Release Notes for MongoDB 4.0 - MongoDB Drivers & Security

  • 管理員

    MongoDB Drivers

    The following drivers are feature compatible with MongoDB 4.0:

    Java 3.8.0

    Python 3.7.0

    C 1.11.0

    C# 2.7

    Node 3.1.0

    Ruby 2.6.0

    Perl 2.0.0

    PHPC 1.5.0

    Scala 2.4.0


    Add Support for SCRAM-SHA-256


    To use SCRAM-SHA-256View FeatureCompatibilityVersion andsetFeatureCompatibilityVersion.

    MongoDB adds support for SCRAMSCRAM-SHA-256, which uses the SHA-256 hash function. To modify the iteration count for SCRAM-SHA-256, MongoDB adds a new parameter scramSHA256IterationCount.

    New Option for Create and Update User Operations

    When creating or updating a SCRAM user, you can indicate the specific SCRAM mechanism or mechanisms to use for the user credentials. Specifically, MongoDB 4.0 adds the mechanisms option to the following commands and mongo shell helpers:


    When using SCRAM-SHA-256, MongoDB (i.e. the server) requires undigested password. Starting in MongoDB 4.0, the default value of digestPassword is true for createUser, and the default value of passwordDigestor is "server". In earlier MongoDB versions, digestPassword is false and clientrespectively.

    New Option for isMaster Command

    Starting in MongoDB 4.0, the isMaster command accepts an optional field saslSupportedMechs:<db.user> to return an additional field isMaster.saslSupportedMechs in its result.

    isMaster.saslSupportedMechs is an array of SASL mechanisms used to create the specified user’s credentials.

    Remove Support for MONGODB-CR

    Starting in version 4.0, MongoDB removes support for the deprecated MongoDB Challenge-Response (MONGODB-CR) authentication mechanism.

    Since version 3.0, MongoDB has not supported the creation of MONGODB-CR users unless the deployment had been upgraded from a 2.6 or earlier deployment that already had MONGODB-CR users and had not upgraded the authentication schema.

    If your deployment has user credentials stored in MONGODB-CR schema, you must upgrade to Salted Challenge Response Authentication Mechanism (SCRAM)Upgrade to SCRAM.

    usersInfo Enhancement

    The usersInfo command can return information across all databases by specifying:


    { usersInfo: { forAllDBs: true } }

    The usersInfo and the mongo shell helpers db.getUser() and db.getUsers() method accept a new optional filter document. The filter document specifies $match stage conditions to return information only for users that match the conditions.

    The usersInfo command and the mongo shell helpers db.getUser() and db.getUsers() method return the mechanisms field for the user.

    TLS 1.2

    MongoDB 4.0 binaries for macOS support TLS 1.2.

    Disable TLS 1.0

    MongoDB binaries (mongodmongos, and mongo) disables support for TLS 1.0 encryption on systems where TLS 1.1+ is available.

    If you need to support TLS 1.0:

    On macOS, to connect mongo shell version 3.6.4 or earlier to a MongoDB 4.0+ deployment requires explicit enabling of TLS 1.0.


    MongoDB Enterprise on Windows no longer supports AES256-GCM.

    New Privilege Actions

    To support free Cloud monitoringcheckFreeMonitoringStatus

  • setFreeMonitoring
  • MongoDB modifies the clusterMonitor role to include these privileges.

    x.509 Authentication Certificate Restrictions

    Starting in MongoDB 4.0, if you specify --sslAllowInvalidCertificates or ssl.allowInvalidCertificates: true when using x.509 authentication, an invalid certificate is only sufficient to establish a TLS/SSL connection but is insufficient for authentication.

    If you are using invalid certificates to perform x.509 authentication, update your certificates to valid certificates. For example, you may sign your existing certificates with a trusted CA, or if using a custom CA, specify that CA using net.ssl.CAFile.

    Enable System Store for SSL on Windows and Mac

    The certificateSelector setting) allows mongodmongo shell and mongos to use system SSL certificate stores for Windows and Mac.

    The clusterCertificateSelector setting) allowsmongod and mongos to use system SSL certificate stores for Windows and Mac for internal SSL communication within a cluster.


与 萌阔论坛 的连接断开,我们正在尝试重连,请耐心等待