mongodb
diff --git a/‎Docs/reference/content/reference/driver/ssl.md
Lines changed: 60 additions & 8 deletions b/‎Docs/reference/content/reference/driver/ssl.md
Lines changed: 60 additions & 8 deletions
diff --git a/‎Docs/reference/content/upgrading.md
Lines changed: 12 additions & 1 deletion b/‎Docs/reference/content/upgrading.md
Lines changed: 12 additions & 1 deletion
diff --git a/‎build.cake
Lines changed: 27 additions & 7 deletions b/‎build.cake
Lines changed: 27 additions & 7 deletions
diff --git a/‎evergreen/add-certs.sh
Lines changed: 7 additions & 0 deletions b/‎evergreen/add-certs.sh
Lines changed: 7 additions & 0 deletions
@@ -43,14 +43,66 @@ var settings = new MongoClientSettings
 {{% note class="important" %}}It is imperative that when loading a certificate with a password, the [PrivateKey]({{< msdnref "system.security.cryptography.x509certificates.x509certificate2.privatekey" >}}) property not be null. If the property is null, it means that your certificate does not contain the private key and will not be passed to the server.{{% /note %}}
 
 ### Certificate Revocation Checking
-The .NET Driver now **disables** certificate revocation checking by default, setting [`CheckCertificateRevocation`]({{< apiref "P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" >}}) to `false` by default. Any applications relying on the older default of `true` now must explicitly set [`CheckCertificateRevocation`]({{< apiref "P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) to `true` in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" >}}) to re-enable certificate revocation checking.
 
-Prior to v2.7.0, the driver enabled certificate revocation checking by default, in contrast to the `mongo` shell and other MongoDB drivers. This was also in contrast to .NET's defaults for `SslStream` (see .NET Framework documentation [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_) and .NET Standard documentation [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-2.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)).
+#### Default behavior
+The .NET Driver now **enables** certificate revocation checking by
+default, setting [`CheckCertificateRevocation`]({{< apiref
+"P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) in
+[`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" >}}) to
+`true` by default. This is in contrast to .NET's defaults for
+`SslStream` (see .NET Framework documentation
+[here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)
+and .NET Standard documentation
+[here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-2.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)).
+Any applications relying on the older default of `false` now must
+explicitly set [`CheckCertificateRevocation`]({{< apiref
+"P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) to
+`false` in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings"
+>}}) to disable certificate revocation checking. Alternatively,
+applications may also set `tlsDisableCertificateRevocationCheck=true`
+in their connection string.  See
+[tlsDisableCertificateRevocationCheck](#tlsDisableCertificateRevocationCheck)
+for more information.
+
+Prior to v2.7.0, the driver also enabled certificate revocation checking by
+default.
+
+#### tlsDisableCertificateRevocationCheck
+The URI option, `tlsDisableCertificateRevocationCheck` controls
+whether or not to disable certificate revocation checking during a TLS
+handshake. Setting `tlsDisableCertificateRevocationCheck=true` is
+equivalent to setting [`CheckCertificateRevocation`]({{< apiref
+"P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) in
+[`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" >}}) to
+`false`.
+
+### OCSP
+
+#### Stapling
+Due to limitations in .NET, the driver currently only supports OCSP
+(Online Certificate Status Protocol) stapling on .NET Core ≥2.x on
+macOS.
+
+On Windows, when a server has a Must-Staple certificate and does not
+staple, by default, the driver will continue to connect as long as the
+OCSP responder is still available and reports that the server's
+certificate is valid. This behavior differs from the mongo shell and
+from the MongoDB Python and Go drivers, which will fail to connect in
+when a server has a Must-Staple certificate and does not staple.
+
+#### Hard-fail vs. soft-fail
+On Windows, due .NET's implementation of TLS, the driver utilizes
+"hard-fail" behavior in contrast to the "soft-fail" behavior exhibited
+by the mongo shell and MongoDB drivers such as Python and Go. This
+means that in the case that an OCSP responder is unavailable, the
+driver will fail to connect (i.e. hard-fail) instead of allowing the
+connection to continue (i.e. soft-fail).
+
 
 ## TLS support
 ### Overview
 
-| OS      | .NET Version          | TLS1.1 | TLS1.2 | SNI | CRLs without OCSP |
+| OS | .NET Version | TLS1.1 | TLS1.2 | SNI | CRLs without OCSP |
 |---------|-----------------------|--------|--------|-----|-------------------|
 | Windows |                       |        |        |     |                   |
 |         | .NET Framework 4.5    | Yes    | Yes    | Yes | Yes               |
@@ -65,7 +117,7 @@ Prior to v2.7.0, the driver enabled certificate revocation checking by default,
 |         | .NET Core 1.1         | Yes    | Yes    | No  | Yes               |
 |         | .NET Core 2.0         | Yes    | Yes    | No  | Yes               |
 |         | .NET Core 2.1         | Yes    | Yes    | Yes | Yes               |
-| OSX     |                       |        |        |     |                   |
+| macOS   |                       |        |        |     |                   |
 |         | .NET Core 1.0         | Yes    | Yes    | No  | Yes               |
 |         | .NET Core 1.1         | Yes    | Yes    | No  | Yes               |
 |         | .NET Core 2.0         | Yes    | Yes    | Yes | No                |
@@ -74,10 +126,10 @@ Prior to v2.7.0, the driver enabled certificate revocation checking by default,
 
