SSL
The driver supports SSL connections to MongoDB servers using the underlying support for SSL provided by the .NET Framework. The driver takes a Network Stream
and wraps it with an SslStream
. You can configure the use of SSL with the connection string or with MongoClientSettings
.
Connection String
The connection string provides 2 options:
?ssl=true|false
You can turn on SSL using this option, or explicitly turn it off. The default isfalse
.?sslVerifyCertificate=true|false
You can turn off automatic certificate verification using this option. The default istrue
.warning
This option should not be set tofalse
in production. It is important that the server certificate is properly validated.
MongoClientSettings
MongoClientSettings
provides a much fuller and robust solution for configuring SSL. It contains the SslSettings
property which allows the setting of various values. Each of these values will map very strongly to their counterpart in the SslStream constructor
and the AuthenticateAsClient
method. For example, to authenticate with a client certificate called “client.pfx”:
var cert = new X509Certificate2("client.pfx", "mySuperSecretPassword");
var settings = new MongoClientSettings
{
SslSettings = new SslSettings
{
ClientCertificates = new[] { cert },
},
UseSsl = true
};
important
It is imperative that when loading a certificate with a password, the PrivateKey property not be null. If the property is null, it means that your certificate does not contain the private key and will not be passed to the server.Certificate Revocation Checking
The .NET Driver now disables certificate revocation checking by default, setting CheckCertificateRevocation
in SslSettings
to false
by default. Any applications relying on the older default of true
now must explicitly set CheckCertificateRevocation
to true
in SslSettings
to re-enable certificate revocation checking.
Prior to v2.7.0, the driver enabled certificate revocation checking by default, in contrast to the mongo
shell and other MongoDB drivers. This was also in contrast to .NET’s defaults for SslStream
(see .NET Framework documentation here and .NET Standard documentation here).
TLS support
Overview
OS | .NET Version | TLS1.1 | TLS1.2 | SNI | CRLs without OCSP |
---|---|---|---|---|---|
Windows | |||||
.NET Framework 4.5 | Yes | Yes | Yes | Yes | |
.NET Framework 4.6 | Yes | Yes | Yes | Yes | |
.NET Framework 4.7 | Yes | Yes | Yes | Yes | |
.NET Core 1.0 | Yes | Yes | Yes | Yes | |
.NET Core 1.1 | Yes | Yes | Yes | Yes | |
.NET Core 2.0 | Yes | Yes | Yes | Yes | |
.NET Core 2.1 | Yes | Yes | Yes | Yes | |
Linux | |||||
.NET Core 1.0 | Yes | Yes | No | Yes | |
.NET Core 1.1 | Yes | Yes | No | Yes | |
.NET Core 2.0 | Yes | Yes | No | Yes | |
.NET Core 2.1 | Yes | Yes | Yes | Yes | |
OSX | |||||
.NET Core 1.0 | Yes | Yes | No | Yes | |
.NET Core 1.1 | Yes | Yes | No | Yes | |
.NET Core 2.0 | Yes | Yes | Yes | No | |
.NET Core 2.1 | Yes | Yes | Yes | No |
Notes
- SNI (Server Name Indication) is required for Atlas free tier.
.NET Core on OSX will fail to connect if both of the following conditions are met: (1) certificate revocation checking is enabled, and (2) a server’s certificate includes Certificate Revocation List (CRL) Distribution Points but does not include an Online Certificate Status Protocol (OCSP) extension.
- This is due to a limitation of the Apple Security Framework (see https://github.com/dotnet/corefx/issues/29064). Prior to version 2.0, .NET Core on OSX used OpenSSL, which does support CRLs without OCSP.
- Connecting to Atlas on OSX with certificate revocation checking enabled will succeed since Atlas certificates include CRL Distribution Points as well as an OCSP extension.
Support for TLS v1.1 and newer
Industry best practices recommend, and some regulations require, the use of TLS 1.1 or newer. No application changes are required for the driver to make use of the newest TLS protocols.