Transport Layer Security


Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are protocols designed to provide communication security over public networks. Users exchange a symmetric session key that is used to encrypt data exchanged between the parties.

By default, a FoundationDB cluster uses unencrypted connections among client and server processes. This document describes the Transport Layer Security (TLS) capabilities of FoundationDB, which enable security and authentication through a public/private key infrastructure. TLS is compiled into each FoundationDB binary. This document will describe the basic TLS capabilities of FoundationDB and document its implementation, which is based on LibreSSL. TLS-enabled servers will only communicate with other TLS-enabled servers and TLS-enabled clients. Therefore, a cluster’s machines must all enable TLS in order for TLS to be used.

Setting Up FoundationDB to use TLS

Enabling TLS in a new cluster

To set a new cluster to use TLS, use the -t flag on

user@host1$ sudo /usr/lib/foundationdb/ -t
/etc/foundationdb/fdb.cluster is now using address (TLS enabled)

This will configure the new cluster to communicate with TLS.


Depending on your operating system, version and configuration, there may be a firewall in place that prevents external access to certain ports. If necessary, please consult the appropriate documentation for your OS and ensure that all machines in your cluster can reach the ports configured in your configuration file.

Converting an existing cluster to use TLS (since v6.1)


Release 6.2 removed the “connected_coordinators” field from status.

Since version 6.1, FoundationDB clusters can be converted to TLS without downtime. FoundationDB server can listen to TLS and unencrypted traffic simultaneously on two separate ports. As a result, FDB clusters can live migrate to TLS:

  1. Restart each FoundationDB server individually, but with an additional listen address for TLS traffic:

    /path/to/fdbserver -C fdb.cluster -p -p

    Since, the server still listens to unencrypted traffic and the cluster file still contains the old address, rest of the processes will be able to talk to this new process.

  2. Once all processes are listening to both TLS and unencrypted traffic, switch one or more coordinator to use TLS. Therefore, if the old coordinator list was,,, the new one would be something like,, Switching few coordinators to TLS at a time allows a smoother migration and a window to find out clients who do not yet have TLS configured. The number of coordinators each client can connect to can be seen via fdbstatus (look for connected_coordinators field in clients):

    "clients" : {
        "count" : 2,
        "supported_versions" : [
                "client_version" : "6.1.0",
                "connected_clients" : [
                        "address" : "",
                        "connected_coordinators": 3,
                        "log_group" : "default"
                        "address" : "",
                        "connected_coordinators": 2,
                        "log_group" : "default"
            }, ...
  3. If there exist a client (e.g., the client in the above example) that cannot connect to all coordinators after a coordinator is switched to TLS, it mean the client does not set up its TLS correctly. System operator should notify the client to correct the client’s TLS configuration. Otherwise, when all coordinators are switched to TLS ports, the client will loose connection.

  4. Repeat (2) and (3) until all the addresses in coordinator list are TLS.

  5. Restart each FoundationDB server, but only with one public address that listens to TLS traffic only.

Converting an existing cluster to use TLS (< v6.1)

Enabling TLS on an existing (non-TLS) cluster cannot be accomplished without downtime because all processes must have TLS enabled to communicate. At startup, each server process enables TLS if the addresses in its cluster file are TLS-enabled. As a result, server processes must be stopped and restarted to convert them to use TLS. To convert the cluster to TLS in the most conservative way:

  1. Stop all FoundationDB clients and server processes in the cluster.

  2. Change all cluster files to have the :tls suffix for each coordinator.

  3. Restart the cluster and the clients.

Configuring TLS

The operation of TLS is configured through five settings. These settings can be provided as command-line options, client options, or environment variables, and are named as follows:

Command-line Option

Client Option

Environment Variable





Path to the file from which the local certificates can be loaded




Path to the file from which to load the private key




The byte-string for the verification of peer certificates and sessions




The byte-string representing the passcode for unencrypting the private key




Path to the file containing the CA certificates to trust

The value for each setting can be specified in more than one way. The actual valued used is determined in the following order:

  1. An explicitly specified value as a command-line option or client option, if one is given;

  2. The value of the environment variable, if one has been set;

  3. The default value

For the password, rather than using the command-line option, it is recommended to use the environment variable FDB_TLS_PASSWORD, as command-line options are more visible to other processes running on the same host.

As with all other command-line options to fdbserver, the TLS settings can be specified in the [fdbserver] section of the configuration file.

The settings for certificate file, key file, peer verification, password and CA file are interpreted by the software.

Default Values

Certificate file default location

The default behavior when the certificate or key file is not specified is to look for a file named fdb.pem in the current working directory. If this file is not present, an attempt is made to load a file from a system-dependent location as follows:

  • Linux: /etc/foundationdb/fdb.pem

  • macOS: /usr/local/etc/foundationdb/fdb.pem

  • Windows: C:\ProgramData\foundationdb\fdb.pem

Default Peer Verification

The default peer verification is Check.Valid=1.

Default Password

There is no default password. If no password is specified, it is assumed that the private key is unencrypted.


All files used by TLS must have sufficient read permissions such that the user running the FoundationDB server or client process can access them. It may also be necessary to have similar read permissions on the parent directories of the files used in the TLS configuration.

Automatic TLS certificate refresh

The TLS certificate will be automatically refreshed on a configurable cadence. The server will inspect the CA, certificate, and key files in the specified locations periodically, and will begin using the new versions if following criterion were met:

  • They are changed, judging by the last modified time.

  • They are valid certificates.

  • The key file matches the certificate file.

