CSHARP-2279: Disable certificate revocation checking by default

Author: vincentkam

Release Notes/Release Notes v2.7.0.md

@@ -5,18 +5,18 @@
 
 An online version of these release notes is available at:
 
-https://github.com/mongodb/mongo-csharp-driver/blob/master/Release%20Notes/Release%20Notes%20v2.7.0.md
+<https://github.com/mongodb/mongo-csharp-driver/blob/master/Release%20Notes/Release%20Notes%20v2.7.0.md>
 
 The full list of JIRA issues that are currently scheduled to be resolved in this release is available at:
 
-https://jira.mongodb.org/issues/?jql=project%20%3D%20CSHARP%20AND%20fixVersion%20%3D%202.7.0%20ORDER%20BY%20key%20ASC
+<https://jira.mongodb.org/issues/?jql=project%20%3D%20CSHARP%20AND%20fixVersion%20%3D%202.7.0%20ORDER%20BY%20key%20ASC>
 
 The list may change as we approach the release date.
 
 Documentation on the .NET driver can be found at:
 
-http://mongodb.github.io/mongo-csharp-driver/
+<http://mongodb.github.io/mongo-csharp-driver/>
 
-Upgrading
-
-There are no known backwards breaking changes in this release.
+## Upgrading
+* The .NET Driver now **disables** certificate revocation checking by default, setting `CheckCertificateRevocation` in `SslSettings` to `false` by default. Any applications relying on the older default of `true` now must explicitly set `CheckCertificateRevocation` to `true` in in `SslSettings` to re-enable certificate revocation checking.
+ * Previously, the driver enabled certificate revocation checking by default, in contrast to the `mongo` shell and other MongoDB drivers. This was also in contrast to .NET's defaults for `SslStream` (see .NET Framework documentation [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_) and .NET Standard documentation [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-2.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)).

src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs

@@ -50,7 +50,7 @@ public SslStreamSettings(
             Optional<SslProtocols> enabledProtocols = default(Optional<SslProtocols>),
             Optional<RemoteCertificateValidationCallback> serverCertificateValidationCallback = default(Optional<RemoteCertificateValidationCallback>))
         {
-            _checkCertificateRevocation = checkCertificateRevocation.WithDefault(true);
+            _checkCertificateRevocation = checkCertificateRevocation.WithDefault(false);
             _clientCertificates = Ensure.IsNotNull(clientCertificates.WithDefault(Enumerable.Empty<X509Certificate>()), "clientCertificates").ToList();
             _clientCertificateSelectionCallback = clientCertificateSelectionCallback.WithDefault(null);
             _enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);

src/MongoDB.Driver/SslSettings.cs

@@ -34,7 +34,7 @@ public class SslSettings : IEquatable<SslSettings>
         private static readonly IEqualityComparer<X509CertificateCollection> __certificateCollectionEqualityComparer = new X509CertificateCollectionEqualityComparer();
 
         // private fields
-        private bool _checkCertificateRevocation = true;
+        private bool _checkCertificateRevocation = false;
         private X509CertificateCollection _clientCertificateCollection;
         private LocalCertificateSelectionCallback _clientCertificateSelectionCallback;
         private SslProtocols _enabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;

tests/MongoDB.Driver.Core.Tests/Core/Configuration/SslStreamSettingsTests.cs

@@ -31,7 +31,7 @@ public void constructor_should_initialize_instance()
         {
             var subject = new SslStreamSettings();
 
-            subject.CheckCertificateRevocation.Should().BeTrue();
+            subject.CheckCertificateRevocation.Should().BeFalse();
             subject.ClientCertificates.Should().BeEmpty();
             subject.ClientCertificateSelectionCallback.Should().BeNull();
             subject.EnabledSslProtocols.Should().Be(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);

tests/MongoDB.Driver.Tests/SslSettingsTests.cs

@@ -50,7 +50,7 @@ private bool ServerCertificateValidationCallback(
         public void TestCheckCertificateRevocation()
         {
             var settings = new SslSettings();
-            Assert.Equal(true, settings.CheckCertificateRevocation);
+            Assert.Equal(false, settings.CheckCertificateRevocation);
 
             var checkCertificateRevocation = !settings.CheckCertificateRevocation;
             settings.CheckCertificateRevocation = checkCertificateRevocation;
@@ -115,7 +115,7 @@ public void TestClone()
         public void TestDefaults()
         {
             var settings = new SslSettings();
-            Assert.Equal(true, settings.CheckCertificateRevocation);
+            Assert.Equal(false, settings.CheckCertificateRevocation);
             Assert.Equal(null, settings.ClientCertificates);
             Assert.Equal(null, settings.ClientCertificateSelectionCallback);
             Assert.Equal(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, settings.EnabledSslProtocols);