@@ -16,6 +16,14 @@ command::
1616
1717 $ python -m pip install pymongo[tls]
1818
19+ Starting with PyMongo 3.11 this installs `PyOpenSSL
20+ <https://pypi.org/project/pyOpenSSL/> `_, `requests `_
21+ and `service_identity
22+ <https://pypi.org/project/service_identity/> `_
23+ for users of Python versions older than 2.7.9. PyOpenSSL supports SNI for these
24+ old Python versions allowing applictions to connect to Altas free and shared
25+ tier instances.
26+
1927Earlier versions of PyMongo require you to manually install the dependencies
2028listed below.
2129
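Review bot: typos in the new paragraph at lines 23-25: "applictions" should be "applications" and "Altas" should be "Atlas". The `requests` link on line 20 also has no URL target (compare the `PyOpenSSL` and `service_identity` links, which carry `<https://pypi.org/project/...>`), so it will render as a broken reference; add `<https://pypi.org/project/requests/>` or drop the link syntax.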
@@ -103,8 +111,9 @@ Specifying a CA file
103111....................
104112
105113In some cases you may want to configure PyMongo to use a specific set of CA
106- certificates. This is most often the case when using "self-signed" server
107- certificates. The `ssl_ca_certs ` option takes a path to a CA file. It can be
114+ certificates. This is most often the case when you are acting as your own
115+ certificate authority rather than using server certificates signed by a well
116+ known authority. The `ssl_ca_certs ` option takes a path to a CA file. It can be
108117passed as a keyword argument::
109118
110119 >>> client = pymongo.MongoClient('example.com',
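Review bot: the rewrite drops the "self-signed" server certificate case entirely, but that case is still a valid use of `ssl_ca_certs` (a self-signed server certificate is its own issuer and can be placed in the CA file). Consider keeping it alongside the new "acting as your own certificate authority" wording, e.g. "This is most often the case when you are acting as your own certificate authority, or when the server uses a self-signed certificate, rather than ...".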
@@ -132,6 +141,8 @@ Or, in the URI::
132141 >>> uri = 'mongodb://example.com/?ssl=true&ssl_crlfile=/path/to/crl.pem'
133142 >>> client = pymongo.MongoClient(uri)
134143
144+ .. note :: Certificate revocation lists and :ref:`OCSP` cannot be used together.
145+
135146Client certificates
136147...................
137148
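Review bot: the new note at line 144 says CRLs and OCSP "cannot be used together" but not what happens when both are configured (is `ssl_crlfile` ignored, is OCSP checking skipped, or does `MongoClient` raise?). State the observable behaviour so users can tell which check is actually in effect.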
@@ -162,12 +173,37 @@ to decrypt encrypted private keys. Use the `ssl_pem_passphrase` option::
162173
163174These options can also be passed as part of the MongoDB URI.
164175
176+ .. _OCSP :
177+
178+ OCSP
179+ ....
180+
181+ Starting with PyMongo 3.11, if PyMongo was installed with the "ocsp" extra::
182+
183+ python -m pip install pymongo[ocsp]
184+
185+ certificate revocation checking is enabled by way of `OCSP (Online Certification
186+ Status Protocol) <https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol> `_.
187+ MongoDB 4.4+ `staples OCSP responses <https://en.wikipedia.org/wiki/OCSP_stapling >`_
188+ to the TLS handshake which PyMongo will verify, failing the TLS handshake if
189+ the stapled OCSP response is invalid or indicates that the peer certificate is
190+ revoked.
191+
192+ When connecting to a server version older than 4.4, or when a 4.4+ version of
193+ MongoDB does not staple an OCSP response, PyMongo will attempt to connect
194+ directly to an OCSP endpoint if the peer certificate specified one. The TLS
195+ handshake will only fail in this case if the response indicates that the
196+ certificate is revoked. Invalid or malformed responses will be ignored,
197+ favoring availability over maximum security.
198+
199+
165200Troubleshooting TLS Errors
166201..........................
167202
168- TLS errors often fall into two categories, certificate verification failure or
169- protocol version mismatch. An error message similar to the following means that
170- OpenSSL was not able to verify the server's certificate::
203+ TLS errors often fall into three categories - certificate verification failure,
204+ protocol version mismatch or certificate revocation checking failure. An error
205+ message similar to the following means that OpenSSL was not able to verify the
206+ server's certificate::
171207
172208 [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
173209
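Review bot: "Online Certification Status Protocol" on line 185 should be "Online Certificate Status Protocol" (the linked article is `Online_Certificate_Status_Protocol`). More importantly, the soft-fail behaviour described at lines 192-197 (invalid or malformed responses are ignored, "favoring availability over maximum security") should also say what happens when the OCSP endpoint is unreachable or times out, and whether there is any way to opt into hard failure or to disable the direct responder query; as written, a reader cannot tell how much revocation protection the non-stapled path really gives.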
@@ -200,3 +236,9 @@ TLS protocols be disabled in some MongoDB deployments. Some deployments may
200236disable TLS 1.0, others may disable TLS 1.0 and TLS 1.1. See the warning
201237earlier in this document for troubleshooting steps and solutions.
202238
239+ An error message similar to the following message means that certificate
240+ revocation checking failed::
241+
242+ [('SSL routines', 'tls_process_initial_server_flight', 'invalid status response')]
243+
244+ See :ref: `OCSP ` for more details.
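Review bot: the sample error at line 242 ("invalid status response") corresponds to the invalid-stapled-response case from the OCSP section; the text should say so and, if a revoked certificate produces a different message, show that one too, since "certificate revocation checking failed" currently covers both outcomes. Also the reference markup on line 244 has stray spaces (`:ref: \`OCSP \``) that will break the cross-reference; it should read `:ref:\`OCSP\``.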