The following drivers are feature compatible with MongoDB 4.0:
Java 3.8.0
Python 3.7.0
C 1.11.0
C# 2.7
Node 3.1.0
Ruby 2.6.0
Perl 2.0.0
PHPC 1.5.0
Scala 2.4.0

Security

Add Support for SCRAM-SHA-256

NOTE
To use SCRAM-SHA-256 View FeatureCompatibilityVersion and setFeatureCompatibilityVersion.

MongoDB adds support for the SCRAM mechanism SCRAM-SHA-256, which uses the SHA-256 hash function. To modify the iteration count for SCRAM-SHA-256, MongoDB adds a new parameter, scramSHA256IterationCount.

New Option for Create and Update User Operations

When creating or updating a SCRAM user, you can indicate the specific SCRAM mechanism or mechanisms to use for the user credentials. Specifically, MongoDB 4.0 adds the mechanisms option to the following commands and mongo shell helpers:

Command       Method
createUser    db.createUser()
updateUser    db.updateUser()

When using SCRAM-SHA-256, MongoDB (i.e. the server) requires an undigested password. Starting in MongoDB 4.0, the default value of digestPassword is true for createUser, and the default value of passwordDigestor is "server". In earlier MongoDB versions, the defaults are false and "client", respectively.

New Option for isMaster Command

Starting in MongoDB 4.0, the isMaster command accepts an optional field saslSupportedMechs: <db.user> to return an additional field isMaster.saslSupportedMechs in its result.
isMaster.saslSupportedMechs is an array of SASL mechanisms used to create the specified user’s credentials.

Remove Support for MONGODB-CR

Starting in version 4.0, MongoDB removes support for the deprecated MongoDB Challenge-Response (MONGODB-CR) authentication mechanism.
Since version 3.0, MongoDB has not supported the creation of MONGODB-CR users unless the deployment had been upgraded from a 2.6 or earlier deployment that already had MONGODB-CR users and had not upgraded the authentication schema.
If your deployment has user credentials stored in the MONGODB-CR schema, you must upgrade to Salted Challenge Response Authentication Mechanism (SCRAM); see Upgrade to SCRAM.

usersInfo Enhancement

The usersInfo command can return information across all databases by specifying:
    { usersInfo: { forAllDBs: true } }

The usersInfo command and the mongo shell helpers db.getUser() and db.getUsers() accept a new optional filter document. The filter document specifies $match stage conditions to return information only for users that match the conditions.
The usersInfo command and the mongo shell helpers db.getUser() and db.getUsers() return the mechanisms field for the user.
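
One way to use the mechanisms field in an upgrade audit, as an added example that is not part of the MongoDB documentation: it groups users from a usersInfo result by whether they already hold SCRAM-SHA-256 credentials and builds the isMaster documents described above for the rest. The function names, the sample users and the "external" mechanism value shown for the $external user are assumptions made for illustration.

```javascript
// Added example. In the mongo shell the input would come from:
//   db.adminCommand({ usersInfo: { forAllDBs: true } })
// The result below is constructed sample data, not real output.
const sampleResult = {
  users: [
    { _id: "admin.root", user: "root", db: "admin",
      mechanisms: ["SCRAM-SHA-1", "SCRAM-SHA-256"] },
    { _id: "app.legacy", user: "legacy", db: "app",
      mechanisms: ["SCRAM-SHA-1"] },
    { _id: "app.svc", user: "svc", db: "app",
      mechanisms: ["SCRAM-SHA-256"] },
    // Assumed shape for a user authenticated outside SCRAM (e.g. x.509).
    { _id: "$external.CN=client", user: "CN=client", db: "$external",
      mechanisms: ["external"] },
    // No mechanisms field at all, as a pre-4.0 server would return.
    { _id: "old.nofield", user: "nofield", db: "old" }
  ],
  ok: 1
};

// Decide which bucket one user document belongs to.
function classifyUser(u) {
  const mechs = Array.isArray(u.mechanisms) ? u.mechanisms : [];
  if (u.db === "$external") return "external";       // no SCRAM credentials
  if (mechs.includes("SCRAM-SHA-256")) return "ok";
  if (mechs.includes("SCRAM-SHA-1")) return "sha1-only";
  return "unknown";                                   // field missing or empty
}

// Group every user in a usersInfo result as "<db>.<user>".
function auditMechanisms(result) {
  const report = { ok: [], "sha1-only": [], external: [], unknown: [] };
  for (const u of result.users || []) {
    report[classifyUser(u)].push(`${u.db}.${u.user}`);
  }
  return report;
}

// isMaster documents (saslSupportedMechs: "<db.user>") for users that
// need a follow-up check before clients are moved to SCRAM-SHA-256.
function followUpCommands(report) {
  return report["sha1-only"].concat(report.unknown)
    .map((id) => ({ isMaster: 1, saslSupportedMechs: id }));
}
```

Users reported as sha1-only gain SCRAM-SHA-256 credentials only when their password is set again with the mechanisms option, since the server needs the undigested password to derive them.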

TLS 1.2

MongoDB 4.0 binaries for macOS support TLS 1.2.

Disable TLS 1.0

MongoDB binaries (mongod, mongos, and mongo) disable support for TLS 1.0 encryption on systems where TLS 1.1+ is available.
If you need to support TLS 1.0:
For mongod instances, you can specify none to net.ssl.disabledProtocols or
For mongos instances, you can specify none to net.ssl.disabledProtocols or
For the mongo shell, you can specify mongo shell in:
MongoDB version 4.0+
MongoDB version 3.6.5+
MongoDB version 3.4.15+

On macOS, connecting mongo shell version 3.6.4 or earlier to a MongoDB 4.0+ deployment requires explicitly enabling TLS 1.0.

AES-GCM

MongoDB Enterprise on Windows no longer supports AES256-GCM.

New Privilege Actions

To support free Cloud monitoring:
checkFreeMonitoringStatus
setFreeMonitoring

MongoDB modifies the clusterMonitor role to include these privileges.

x.509 Authentication Certificate Restrictions

Starting in MongoDB 4.0, if you specify --sslAllowInvalidCertificates or ssl.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is insufficient for authentication.
If you are using invalid certificates to perform x.509 authentication, update your certificates to valid certificates. For example, you may sign your existing certificates with a trusted CA, or if using a custom CA, specify that CA using net.ssl.CAFile.

Enable System Store for SSL on Windows and Mac

The certificateSelector setting allows mongod, the mongo shell and mongos to use system SSL certificate stores for Windows and Mac.
The clusterCertificateSelector setting allows mongod and mongos to use system SSL certificate stores for Windows and Mac for internal SSL communication within a cluster.