphrase for the local_cert"</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Optionally verify the server is who he says he is */<br /> </span><span style="color: #DD0000">"cafile" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$SSL_DIR </span><span style="color: #007700">. </span><span style="color: #DD0000">"/" </span><span style="color: #007700">. </span><span style="color: #0000BB">$SSL_FILE</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"allow_self_signed" </span><span style="color: #007700">=> </span><span style="color: #0000BB">false</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"verify_peer" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"verify_peer_name" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"verify_expiry" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> ),<br />));<br /><br /></span><span style="color: #0000BB">$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br /> </span><span style="color: #DD0000">"mongodb://server1/?ssl=true"</span><span style="color: #007700">, <br /> array(), <br /> array(</span><span style="color: #DD0000">"context" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
<div class="example" id="mongo.tutorial.criteria-example">
<p><strong>Example #4 Authenticating with X.509 certificates</strong></p>
<div class="example-contents"><p>
The username is the <em>certificate subject</em> from the X509, which can be extracted like this:
</p></div>
<div class="example-contents">
<div class="shellcode"><pre class="shellcode">openssl x509 -in /vagrant/certs/ca-signed-client.pem -inform PEM -subject -nameopt RFC2253</pre>
</div>
</div>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br />$ctx </span><span style="color: #007700">= </span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">( array(<br /> </span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> array(<br /> </span><span style="color: #DD0000">"local_cert" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"/vagrant/certs/ca-signed-client.pem"</span><span style="color: #007700">,<br /> )<br />) );<br /><br /></span><span style="color: #0000BB">$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br /> </span><span style="color: #DD0000">'mongodb://username@server1/?authSource=$external&authMechanism=MONGODB-X509&ssl=true'</span><span style="color: #007700">, <br /> array(), <br /> array(</span><span style="color: #DD0000">"context" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
<div class="example-contents"><p>
Where <em>username</em> is the certificate subject.
</p></div>
</div>
<div class="simplesect">
<h3 class="title">Changelog</h3>
<table class="doctable informaltable">
<thead>
<tr>
<th>Version</th>
<th>Description</th>
</tr>
</thead>
<tbody class="tbody">
<tr>
<td>1.5.0</td>
<td>
Added support for X509 authentication.
</td>
</tr>
<tr>
<td>1.4.0</td>
<td>
Added support for connecting to SSL enabled MongoDB.
</td>
</tr>
</tbody>
</table>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="mongo.connecting.html">Connecting</a></div>
<div class="next" style="text-align: right; float: right;"><a href="mongo.connecting.auth.html">Authentication</a></div>
<div class="up"><a href="mongo.connecting.html">Connecting</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
