[CSHARP-4862] Enable TLS1.3 Support Created: 04/Dec/23  Updated: 11/Jan/24  Resolved: 11/Jan/24

Status: Closed
Project: C# Driver
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.24.0

Type: New Feature Priority: Unknown
Reporter: James Kovacs Assignee: James Kovacs
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Documentation Changes: Not Needed
Documentation Changes Summary:

1. What would you like to communicate to the user about this feature?
2. Would you like the user to see examples of the syntax and/or executable code and its output?
3. Which versions of the driver/connector does this apply to?


Description

The SslStreamFactory uses SslStreamSettings to enable TLS1.2, 1.1, and 1.0 by default:

_enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);

It notably does not enable TLS1.3, because TLS1.3 support was added in .NET 5 (it is available in netcoreapp3.1 but not netstandard2.1). We need to add support for .NET 5 and enable TLS1.3 by default. We should also stop enabling TLS1.0 and 1.1 by default, as both have known vulnerabilities.

Another possibility is to use SslProtocols.None, which allows the operating system to choose the best protocol to use and to block protocols that are not secure. Microsoft recommends this setting unless your app has a specific reason not to. We should consider the pros and cons of explicitly enabling protocols versus deferring to the operating system.

Current users of the driver can already opt into TLS1.3 via:

using System.Security.Authentication;   // SslProtocols (Tls13 requires a net5.0 or newer TFM)
using MongoDB.Driver;

const string MONGODB_URI = "<<YOUR CONNECTION STRING>>";
var settings = MongoClientSettings.FromConnectionString(MONGODB_URI);
// Override the driver default (TLS1.2/1.1/1.0) so only TLS1.3 is offered to the server.
settings.SslSettings.EnabledSslProtocols = SslProtocols.Tls13;
var client = new MongoClient(settings);
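The following C# is an added illustration, not code from this ticket or from the driver. It shows the legacy default the description quotes, a TLS1.2/1.3-only default that compiles whether or not the target framework defines SslProtocols.Tls13 (falling back to the numeric value 12288, i.e. 0x3000, that the comments below mention), and a check that lists deprecated protocol versions present in a configured SslProtocols value. The class TlsProtocolPolicy and its method names are hypothetical; the snippet depends only on System.Security.Authentication, not on the driver.

```csharp
// Added example (not from the ticket or the driver). Assumes an SDK that defines
// the NET5_0_OR_GREATER preprocessor symbol (SDK 5.0.200 or newer).
using System;
using System.Collections.Generic;
using System.Security.Authentication;

static class TlsProtocolPolicy
{
    // Numeric value of SslProtocols.Tls13 (0x3000 == 12288). The named member does not
    // exist on netstandard2.x, so the cast is the only way to request TLS1.3 there.
    const SslProtocols Tls13Value = (SslProtocols)12288;

    // Default the ticket says the driver shipped before the change.
    public static readonly SslProtocols LegacyDefault =
        SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;

    // Proposed default: TLS1.2 and TLS1.3 only, built with the named member where available.
    public static readonly SslProtocols ProposedDefault =
#if NET5_0_OR_GREATER
        SslProtocols.Tls12 | SslProtocols.Tls13;
#else
        SslProtocols.Tls12 | Tls13Value;
#endif

    // Lists deprecated versions contained in a flags value. SslProtocols.None returns an
    // empty list because the choice is deferred to the operating system's TLS policy;
    // a flags check cannot see which versions the OS will actually allow.
    public static IReadOnlyList<string> WeakProtocolsIn(SslProtocols enabled)
    {
        var weak = new List<string>();
        if ((enabled & (SslProtocols)12) != 0) weak.Add("SSL 2.0");  // SslProtocols.Ssl2
        if ((enabled & (SslProtocols)48) != 0) weak.Add("SSL 3.0");  // SslProtocols.Ssl3
        if ((enabled & SslProtocols.Tls) != 0) weak.Add("TLS 1.0");
        if ((enabled & SslProtocols.Tls11) != 0) weak.Add("TLS 1.1");
        return weak;
    }

    // Confirms that the numeric fallback really is the Tls13 member. On a TFM without the
    // member, Enum.IsDefined reflects the *runtime's* enum (true on .NET 5+, false on
    // .NET Framework), so the result depends on where the binary runs, not where it was built.
    public static bool NumericCastMatchesNamedMember()
    {
#if NET5_0_OR_GREATER
        return Tls13Value == SslProtocols.Tls13;
#else
        return Enum.IsDefined(typeof(SslProtocols), Tls13Value);
#endif
    }

    static void Main()
    {
        Console.WriteLine($"Legacy default   [{LegacyDefault}] weak: {string.Join(", ", WeakProtocolsIn(LegacyDefault))}");
        Console.WriteLine($"Proposed default [{ProposedDefault}] weak: {string.Join(", ", WeakProtocolsIn(ProposedDefault))}");
        Console.WriteLine($"OS default (None) weak: {string.Join(", ", WeakProtocolsIn(SslProtocols.None))}");
        Console.WriteLine($"Tls13 numeric cast matches named member: {NumericCastMatchesNamedMember()}");
    }
}
```

Either ProposedDefault or SslProtocols.None can be assigned to settings.SslSettings.EnabledSslProtocols exactly as the opt-in snippet above does; WeakProtocolsIn is the kind of check a reviewer can run over whatever value a deployment ends up configuring.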



Comments
Comment by James Kovacs [ 12/Dec/23 ]

I was able to opt into TLS1.3 by adding (SslProtocols)12288 to the flags value for the enabled protocols. We cannot use SslProtocols.Tls13 directly because it isn't available until the net5.0 TFM. This should be available in the next release of the driver. Until such time, the driver can be configured externally to use TLS1.3 as demonstrated in the ticket description.

Comment by Diana Annie Jenosh [ 11/Dec/23 ]

Hi James,

Do we have any timelines/high-level roadmap as to when TLS 1.3 support will be added to the MongoDB .NET driver? This is for the Microsoft team who are building the MongoDB connector in Azure Data Factory/Microsoft Fabric. Not having TLS 1.3 support is a security issue per them.

Thanks in advance!

Regards,

Diana

Generated at Wed Feb 07 21:49:36 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.