<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Connecting over SSL</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="mongo.connecting.html">Connecting</a></div> <div class="next" style="text-align: right; float: right;"><a href="mongo.connecting.auth.html">Authentication</a></div> <div class="up"><a href="mongo.connecting.html">Connecting</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="mongo.connecting.ssl" class="section"> <h2 class="title">Connecting over SSL</h2> <p class="para"> The driver supports connecting to <a href="https://docs.mongodb.com/manual/tutorial/configure-ssl/" class="link external">» MongoDB over SSL</a> and can optionally use <a href="context.ssl.html" class="link">SSL Stream Context</a> options to provide more details, such as verifying certificates against specific certificate chain, or authenticate to <a href="https://docs.mongodb.com/manual/tutorial/configure-x509/" class="link external">» MongoDB using X509 certificates</a>. </p> <div class="example" id="mongo.tutorial.insert.multiple-example"> <p><strong>Example #1 Connect to MongoDB Instance with SSL Encryption</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(</span><span style="color: #DD0000">"mongodb://server1"</span><span style="color: #007700">, array(</span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> <div class="example" id="mongo.tutorial.counting-example"> <p><strong>Example #2 Connect to MongoDB Instance with SSL Encryption, verifying it is who we think it is</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$SSL_DIR </span><span style="color: #007700">= </span><span style="color: #DD0000">"/vagrant/certs"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$SSL_FILE </span><span style="color: #007700">= </span><span style="color: #DD0000">"CA_Root_Certificate.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$ctx </span><span style="color: #007700">= </span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> array(<br /> </span><span style="color: #FF8000">/* Certificate Authority the remote server certificate must be signed by */<br /> </span><span style="color: #DD0000">"cafile" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$SSL_DIR </span><span style="color: #007700">. </span><span style="color: #DD0000">"/" </span><span style="color: #007700">. </span><span style="color: #0000BB">$SSL_FILE</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Disable self signed certificates */<br /> </span><span style="color: #DD0000">"allow_self_signed" </span><span style="color: #007700">=> </span><span style="color: #0000BB">false</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Verify the peer certificate against our provided Certificate Authority root certificate */<br /> </span><span style="color: #DD0000">"verify_peer" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">, </span><span style="color: #FF8000">/* Default to false pre PHP 5.6 */<br /><br /> /* Verify the peer name (e.g. hostname validation) */<br /> /* Will use the hostname used to connec to the node */<br /> </span><span style="color: #DD0000">"verify_peer_name" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Verify the server certificate has not expired */<br /> </span><span style="color: #DD0000">"verify_expiry" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">, </span><span style="color: #FF8000">/* Only available in the MongoDB PHP Driver */<br /> </span><span style="color: #007700">),<br />);<br /><br /></span><span style="color: #0000BB">$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br /> </span><span style="color: #DD0000">"mongodb://server1"</span><span style="color: #007700">, <br /> array(</span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">), <br /> array(</span><span style="color: #DD0000">"context" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> The <em>"verify_peer_name"</em> is new in PHP 5.6.0. The MongoDB driver as of 1.6.5 however has backported this feature into the driver itself, so it works with PHP 5.3 and 5.4 too </p> </p></blockquote> </div> <div class="example" id="mongo.tutorial.cursor-example"> <p><strong>Example #3 Connect to MongoDB Instance that Requires Client Certificates</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$SSL_DIR </span><span style="color: #007700">= </span><span style="color: #DD0000">"/vagrant/certs"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$SSL_FILE </span><span style="color: #007700">= </span><span style="color: #DD0000">"CA_Root_Certificate.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$MYCERT </span><span style="color: #007700">= </span><span style="color: #DD0000">"/vagrant/certs/ca-signed-client.pem"</span><span style="color: #007700">;<br /><br /></span><span style="color: #0000BB">$ctx </span><span style="color: #007700">= </span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">(array(<br /> </span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> array(<br /> </span><span style="color: #DD0000">"local_cert" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$MYCERT</span><span style="color: #007700">,<br /> </span><span style="color: #FF8000">/* If the certificate we are providing was passphrase encoded, we need to set it here */<br /> </span><span style="color: #DD0000">"passphrase" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"My Passphrase for the local_cert"</span><span style="color: #007700">,<br /><br /> </span><span style="color: #FF8000">/* Optionally verify the server is who he says he is */<br /> </span><span style="color: #DD0000">"cafile" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$SSL_DIR </span><span style="color: #007700">. </span><span style="color: #DD0000">"/" </span><span style="color: #007700">. </span><span style="color: #0000BB">$SSL_FILE</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"allow_self_signed" </span><span style="color: #007700">=> </span><span style="color: #0000BB">false</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"verify_peer" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"verify_peer_name" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> </span><span style="color: #DD0000">"verify_expiry" </span><span style="color: #007700">=> </span><span style="color: #0000BB">true</span><span style="color: #007700">,<br /> ),<br />));<br /><br /></span><span style="color: #0000BB">$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br /> </span><span style="color: #DD0000">"mongodb://server1/?ssl=true"</span><span style="color: #007700">, <br /> array(), <br /> array(</span><span style="color: #DD0000">"context" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> <div class="example" id="mongo.tutorial.criteria-example"> <p><strong>Example #4 Authenticating with X.509 certificates</strong></p> <div class="example-contents"><p> The username is the <em>certificate subject</em> from the X509, which can be extracted like this: </p></div> <div class="example-contents"> <div class="shellcode"><pre class="shellcode">openssl x509 -in /vagrant/certs/ca-signed-client.pem -inform PEM -subject -nameopt RFC2253</pre> </div> </div> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br />$ctx </span><span style="color: #007700">= </span><span style="color: #0000BB">stream_context_create</span><span style="color: #007700">( array(<br /> </span><span style="color: #DD0000">"ssl" </span><span style="color: #007700">=> array(<br /> </span><span style="color: #DD0000">"local_cert" </span><span style="color: #007700">=> </span><span style="color: #DD0000">"/vagrant/certs/ca-signed-client.pem"</span><span style="color: #007700">,<br /> )<br />) );<br /><br /></span><span style="color: #0000BB">$mc </span><span style="color: #007700">= new </span><span style="color: #0000BB">MongoClient</span><span style="color: #007700">(<br /> </span><span style="color: #DD0000">'mongodb://username@server1/?authSource=$external&authMechanism=MONGODB-X509&ssl=true'</span><span style="color: #007700">, <br /> array(), <br /> array(</span><span style="color: #DD0000">"context" </span><span style="color: #007700">=> </span><span style="color: #0000BB">$ctx</span><span style="color: #007700">)<br />);<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <div class="example-contents"><p> Where <em>username</em> is the certificate subject. </p></div> </div> <div class="simplesect"> <h3 class="title">Changelog</h3> <table class="doctable informaltable"> <thead> <tr> <th>Version</th> <th>Description</th> </tr> </thead> <tbody class="tbody"> <tr> <td>1.5.0</td> <td> Added support for X509 authentication. </td> </tr> <tr> <td>1.4.0</td> <td> Added support for connecting to SSL enabled MongoDB. </td> </tr> </tbody> </table> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="mongo.connecting.html">Connecting</a></div> <div class="next" style="text-align: right; float: right;"><a href="mongo.connecting.auth.html">Authentication</a></div> <div class="up"><a href="mongo.connecting.html">Connecting</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>