ArangoDB Server SSL Options

    Given an IPv4 address:

    --server.endpoint ssl://ipv4-address:port

    Given an IPv6 address:

    --server.endpoint ssl://[ipv6-address]:port

    Note: If you are using SSL-encrypted endpoints, you must also supply the path to a server certificate using the --ssl.keyfile option.

    --ssl.keyfile filename

    If SSL encryption is used, this option must be used to specify the filename of the server private key. The file must be PEM formatted and contain both the certificate and the server’s private key.

    The file specified by filename can be generated using OpenSSL:

    You may use certificates issued by a Certificate Authority or self-signed certificates. Self-signed certificates can be created by a tool of your choice. When using OpenSSL for creating the self-signed certificate, the following commands should create a valid keyfile:

    For further information please check the manuals of the tools you use to create the certificate.

    Server Name Indication (SNI)

    Introduced in: v3.7.0

    This feature is controlled with the startup option:

    --ssl.server-name-indication

    … which can be given multiple times and for which each value must be a string , where SERVERNAME is replaced by a server name and KEYFILENAME is replaced by the file name of the key file to be used for that server name. The format of the key file is identical to the one used for the --ssl.keyfile option described in the previous section. The key file used by default is the one in the --ssl.keyfile option, and only if there is an exact match between one server name given with --ssl.server-name-indication and the one in the handshake, the server switches to the alternative key file.

    This option can be used to specify a file with CA certificates that are sent to the client whenever the server requests a client certificate. If the file is specified, The server will only accept client requests with certificates issued by these CAs. Do not specify this option if you want clients to be able to connect without specific certificates.

    The certificates in filename must be PEM formatted.

    SSL protocol

    --ssl.protocol value

    Use this option to specify the default encryption protocol to be used. The following variants are available:

    • 2: SSLv2 or SSLv3 (negotiated)
    • 3: SSLv3
    • 4: TLSv1
    • 5: TLSv1.2
    • 9: generic TLS (negotiated)

    The default value is 9 (generic TLS), which will allow the negotiation of the TLS version between the client and the server, dynamically choosing the highest mutually supported version of TLS.

    Note that SSLv2 is unsupported as of ArangoDB 3.4, because of the inherent security vulnerabilities in this protocol. Selecting SSLv2 as protocol will abort the startup.

    --ssl.session-cache value

    Set to true if SSL session caching should be used.

    SSL peer certificate

    This option is only available in the .

    --ssl.require-peer-certificate

    Require a peer certificate from the client before connecting.

    --ssl.options value

    This option can be used to set various SSL-related options. Individual option values must be combined using bitwise OR.

    Which options are available on your platform is determined by the OpenSSL version you use. The list of options available on your platform might be retrieved by the following shell command:

    A description of the options can be found online in the OpenSSL documentation

    SSL cipher

    --ssl.cipher-list cipher-list

    This option can be used to restrict the server to certain SSL ciphers only, and to define the relative usage preference of SSL ciphers.

    The format of cipher-list is documented in the OpenSSL documentation.

    To check which ciphers are available on your platform, you may use the following shell command:

    The default value for cipher-list is “ALL”.