[CSHARP-3564] .NET 5.0 on Linux fails to connect to MongoDB 4.0 Atlas Created: 09/Apr/21 Updated: 28/Oct/23 Resolved: 13/Jan/22
|
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Connectivity, Documentation |
| Affects Version/s: | None |
| Fix Version/s: | 2.15.0 |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | James Kovacs | Assignee: | James Kovacs |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | size-xsmall |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Case: | (copied to CRM) |
| Backwards Compatibility: | Fully Compatible |
| Description |
|
.NET 5.0 app running on Linux cannot connect to MongoDB 4.0 on Atlas. It fails with the following exception:
The same app running on .NET Core 3.1 can connect successfully to MongoDB 4.0 on Atlas. The same app running on .NET 5.0 can connect successfully to MongoDB 4.2 or later on Atlas.
| Comments |
| Comment by James Kovacs [ 01/Feb/22 ] |
|
This change will be included with 2.15.0.
| Comment by Githook User [ 01/Feb/22 ] |
|
Author: {'name': 'James Kovacs', 'email': 'jkovacs@post.harvard.edu', 'username': 'JamesKovacs'}
Message: Revert " This reverts commit 873fa6c13edfc745437566440738a6f24a14b6a8.
| Comment by Githook User [ 31/Jan/22 ] |
|
Author: {'name': 'James Kovacs', 'email': 'jkovacs@post.harvard.edu', 'username': 'JamesKovacs'}
Message:
| Comment by Githook User [ 13/Jan/22 ] |
|
Author: {'name': 'James Kovacs', 'email': 'jkovacs@post.harvard.edu', 'username': 'JamesKovacs'}
Message:
| Comment by James Kovacs [ 12/Apr/21 ] |
|
Re-opening and changing the task to document this behaviour in:
We should add a new section on troubleshooting TLS/SSL ciphers, especially the information on the changes Microsoft introduced in .NET 5.0.
| Comment by James Kovacs [ 09/Apr/21 ] |
|
The root cause of the problem is a cipher suite mismatch. MongoDB 4.0 running on Atlas only supports RSA ciphers for key exchange:
Whereas MongoDB 4.2+ running on Atlas also supports ECDHE ciphers for key exchange:
In .NET Core 3.1 and earlier, any cipher suite supported by OpenSSL could be used for key exchange including both RSA and ECDHE. In .NET 5.0, Microsoft hardened the default TLS configuration to only allow ECDHE ciphers for key exchange. If you explicitly configure OpenSSL to allow the RSA cipher for key exchange, .NET 5.0 will respect it, but it will not use it by default. You can find out more in Default TLS cipher suites for .NET on Linux.
Options:
1. Explicitly configure OpenSSL on your Linux app servers to allow RSA ciphers.
Note that simply upgrading your MongoDB 4.0 Atlas cluster will not necessarily reprovision your hosts and thus your upgraded cluster may still only be using RSA for key exchange. Please contact our Support Team if you require assistance with reprovisioning your Atlas cluster to support ECDHE.
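The mismatch described in the 09/Apr/21 comment can be reproduced offline with the local OpenSSL. The following Python example is added here and is not part of the ticket or the driver's code; it expands cipher strings through the standard `ssl` module and reports whether a client policy and a server policy share any suite. The cipher strings `kRSA` and `ECDHE` are assumed stand-ins for the Atlas and .NET lists, which the ticket does not reproduce, the function names are hypothetical, and the handshake is assumed to take place at TLS 1.2 or below.

```python
import ssl

# Assumed stand-ins (OpenSSL cipher strings) for the lists the ticket describes
# but does not reproduce: kRSA = RSA key exchange, ECDHE = ephemeral ECDH.
SERVER_RSA_ONLY = "kRSA"             # like MongoDB 4.0 on Atlas
SERVER_RSA_AND_ECDHE = "kRSA:ECDHE"  # like MongoDB 4.2+ on Atlas
CLIENT_ECDHE_ONLY = "ECDHE"          # like the .NET 5.0 default on Linux
CLIENT_WITH_RSA = "ECDHE:kRSA"       # like .NET 5.0 once OpenSSL allows RSA


def tls12_suites(cipher_string):
    """Expand a cipher string with the local OpenSSL into {suite name: key exchange}."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and always listed, so drop them:
    # this models a handshake at TLS 1.2 or below (an assumption of the example).
    return {c["name"]: c["kea"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"}


def shared_suites(client_string, server_string):
    """Suites both sides allow; an empty result means the handshake cannot succeed."""
    client = tls12_suites(client_string)
    server = tls12_suites(server_string)
    return {name: kx for name, kx in client.items() if name in server}


def diagnose(client_string, server_string):
    """Summarise the overlap by key-exchange type."""
    shared = shared_suites(client_string, server_string)
    if not shared:
        return "no shared cipher suite: handshake fails"
    return "shared key exchange: " + ", ".join(sorted(set(shared.values())))


if __name__ == "__main__":
    for label, client, server in [
        (".NET 5.0 default vs 4.0", CLIENT_ECDHE_ONLY, SERVER_RSA_ONLY),
        (".NET 5.0 default vs 4.2+", CLIENT_ECDHE_ONLY, SERVER_RSA_AND_ECDHE),
        (".NET 5.0 + RSA allowed vs 4.0", CLIENT_WITH_RSA, SERVER_RSA_ONLY),
    ]:
        print(f"{label}: {diagnose(client, server)}")
```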