[CSHARP-4862] Enable TLS1.3 Support Created: 04/Dec/23 Updated: 11/Jan/24 Resolved: 11/Jan/24 |
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Security |
| Affects Version/s: | None |
| Fix Version/s: | 2.24.0 |
| Type: | New Feature | Priority: | Unknown |
| Reporter: | James Kovacs | Assignee: | James Kovacs |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Documentation Changes: | Not Needed |
| Documentation Changes Summary: | 1. What would you like to communicate to the user about this feature? |
| Description |
The SslStreamFactory uses SslStreamSettings to enable TLS1.2, 1.1, and 1.0 by default:
It notably does not enable TLS1.3 support, because TLS1.3 support was added in .NET 5. (It is available in netcoreapp3.1 but not in netstandard2.1.) We need to add support for .NET 5 and enable TLS1.3 by default. We should also stop enabling TLS1.0 and 1.1 by default, as they have known vulnerabilities. Another possibility is to use SslProtocols.None, which lets the operating system choose the best protocol and block protocols that are not secure; Microsoft recommends this setting unless your app has a specific reason not to use it. We should weigh the pros and cons of explicitly enabling protocols versus deferring to the operating system. Current users of the driver can opt into TLS1.3 via:
| Comments |
| Comment by James Kovacs [ 12/Dec/23 ] |
I was able to opt into TLS1.3 by adding (SslProtocols)12288 to the flags value for the enabled protocols. We cannot use SslProtocols.Tls13 directly because it isn't available until the net5.0 TFM. This should be available in the next release of the driver. Until such time, the driver can be configured externally to use TLS1.3 as demonstrated in the ticket description.
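The external opt-in described in the comment above, written out as an added example (not code from the ticket or from the driver itself). It uses the driver's public MongoClientSettings / SslSettings.EnabledSslProtocols API and casts the numeric Tls13 value on TFMs that lack the enum member; the connection string is a placeholder.

```csharp
using System;
using System.Security.Authentication;
using MongoDB.Driver;

public static class TlsConfig
{
    // SslProtocols.Tls13 exists only from net5.0; on older TFMs the enum's
    // numeric value (0x3000) is cast, as described in the ticket comment.
    public const SslProtocols Tls13 = (SslProtocols)12288;

    // Explicit allow-list: TLS 1.2 and 1.3 only; TLS 1.0/1.1 are left out.
    // The peer still needs OS-level TLS 1.3 support, otherwise 1.2 is used.
    public static MongoClientSettings ExplicitTls12And13(string connectionString)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            EnabledSslProtocols = SslProtocols.Tls12 | Tls13,
        };
        return settings;
    }

    // Alternative from the description: defer protocol selection to the OS
    // (SslProtocols.None), so disabled/insecure versions are blocked by policy.
    public static MongoClientSettings OsDefaults(string connectionString)
    {
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.UseTls = true;
        settings.SslSettings = new SslSettings { EnabledSslProtocols = SslProtocols.None };
        return settings;
    }

    public static void Main()
    {
        // Placeholder URI; substitute the real cluster address.
        var client = new MongoClient(ExplicitTls12And13("mongodb://localhost:27017"));
        Console.WriteLine(client.Settings.SslSettings.EnabledSslProtocols);
    }
}
```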
| Comment by Diana Annie Jenosh [ 11/Dec/23 ] |
Hi James, do we have any timelines/high-level roadmap as to when TLS 1.3 support will be added to the MongoDB .NET driver? This is for the Microsoft team who are building the MongoDB connector in Azure Data Factory/Microsoft Fabric. Not having TLS 1.3 support is a security issue per them. Thanks in advance! Regards, Diana