[CSHARP-2830] Investigate whether the driver can support the tlsCAFile option Created: 31/Oct/19  Updated: 09/Feb/22  Resolved: 09/Feb/22

Status: Closed
Project: C# Driver
Component/s: Configuration, Security
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Major - P3
Reporter: Vincent Kam (Inactive) Assignee: Unassigned
Resolution: Won't Fix Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

According to the uri options spec (https://github.com/mongodb/specifications/blob/master/source/uri-options/uri-options.rst), the tlsCAFile option is "required if the driver's language/runtime allows non-global configuration."

The driver may be able to support this option using some combination of `RemoteCertificateValidationDelegate` and the ExtraStore property: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chainpolicy.extrastore?view=netstandard-2.0

(The property is available on net452, but on .NET Standard it requires 2.0.)

Additional reading:
https://github.com/dotnet/corefx/issues/25581
https://github.com/dotnet/corefx/issues/36606
https://en.programqa.com/question/7695438/



Comments
Comment by James Kovacs [ 09/Feb/22 ]

We delegate a lot of our TLS support to SslStream and the .NET BCL (or underlying OS) performs the TLS handshake. If a user requires an alternate root CA, they must implement their own SslSettings.RemoteCertificateValidationCallback. We can revisit this decision in the future should there be enough demand for full tlsCAFile support.
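One way to do what the description proposes (ExtraStore plus a validation callback) and what the comment above points users to, as an added example that is not driver code: a callback for SslSettings.ServerCertificateValidationCallback (the driver property that takes a .NET RemoteCertificateValidationCallback) that builds its own X509Chain with the CA file in ExtraStore and then pins the chain's top element to that file. The class name, hostname and CA path are placeholders, and the Import call assumes a DER or single-certificate PEM file.

```csharp
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

static class CustomCaValidation
{
    // Callback that accepts the server certificate only when it chains to a CA in caFile.
    // Uses the netstandard2.0 X509Chain surface (ExtraStore + AllowUnknownCertificateAuthority);
    // CustomTrustStore, which would make this simpler, exists only on .NET 5+.
    public static RemoteCertificateValidationCallback ForCaFile(string caFile)
    {
        var trustedCas = new X509Certificate2Collection();
        trustedCas.Import(caFile); // DER or single-cert PEM; multi-cert PEM bundles need .NET 5+ ImportFromPemFile
        return (sender, certificate, chain, sslPolicyErrors) =>
        {
            // A CA override cannot fix a hostname mismatch or a missing certificate.
            if (certificate == null ||
                (sslPolicyErrors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;

            using (var serverCert = new X509Certificate2(certificate))
            using (var customChain = new X509Chain())
            {
                customChain.ChainPolicy.ExtraStore.AddRange(trustedCas);
                // Suppress only "root not in the OS store"; expiry, bad signature and
                // usage errors still make Build() return false.
                customChain.ChainPolicy.VerificationFlags =
                    X509VerificationFlags.AllowUnknownCertificateAuthority;
                // Revocation is a deployment decision; mirror SslSettings.CheckCertificateRevocation.
                customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                if (!customChain.Build(serverCert)) return false;
                // AllowUnknownCertificateAuthority alone would accept ANY self-signed root,
                // so pin the chain's top element to the CA file. This check is what makes the flag safe.
                var top = customChain.ChainElements[customChain.ChainElements.Count - 1].Certificate;
                foreach (X509Certificate2 ca in trustedCas)
                    if (ca.Thumbprint == top.Thumbprint) return true;
                return false;
            }
        };
    }

    // Wiring into the driver; host and CA path are placeholders.
    public static MongoClient Connect()
    {
        var settings = MongoClientSettings.FromConnectionString("mongodb://db.example.internal:27017/?tls=true");
        settings.SslSettings = new SslSettings { ServerCertificateValidationCallback = ForCaFile("/etc/mongo/ca.pem") };
        return new MongoClient(settings);
    }
}
```

Without the thumbprint comparison at the end, AllowUnknownCertificateAuthority would let any self-signed chain through, which is the usual mistake when people first try this approach.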

Generated at Wed Feb 07 21:43:39 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.