-
Notifications
You must be signed in to change notification settings - Fork 24
/
Copy pathtls.txt
245 lines (170 loc) · 8.39 KB
/
tls.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
.. _csharp-tls:
==========================
Enable TLS on a Connection
==========================
.. meta::
:description: Learn how to enable TLS/SSL for MongoDB connections using .NET/C# Driver, configure client certificates, and manage secure and insecure TLS settings.
.. contents:: On this page
:local:
:backlinks: none
:depth: 2
:class: singlecol
Overview
--------
In this guide, you can learn how to connect to MongoDB instances with the
:wikipedia:`TLS/SSL <Transport_Layer_Security>`
security protocol using the underlying TLS/SSL support in the {+framework+}. To
configure your connection to use TLS/SSL, enable the TLS/SSL settings in either
the :ref:`connection string <csharp-connection-uri>` or
:ref:`MongoClientSettings <csharp-mongo-client-settings>`.
.. important:: TLS 1.2
The {+driver-short+} supports only TLS 1.2 or higher.
.. _csharp-tls-enable:
Enable TLS
----------
By default, TLS is disabled when connecting to MongoDB instances. You can enable TLS
for the connection to your MongoDB instance in two different ways: using a property
on a ``MongoClientSettings`` object or through a parameter in your connection string.
.. note::
If you connect by using the DNS seedlist protocol, the driver enables
TLS/SSL by default. To disable it, set the ``tls`` or ``ssl`` parameter value to
``false`` in your connection string or ``MongoClientSettings`` instance.
To learn more about connection behavior when you use a DNS seedlist,
see the :manual:`SRV Connection Format </reference/connection-string/#srv-connection-format>`
section in the Server manual.
.. tabs::
.. tab:: MongoClientSettings
:tabid: mongoclientsettings
To enable TLS with a ``MongoClientSettings`` object, set the ``UseTls`` property
to ``true``:
.. code-block:: csharp
var settings = new MongoClientSettings { UseTls = true };
var client = new MongoClient(settings);
.. tab:: Connection String
:tabid: connectionstring
To enable TLS with a connection string, assign the
parameter ``tls`` a value of ``true`` in the connection string passed to the
``MongoClient`` constructor:
.. code-block:: csharp
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>:<port>?tls=true");
Configure a Client Certificate
------------------------------
You can configure your X.509 certificate using ``MongoClientSettings``. The following
code sample creates a new X.509 certificate object using the certificate file named
``client.p12``, which is protected by the password ``mySuperSecretPassword``. The code
then adds this certificate to the ``SslSettings.ClientCertificates`` array in
``MongoClientSettings``.
.. code-block:: csharp
var cert = new X509Certificate2("client.p12", "mySuperSecretPassword");
var settings = new MongoClientSettings
{
SslSettings = new SslSettings
{
ClientCertificates = new[] { cert }
},
UseTls = true
};
.. important::
When loading a certificate with a password, the certificate object must contain a private
key. If it doesn't, your certificate will not be passed to the server.
Allow Insecure TLS
------------------
When TLS is enabled, the {+driver-short+} automatically verifies the certificate that
the server presents. When testing your code, you can disable certificate verification.
This is known as *insecure TLS.*
When using insecure TLS, the only requirement is that the server present an X.509
certificate. The driver will accept a certificate even if any of the following are true:
- The hostname of the server and the subject name (or subject alternative name)
on the certificate don't match.
- The certificate is expired or not yet valid.
- The certificate doesn't have a trusted root certificate in the chain.
- The certificate purpose isn't valid for server identification.
You can allow insecure TLS in two different ways: using a property on a
``MongoClientSettings`` object or through a parameter in your connection string.
.. tabs::
.. tab:: MongoClientSettings
:tabid: mongoclientsettings
To allow insecure TLS with a ``MongoClientSettings``
object, set the ``AllowInsecureTls`` property to ``true``:
.. code-block:: csharp
:emphasize-lines: 4
var settings = new MongoClientSettings
{
UseTls = true,
AllowInsecureTls = true
};
var client = new MongoClient(settings);
.. tab:: Connection String
:tabid: connectionstring
To allow insecure TLS using a connection string,
assign the connection string parameter ``tlsInsecure`` a value of ``true``:
.. code-block:: csharp
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>:<port>?tls=true&tlsInsecure=true");
.. warning::
Always set this option to ``false`` in production. For security reasons, it's
important that the server certificate is properly validated.
.. _tls_configure-certificates:
Check Certificate Revocation
----------------------------
When an X.509 certificate should no longer be trusted--for example, if its private key
has been compromised--the certificate authority will revoke the certificate.
By default, the {+driver-short+} doesn't check whether a server's certificate has been
revoked before it connects. You can enable revocation checking using either
``MongoClientSettings`` or the connection string.
.. tabs::
.. tab:: MongoClientSettings
:tabid: mongoclientsettings
To enable revocation checking using ``MongoClientSettings``, set
``SslSettings.CheckCertificateRevocation`` to ``true``:
.. code-block:: csharp
:emphasize-lines: 5
var settings = new MongoClientSettings
{
SslSettings = new SslSettings
{
CheckCertificateRevocation = true
},
UseTls = true
};
.. tab:: Connection String
:tabid: connectionstring
To enable revocation checking using a connection string,
assign the connection string parameter ``tlsDisableCertificateRevocationCheck``
a value of ``false``:
.. code-block:: csharp
var mongoClient = new MongoClient("mongodb://<db_username>:<db_password>@<hostname>:<port>?tls=true&tlsDisableCertificateRevocationCheck=false");
.. note::
The {+driver-short+} doesn't check revocation by default because this is the default
behavior of the ``SslStream`` class in both the
`{+framework+} <https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-{+framework-version+}#System_Net_Security_SslStream_AuthenticateAsClient_System_String_>`__
and the `.NET standard. <https://learn.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-{+standard-version+}#System_Net_Security_SslStream_AuthenticateAsClient_System_String_>`__
Revocation Checking by Operating System
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The {+driver-short+} supports the following revocation-checking mechanisms differently on
Windows, macOS, and Linux:
- :wikipedia:`Online Certificate Status Protocol (OCSP) <Online_Certificate_Status_Protocol>`,
a common mechanism for checking revocation
- :wikipedia:`OCSP stapling <OCSP_stapling>`, a mechanism in which the server
includes a time-stamped OCSP response to the client along with the certificate
- :wikipedia:`Certificate revocation lists (CRLs), <Certificate_revocation_list>`,
an alternative to OCSP
Windows
```````
On Windows, the {+driver-short+} supports OCSP, OCSP stapling, and CRLs without OCSP,
in both the .NET Framework and .NET Core.
.. warning::
On Windows, the {+driver-short+} will report a "hard fail" and cancel the TLS
handshake if the OCSP responder is unavailable. Other operating systems and drivers
will report a "soft fail" and continue connecting.
macOS
`````
On macOS, the {+driver-short+} supports OCSP and OCSP stapling.
Beginning with .NET Core 2.0, the driver does **not** support CRLs without OCSP.
Linux
`````
On Linux, the {+driver-short+} supports OCSP, OCSP stapling, and CRLs without OCSP.
API Documentation
-----------------
To learn more about any of the connection options discussed in this
guide, see the following API documentation:
- `MongoClientSettings <{+new-api-root+}/MongoDB.Driver/MongoDB.Driver.MongoClientSettings.html>`__