ArangoDB Server SSL Options
Given an IPv4 address:
Given an IPv6 address:
Note: If you are using SSL-encrypted endpoints, you must also supply thepath to a server certificate using the option.
If SSL encryption is used, this option must be used to specify the filename ofthe server private key. The file must be PEM formatted and contain both thecertificate and the server’s private key.
The file specified by filename can be generated using OpenSSL:
You may use certificates issued by a Certificate Authority or self-signedcertificates. Self-signed certificates can be created by a tool of yourchoice. When using OpenSSL for creating the self-signed certificate, thefollowing commands should create a valid keyfile:
This option can be used to specify a file with CA certificates that are sent tothe client whenever the server requests a client certificate. If the file isspecified, The server will only accept client requests with certificates issuedby these CAs. Do not specify this option if you want clients to be able toconnect without specific certificates.
The certificates in filename must be PEM formatted.
Use this option to specify the default encryption protocol to be used. Thefollowing variants are available:
- 1: SSLv2 (unsupported)
- 3: SSLv3
- 4: TLSv1
- 5: TLSv1.2
- 6: TLSv1.3
The default value is 9 (generic TLS), which will allow the negotiation ofthe TLS version between the client and the server, dynamically choosing thehighest mutually supported version of TLS.
Note that SSLv2 is unsupported as of ArangoDB 3.4, because of the inherent security vulnerabilities in this protocol. Selecting SSLv2 as protocol willabort the startup.
Set to true if SSL session caching should be used.
value has a default value of false (i.e. no caching).
Require a peer certificate from the client before connecting.
This option can be used to set various SSL-related options. Individual optionvalues must be combined using bitwise OR.
Which options are available on your platform is determined by the OpenSSLversion you use. The list of options available on your platform might beretrieved by the following shell command:
A description of the options can be found online in the
This option can be used to restrict the server to certain SSL ciphers only, andto define the relative usage preference of SSL ciphers.
The format of cipher-list is documented in the OpenSSL documentation.
To check which ciphers are available on your platform, you may use thefollowing shell command: