[CSHARP-2830] Investigate whether the driver can support the tlsCAFile option Created: 31/Oct/19 Updated: 09/Feb/22 Resolved: 09/Feb/22 |
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Configuration, Security |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Vincent Kam (Inactive) | Assignee: | Unassigned |
| Resolution: | Won't Fix | Votes: | 1 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
According to the URI options spec (https://github.com/mongodb/specifications/blob/master/source/uri-options/uri-options.rst), the tlsCAFile option is "required if the driver's language/runtime allows non-global configuration." The driver may be able to support this option using some combination of `RemoteCertificateValidationDelegate` and the ExtraStore property: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509chainpolicy.extrastore?view=netstandard-2.0 (The property is available on net452, but on .NET Standard requires 2.0.)

Additional reading:
| Comments |
| Comment by James Kovacs [ 09/Feb/22 ] |
We delegate a lot of our TLS support to SslStream and the .NET BCL (or underlying OS) performs the TLS handshake. If a user requires an alternate root CA, they must implement their own SslSettings.RemoteCertificateValidationCallback. We can revisit this decision in the future should there be enough demand for full tlsCAFile support.
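The approach sketched in the description (ExtraStore plus a validation callback) and the workaround named in the comment (a user-supplied callback on SslSettings) both come down to the same piece of code. The following is an added example, not driver code: a callback that accepts a server certificate only when it chains to the single CA certificate in a given file, which is what tlsCAFile means. It assumes .NET Framework 4.6+ or .NET Core (X509Chain is IDisposable), that the CA file holds one DER- or PEM-encoded certificate, and that the driver's SslSettings.ServerCertificateValidationCallback property is the hook used; connection string and path values are placeholders.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

public static class TlsCaFileValidation
{
    // Builds a callback that trusts only the CA in caFile, regardless of the OS trust store.
    // Hostname mismatch is still rejected; only the trust-anchor decision is replaced.
    public static RemoteCertificateValidationCallback ForCaFile(string caFile)
    {
        var ca = new X509Certificate2(caFile); // assumption: one DER or PEM certificate in the file

        return (sender, certificate, chain, errors) =>
        {
            // Fail closed on anything the chain re-check below cannot repair.
            if (certificate == null ||
                (errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0 ||
                (errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
                return false;

            using (var custom = new X509Chain())
            {
                // ExtraStore only supplies candidates for chain building; it confers no trust,
                // so a chain ending at our CA reports UntrustedRoot. Allow exactly that status
                // and then confirm the root really is our CA.
                custom.ChainPolicy.ExtraStore.Add(ca);
                if (chain != null)
                    foreach (X509ChainElement e in chain.ChainElements)
                        custom.ChainPolicy.ExtraStore.Add(e.Certificate); // intermediates sent by the server
                custom.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
                custom.ChainPolicy.RevocationMode = X509RevocationMode.Online; // fails closed if the CA publishes no CRL/OCSP

                if (!custom.Build(new X509Certificate2(certificate)))
                    return false;
                if (custom.ChainStatus.Any(s => s.Status != X509ChainStatusFlags.NoError &&
                                                s.Status != X509ChainStatusFlags.UntrustedRoot))
                    return false;

                // A chain that ends at some other (even OS-trusted) root is rejected.
                var root = custom.ChainElements[custom.ChainElements.Count - 1].Certificate;
                return root.RawData.SequenceEqual(ca.RawData);
            }
        };
    }

    // Driver wiring: the driver passes this callback to SslStream for every connection.
    public static MongoClient ClientWithCaFile(string connectionString, string caFile)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.SslSettings = new SslSettings { ServerCertificateValidationCallback = ForCaFile(caFile) };
        return new MongoClient(settings);
    }
}
```

Usage: `TlsCaFileValidation.ClientWithCaFile("mongodb://db.example.internal:27017/?tls=true", "/etc/ssl/private-ca.pem")` (placeholder host and path). On .NET 5 and later, X509ChainPolicy.TrustMode = CustomRootTrust with CustomTrustStore expresses the same intent without the UntrustedRoot allowance.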