 #### Notes
  - SNI (Server Name Indication) is required for Atlas free tier.
- - .NET Core on OSX will fail to connect if **both** of the following conditions are met: (1) [certificate revocation checking]({{<relref "reference\driver\ssl.md#certificate-revocation-checking" >}}) is enabled, and (2) a server's certificate includes Certificate Revocation List (CRL) Distribution Points but does not include an Online Certificate Status Protocol (OCSP) extension.
- 
-  - This is due to a limitation of the Apple Security Framework (see https://github.com/dotnet/corefx/issues/29064). Prior to version 2.0, .NET Core on OSX used OpenSSL, which does support CRLs without OCSP. 
-  - Connecting to Atlas on OSX with certificate revocation checking enabled will succeed since Atlas certificates include CRL Distribution Points as well as an OCSP extension.
+ - .NET Core on macOS will fail to connect if **both** of the following conditions are met: (1) [certificate revocation checking]({{<relref "reference\driver\ssl.md#certificate-revocation-checking" >}}) is enabled, and (2) a server's certificate includes Certificate Revocation List (CRL) Distribution Points but does not include an Online Certificate Status Protocol (OCSP) extension.
+
+  - This is due to a limitation of the Apple Security Framework (see https://github.com/dotnet/corefx/issues/29064). Prior to version 2.0, .NET Core on macOS used OpenSSL, which does support CRLs without OCSP.
+  - Connecting to Atlas on macOS with certificate revocation checking enabled will succeed since Atlas certificates include CRL Distribution Points as well as an OCSP extension.
 
 
 ### Support for TLS v1.1 and newer
 
@@ -11,4 +11,15 @@ title = "Upgrading"
 
 ## Breaking Changes
 
-There should be no breaking changes in version 2.10.0 of the driver.
+# Backwards compatibility with driver version 2.7.0–2.10.x
+An application that is unable to contact the OCSP endpoints and/or CRL
+distribution points specified in a server's certificate may experience
+connectivity issues (e.g. if the application is behind a firewall with
+an outbound whitelist). This is because the driver needs to contact
+the OCSP endpoints and/or CRL distribution points specified in the
+server’s certificate and if these OCSP endpoints and/or CRL
+distribution points are not accessible, then the connection to the
+server may fail. In such a scenario, connectivity may be able to be
+restored by disabling certificate revocation checking by adding
+`tlsDisableCertificateRevocationCheck=true` to the application's connection
+string.
@@ -44,10 +44,10 @@ Task("Release")
     .IsDependentOn("Build")
     .IsDependentOn("Test")
     .IsDependentOn("Docs")
-    .IsDependentOn("Package");    
-   
+    .IsDependentOn("Package");
+
 Task("Restore")
-    .Does(() => 
+    .Does(() =>
     {
         DotNetCoreRestore(solutionFullPath);
     });
@@ -113,7 +113,7 @@ Task("Test")
     .DoesForEach(
         GetFiles("./**/*.Tests.csproj")
         .Where(name => !name.ToString().Contains("Atlas")),
-        testProject => 
+        testProject =>
     {
         var testWithDefaultGuidRepresentationMode = Environment.GetEnvironmentVariable("TEST_WITH_DEFAULT_GUID_REPRESENTATION_MODE");
         if (testWithDefaultGuidRepresentationMode != null)
@@ -144,7 +144,7 @@ Task("TestAllGuidRepresentations")
         GetFiles("./**/*.Tests.csproj")
         // .Where(name => name.ToString().Contains("Bson.Tests")) // uncomment to only test Bson
         .Where(name => !name.ToString().Contains("Atlas")),
-        testProject => 
+        testProject =>
     {
         var modes = new string[][]
         {
@@ -179,12 +179,12 @@ Task("TestAllGuidRepresentations")
             );
         }
     });
-    
+
 Task("TestAtlasConnectivity")
     .IsDependentOn("Build")
     .DoesForEach(
         GetFiles("./**/AtlasConnectivity.Tests.csproj"),
-        testProject => 
+        testProject =>
 {
     DotNetCoreTest(
         testProject.FullPath,
@@ -197,6 +197,26 @@ Task("TestAtlasConnectivity")
     );
 });
 
+Task("TestOcsp")
+    .IsDependentOn("Build")
+    .DoesForEach(
+        GetFiles("./**/MongoDB.Driver.Tests.csproj"),
+        testProject =>
+{
+    DotNetCoreTest(
+        testProject.FullPath,
+        new DotNetCoreTestSettings {
+            NoBuild = true,
+            NoRestore = true,
+            Configuration = configuration,
+
+            ArgumentCustomization = args => args
+                .Append("--filter FullyQualifiedName~OcspIntegrationTests")
+                .Append("-- RunConfiguration.TargetPlatform=x64")
+        }
+    );
+});
+
 Task("Docs")
     .IsDependentOn("ApiDocs")
     .IsDependentOn("RefDocs");
 
@@ -3,6 +3,13 @@
 set -o xtrace   # Write all commands first to stderr
 set -o errexit  # Exit the script with an error if any of the commands fail
 
+OCSP_TLS_SHOULD_SUCCEED=${OCSP_TLS_SHOULD_SUCCEED:-nil}
+OCSP_ALGORITHM=${OCSP_ALGORITHM:-nil}
+
 if [[ "$OS" =~ Windows|windows ]]; then
     certutil.exe -addstore "Root" ${DRIVERS_TOOLS}/.evergreen/x509gen/ca.pem
+
+  if [ "$OCSP_TLS_SHOULD_SUCCEED" != "nil" ] && [ "$OCSP_ALGORITHM" != "nil" ]; then
+    certutil.exe -addstore "Root" ${DRIVERS_TOOLS}/.evergreen/ocsp/${OCSP_ALGORITHM}/ca.pem
+  fi
 fi