The refresh rate is controlled by --knob-tls-cert-refresh-delay-seconds. Setting it to 0 will disable the refresh.

The default LibreSSL-based implementation

FoundationDB offers TLS based on the LibreSSL library. By default, it will be enabled automatically when participating in a TLS-enabled cluster.

For TLS to operate, each process (both server and client) must have an X509 certificate, its corresponding private key, and the certificates with which it was signed. When a process begins to communicate with a FoundationDB server process, the peer’s certificate is checked to see if it is trusted and the fields of the peer certificate are verified. Peers must share the same root trusted certificate, and they must both present certificates whose signing chain includes this root certificate.

If the local certificate and chain is invalid, a FoundationDB server process bound to a TLS address will not start. In the case of invalid certificates on a client, the client will be able to start but will be unable to connect any TLS-enabled cluster.


LibreSSL can read certificates and their private keys in base64-encoded DER-formatted X.509 format (which is known as PEM). A PEM file can contain both certificates and a private key or the two can be stored in separate files.

Required files

A single file can contain the information as described in both of the following sections.

The certificate file

A file must be supplied that contains an ordered list of certificates. The first certificate is the process’ own certificate. Each following certificate must sign the one preceding it.

All but the last certificate are provided to peers during TLS handshake as the certificate chain.

The last certificate in the list is the trusted certificate.


If the certificate list contains only one certificate, that certificate must be self-signed and will be used as both the certificate chain and the trusted certificate.

Each of these certificates must be in the form:

--------BEGIN CERTIFICATE--------
--------END CERTIFICATE--------

The key file

The key file must contain the private key corresponding to the process’ own certificate. The private key must be in PKCS#8 format, which means that it must be surrounded by:


It can optionally be encrypted by the password provided to tls_password.

Certificate creation

If your organization already makes use of certificates for access control and securing communications, you should ask your security expert for organizational procedure for obtaining and verifying certificates. If the goal of enabling TLS is to make sure that only known machines can join or access the FoundationDB cluster and for securing communications, then creating your own certificates can serve these purposes.

The following set of commands uses the OpenSSL command-line tools to create a self-signed certificate and private key. The certificate is then joined with the private key in the output fdb.pem file:

user@host:> openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.crt
user@host:> cat cert.crt private.key > fdb.pem

Peer verification

A FoundationDB server or client will only communicate with peers that present a certificate chain that meets the verification requirements. By default, the only requirement is that the provided certificate chain ends in a certificate signed by the local trusted certificate.

Certificate field verification

With a peer verification string, FoundationDB servers and clients can adjust what is required of the certificate chain presented by a peer. These options can make the certificate requirements more rigorous or more lenient. You can specify multiple verification strings by providing additional tls_verify_peers command line arguments or concatenating them with |. All , or | in the verify peers fields should be escaped with \.

Turning down the validation

If the default checking of the certificate chain is too stringent, the verification string can contain settings to weaken what certificates are accepted.




Sets the current process to disable all further verification of a peer certificate.


Disables date checking of peer certificates. If the clocks in the cluster and between the clients and servers are not to be trusted, setting this value to 0 can allow communications to proceed.

Adding verification requirements

Requirements can be placed on the fields of the Issuer and Subject DNs in the peer’s own certificate. These requirements take the form of a comma-separated list of conditions. Each condition takes the form of field[<>]?=value. Only certain fields from a DN can be matched against.


Well known name


Common Name










Organizational Unit


Unique Identifier


Domain Component

The field of each condition may optionally have a DN prefix, which is otherwise considered to be for the Subject DN.



S., Subject., or none


I., or Issuer.


R., or Root.


Additionally, the verification can be restricted to certificates signed by a given root CA with the field Root.CN. This allows you to have different requirements for different root chains.

The value of a condition must be specified in a form derived from a subset of RFC 4514. Specifically, the “raw” notation (a value starting with the # character) is not accepted. Other escaping mechanisms, including specifying characters by hex notation, are allowed. The specified field’s value must exactly match the value in the peer’s certificate.

By default, the fields of a peer certificate’s DNs are not examined.

In addition to DNs, restrictions can be placed against X509 extensions. They are specified in the same fashion as DN requirements. The supported extensions are:


Well known name


Subject Alternative Name

Within a subject alternative name requirement, the value specified is required to have the form prefix:value, where the prefix specifies the type of value being matched against. The following prefixes are supported:


Well known name


Domain Name


Uniform Resource Identifier


IP Address


Email Address

The following operators are supported:


Match Type


Exact Match


Prefix Match


Suffix Match

Verification Examples

Let’s consider a certificate, whose abridged contents is:

        Version: 3 (0x2)
        Serial Number: 12938646789571341173 (0xb38f4eb406a5eb75)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team
        Subject: C=US, ST=California, L=Cupertino, O=Apple Inc., OU=FDB Team
        X509v3 extensions:
            X509v3 Subject Alternative Name:

A verification string of:

Check.Unexpired=0,I.C=US,C=US,S.O=Apple Inc.

Would pass, and:

  • Skip the check on all peer certificates that the certificate is not yet expired

  • Require that the Issuer has a Country field of US

  • Require that the Subject has a Country field of US

  • Require that the Subject has a Organization field of Apple Inc.

A verification string of:


Would pass, and:

  • Require that the Subject has an Organization field that starts with FDB

  • Require that the Subject has an Organization field that ends with Team

  • Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS with a value of

A verification string of:


Would pass, and:

  • Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS that begins with the value prod..

  • Require that the Subject has a Subject Alternative Name extension, which has one or more members of type DNS that ends with the value .org.