ArangoDB Server SSL Options

    Given an IPv4 address:

    —server.endpoint ssl://ipv4-address:port

    Given an IPv6 address:

    —server.endpoint ssl://[ipv6-address]:port

    Note: If you are using SSL-encrypted endpoints, you must also supply thepath to a server certificate using the option.

    —ssl.keyfile filename

    If SSL encryption is used, this option must be used to specify the filename ofthe server private key. The file must be PEM formatted and contain both thecertificate and the server’s private key.

    The file specified by filename can be generated using OpenSSL:

    You may use certificates issued by a Certificate Authority or self-signedcertificates. Self-signed certificates can be created by a tool of yourchoice. When using OpenSSL for creating the self-signed certificate, thefollowing commands should create a valid keyfile:

    CA File

    —ssl.cafile filename

    This option can be used to specify a file with CA certificates that are sent tothe client whenever the server requests a client certificate. If the file isspecified, The server will only accept client requests with certificates issuedby these CAs. Do not specify this option if you want clients to be able toconnect without specific certificates.

    The certificates in filename must be PEM formatted.

    Use this option to specify the default encryption protocol to be used. Thefollowing variants are available:

    • 1: SSLv2 (unsupported)
    • 3: SSLv3
    • 4: TLSv1
    • 5: TLSv1.2
    • 6: TLSv1.3

    The default value is 9 (generic TLS), which will allow the negotiation ofthe TLS version between the client and the server, dynamically choosing thehighest mutually supported version of TLS.

    Note that SSLv2 is unsupported as of ArangoDB 3.4, because of the inherent security vulnerabilities in this protocol. Selecting SSLv2 as protocol willabort the startup.

    SSL cache

    —ssl.session-cache value

    Set to true if SSL session caching should be used.

    value has a default value of false (i.e. no caching).

    —ssl.require-peer-certificate

    Require a peer certificate from the client before connecting.

    SSL options

    This option can be used to set various SSL-related options. Individual optionvalues must be combined using bitwise OR.

    Which options are available on your platform is determined by the OpenSSLversion you use. The list of options available on your platform might beretrieved by the following shell command:

    A description of the options can be found online in the

    —ssl.cipher-list cipher-list

    This option can be used to restrict the server to certain SSL ciphers only, andto define the relative usage preference of SSL ciphers.

    The format of cipher-list is documented in the OpenSSL documentation.

    To check which ciphers are available on your platform, you may use thefollowing shell command: