You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: Docs/reference/content/reference/driver/ssl.md
+33Lines changed: 33 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -135,3 +135,36 @@ the connection to continue (i.e. soft-fail).
135
135
136
136
Industry best practices recommend, and some regulations require, the use of TLS 1.1 or newer. No application changes are required
137
137
for the driver to make use of the newest TLS protocols.
138
+
139
+
### Potential TLS Connection Issue with .NET 5 and later on Linux
140
+
141
+
If you try to connect to an Atlas cluster running MongoDB 4.0 (or earlier)
142
+
using a .NET 5 (or later) application on Linux, you may receive an error
143
+
message similar to the following:
144
+
145
+
```text
146
+
Unhandled exception. System.TimeoutException: A timeout occurred after 30000ms selecting a server using CompositeServerSelector{ Selectors = MongoDB.Driver.MongoClient+AreSessionsSupportedServerSelector, LatencyLimitingServerSelector{ AllowedLatencyRange = 00:00:00.0150000 } }. Client view of cluster state is { ClusterId : "1", ConnectionMode : "ReplicaSet", Type : "ReplicaSet", State : "Disconnected", Servers : [{ ServerId: "{ ClusterId : 1, EndPoint : "Unspecified/mongodb40tlstest-shard-00-00.ebdql.mongodb.net:27017" }", EndPoint: "Unspecified/mongodb40tlstest-shard-00-00.ebdql.mongodb.net:27017", ReasonChanged: "Heartbeat", State: "Disconnected", ServerVersion: , TopologyVersion: , Type: "Unknown", HeartbeatException: "MongoDB.Driver.MongoConnectionException: An exception occurred while opening a connection to the server.
147
+
---> System.IO.IOException: Received an unexpected EOF or 0 bytes from the transport stream.
148
+
... stack trace ...
149
+
```
150
+
151
+
The root cause of this problem is a TLS cipher suite mismatch.
152
+
153
+
Atlas clusters running MongoDB 4.0 and earlier only support RSA ciphers.
154
+
Atlas clusters running MongoDB 4.2 and later support both RSA and ECDHE ciphers.
155
+
156
+
On Linux, .NET Core 3.1 and earlier use any cipher suite supported by OpenSSL
157
+
for key exchange including RSA and ECDHE ciphers. Starting in .NET 5,
158
+
Microsoft hardended the default TLS configuration to only allow ECDHE ciphers
159
+
for key exchange. If you explicitly configure OpenSSL to allow the RSA cipher
160
+
for key exchange, .NET 5.0 will respect it, but it will not use it by default.
161
+
You can find out more in [Default TLS cipher suites for .NET on Linux](https://docs.microsoft.com/en-us/dotnet/core/compatibility/cryptography/5.0/default-cipher-suites-for-tls-on-linux).
162
+
163
+
A .NET 5 (or later) application on Linux will only support ECDHE ciphers
164
+
by default, but a MongoDB 4.0 (or earlier) Atlas cluster will only
165
+
support RSA ciphers. The client and server were unable to negotiate a
166
+
common cipher for key exchange, which results in the TLS handshake
167
+
failing and the above EOF error message being returned.
168
+
169
+
To resolve this issue, either connect to a MongoDB 4.2 (or later) Atlas cluster (recommended)
170
+
or configure .NET 5 (or later) to allow RSA ciphers (not recommended).
0 commit comments