[CSHARP-3692] Backport disabling of certificate revocation checking by default Created: 27/May/21  Updated: 28/May/21  Resolved: 28/May/21

Status: Closed
Project: C# Driver
Component/s: Configuration, Security
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Unknown
Reporter: Jeffrey Yemin Assignee: Rachelle Palmer
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

It's a continuing problem for users that older driver releases enable certificate revocation checking by default.

This ticket is intended to track the work to backport the change made in the 2.7.0 release in scope of CSHARP-2279 to earlier releases of the driver.

While it's unusual to change defaults like this in a patch release, especially around security, in practice this might be the least of evils, as it's causing continuing pain whenever LetsEncrypt has an outage. As of today, LetsEncrypt has had 21 service disruptions YTD.

One open question is how many releases to backport the change to. The setting, defaulting to true, was introduced all the way back in the 1.8 release (9 years ago).



 Comments   
Comment by Rachelle Palmer [ 28/May/21 ]

We have decided not to fix this issue by making it available in older versions of the driver, as there is a fairly trivial workaround outlined below. However, to avoid any impact on application availability, we encourage all users to upgrade their MongoDB .NET driver to version 2.7 or newer when possible.

If you cannot upgrade to the .NET driver version 2.7 or later, the same behavior can be achieved with the instructions below:

For .NET driver versions >=1.8 but < 2.0, the fix looks like this:

using System.Security.Authentication;
using MongoDB.Driver;

var connectionString = "mongodb://localhost";  // replace localhost with the Atlas cluster connection string
var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
settings.SslSettings = new SslSettings();
settings.SslSettings.CheckCertificateRevocation = false;  // skip the OCSP/CRL lookup; note that a revoked server certificate is then accepted
settings.SslSettings.EnabledSslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12;  // TLS 1.1 is deprecated (RFC 8996); keep only Tls12 if the server supports it
var client = new MongoClient(settings);

For .NET driver versions 2.0 through 2.6.1, the fix looks like this:

using MongoDB.Driver;

var settings = MongoClientSettings.FromConnectionString("mongodb://localhost");  // replace localhost with the Atlas cluster connection string
settings.SslSettings = new SslSettings();
settings.SslSettings.CheckCertificateRevocation = false;  // skip the OCSP/CRL lookup; note that a revoked server certificate is then accepted
var client = new MongoClient(settings);

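The workaround above trades availability for a blind spot: with CheckCertificateRevocation = false the driver never learns that a server certificate was revoked. A middle ground, shown here as an added example that is not part of the ticket or the driver's own code, is to keep revocation checking but soft-fail it: let the driver skip its hard-failing check, then re-validate the chain in a ServerCertificateValidationCallback with a policy that tolerates an unreachable OCSP/CRL responder while still rejecting a certificate the responder (or a cached CRL) reports as revoked. It assumes the 2.x driver API (MongoClientSettings.FromConnectionString, SslSettings.ServerCertificateValidationCallback); the class name SoftFailRevocation and the method names are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Added example, not driver code: keep revocation checking but soft-fail on responder outages.
public static class SoftFailRevocation
{
    public static MongoClient CreateClient(string connectionString)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.SslSettings = new SslSettings
        {
            // Stop SslStream from hard-failing when the CA's OCSP/CRL endpoint is down...
            CheckCertificateRevocation = false,
            // ...and re-run the revocation check ourselves with a more tolerant policy.
            ServerCertificateValidationCallback = ValidateServerCertificate
        };
        return new MongoClient(settings);
    }

    private static bool ValidateServerCertificate(object sender, X509Certificate certificate,
        X509Chain chain, SslPolicyErrors sslPolicyErrors)
    {
        // Everything SslStream already rejected (no certificate, hostname mismatch,
        // untrusted chain) stays rejected; only the revocation part is relaxed.
        if (certificate == null || sslPolicyErrors != SslPolicyErrors.None)
            return false;

        var leaf = certificate as X509Certificate2 ?? new X509Certificate2(certificate);
        var check = new X509Chain();
        check.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        check.ChainPolicy.RevocationFlag = X509RevocationFlag.ExcludeRoot;
        check.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(5);
        // Soft-fail: "could not determine revocation status" is tolerated, but a
        // definite "Revoked" answer still fails the connection.
        check.ChainPolicy.VerificationFlags =
            X509VerificationFlags.IgnoreCertificateAuthorityRevocationUnknown |
            X509VerificationFlags.IgnoreEndRevocationUnknown;

        if (!check.Build(leaf))
            return false;  // any remaining chain error (expired, untrusted, revoked) fails closed

        foreach (var status in check.ChainStatus)
        {
            if ((status.Status & X509ChainStatusFlags.Revoked) != 0)
                return false;  // belt and braces: never admit a known-revoked certificate

            var unknown = X509ChainStatusFlags.RevocationStatusUnknown | X509ChainStatusFlags.OfflineRevocation;
            if ((status.Status & unknown) != 0)
                Console.Error.WriteLine("TLS: revocation status unknown (responder down?): " + status.StatusInformation);
        }
        return true;
    }
}
```

Two caveats. First, a ServerCertificateValidationCallback replaces SslStream's verdict entirely, so the early `sslPolicyErrors != None` return is what preserves hostname and trust checks; do not return true unconditionally. Second, whether the online check actually fetches OCSP/CRL data depends on the platform's chain engine (older .NET Core builds on Linux could not), so test the "responder down" and "certificate revoked" paths in your own environment rather than assuming them. For 1.x drivers the same callback is set after MongoClientSettings.FromUrl, as in the first snippet above.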
Generated at Wed Feb 07 21:46:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.