CSHARP-3161: Default OCSP to 'off' for drivers that hard-fail when an OCSP responder is unavailable

Author: MikalaiMazurenka

Docs/reference/content/reference/driver/ssl.md

@@ -45,21 +45,21 @@ var settings = new MongoClientSettings
 ### Certificate Revocation Checking
 
 #### Default behavior
-The .NET Driver now **enables** certificate revocation checking by
+The .NET Driver now **disables** certificate revocation checking by
 default, setting [`CheckCertificateRevocation`]({{< apiref
 "P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) in
 [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" >}}) to
-`true` by default. This is in contrast to .NET's defaults for
+`false` by default. This correlates to .NET's defaults for
 `SslStream` (see .NET Framework documentation
 [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)
 and .NET Standard documentation
 [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-2.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)).
-Any applications relying on the older default of `false` now must
+Applications relying on the intermediate default of `true` (introduced in beta driver releases 2.11.0-beta1 and 2.11.0-beta2) must
 explicitly set [`CheckCertificateRevocation`]({{< apiref
 "P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) to
-`false` in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings"
->}}) to disable certificate revocation checking. Alternatively,
-applications may also set `tlsDisableCertificateRevocationCheck=true`
+`true` in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings"
+>}}) to enable certificate revocation checking. Alternatively,
+applications may also set `tlsDisableCertificateRevocationCheck=false`
 in their connection string.  See
 [tlsDisableCertificateRevocationCheck](#tlsDisableCertificateRevocationCheck)
 for more information.

src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs

@@ -50,7 +50,7 @@ public SslStreamSettings(
             Optional<SslProtocols> enabledProtocols = default(Optional<SslProtocols>),
             Optional<RemoteCertificateValidationCallback> serverCertificateValidationCallback = default(Optional<RemoteCertificateValidationCallback>))
         {
-            _checkCertificateRevocation = checkCertificateRevocation.WithDefault(true);
+            _checkCertificateRevocation = checkCertificateRevocation.WithDefault(false);
             _clientCertificates = Ensure.IsNotNull(clientCertificates.WithDefault(Enumerable.Empty<X509Certificate>()), "clientCertificates").ToList();
             _clientCertificateSelectionCallback = clientCertificateSelectionCallback.WithDefault(null);
             _enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);

src/MongoDB.Driver/MongoUrlBuilder.cs

@@ -67,7 +67,7 @@ public class MongoUrlBuilder
         private IEnumerable<MongoServerAddress> _servers;
         private TimeSpan _serverSelectionTimeout;
         private TimeSpan _socketTimeout;
-        private bool _tlsDisableCertificateRevocationCheck;
+        private bool? _tlsDisableCertificateRevocationCheck;
         private string _username;
         private bool _useTls;
         private WriteConcern.WValue _w;
@@ -551,7 +551,7 @@ public TimeSpan SocketTimeout
         /// </summary>
         public bool TlsDisableCertificateRevocationCheck
         {
-            get => _tlsDisableCertificateRevocationCheck;
+            get => _tlsDisableCertificateRevocationCheck.GetValueOrDefault(true);
             set => _tlsDisableCertificateRevocationCheck = value;
         }
 
@@ -783,8 +783,7 @@ public void Parse(string url)
             });
             _serverSelectionTimeout = connectionString.ServerSelectionTimeout.GetValueOrDefault(MongoDefaults.ServerSelectionTimeout);
             _socketTimeout = connectionString.SocketTimeout.GetValueOrDefault(MongoDefaults.SocketTimeout);
-            _tlsDisableCertificateRevocationCheck =
-                connectionString.TlsDisableCertificateRevocationCheck.GetValueOrDefault(false);
+            _tlsDisableCertificateRevocationCheck = connectionString.TlsDisableCertificateRevocationCheck;
             _username = connectionString.Username;
             _useTls = connectionString.Tls.GetValueOrDefault(false);
             _w = connectionString.W;
@@ -907,9 +906,9 @@ public override string ToString()
                 query.AppendFormat("tlsInsecure=true;");
             }
 
-            if (_tlsDisableCertificateRevocationCheck)
+            if (_tlsDisableCertificateRevocationCheck != null)
             {
-                query.AppendFormat("tlsDisableCertificateRevocationCheck=true;");
+                query.AppendFormat("tlsDisableCertificateRevocationCheck={0};", JsonConvert.ToString(_tlsDisableCertificateRevocationCheck.Value));
             }
 
             if (_compressors?.Any() ?? false)

src/MongoDB.Driver/SslSettings.cs

@@ -34,7 +34,7 @@ public class SslSettings : IEquatable<SslSettings>
         private static readonly IEqualityComparer<X509CertificateCollection> __certificateCollectionEqualityComparer = new X509CertificateCollectionEqualityComparer();
 
         // private fields
-        private bool _checkCertificateRevocation = true;
+        private bool _checkCertificateRevocation = false;
         private X509CertificateCollection _clientCertificateCollection;
         private LocalCertificateSelectionCallback _clientCertificateSelectionCallback;
         private SslProtocols _enabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls;

tests/MongoDB.Driver.Core.Tests/Core/Configuration/SslStreamSettingsTests.cs

@@ -31,7 +31,7 @@ public void constructor_should_initialize_instance()
         {
             var subject = new SslStreamSettings();
 
-            subject.CheckCertificateRevocation.Should().BeTrue();
+            subject.CheckCertificateRevocation.Should().BeFalse();
             subject.ClientCertificates.Should().BeEmpty();
             subject.ClientCertificateSelectionCallback.Should().BeNull();
             subject.EnabledSslProtocols.Should().Be(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls);

tests/MongoDB.Driver.Legacy.Tests/MongoServerSettingsTests.cs

@@ -113,9 +113,36 @@ public void TestClone()
             settings.SdamLogFilename = "unimatrix-zero";
 
             var clone = settings.Clone();
+
             Assert.Equal(settings, clone);
         }
 
+        [Fact]
+        public void TestCloneTlsDisableCertificateRevocationCheck()
+        {
+            var connectionString = "mongodb://somehost/?tlsDisableCertificateRevocationCheck=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+            var settings = MongoServerSettings.FromUrl(url);
+
+            var clone = settings.Clone();
+
+            clone.Should().Be(settings);
+        }
+
+        [Fact]
+        public void TestCloneTlsInsecure()
+        {
+            var connectionString = "mongodb://somehost/?tlsInsecure=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+            var settings = MongoServerSettings.FromUrl(url);
+
+            var clone = settings.Clone();
+
+            clone.Should().Be(settings);
+        }
+
         [Fact]
         public void TestConnectionMode()
         {
@@ -414,6 +441,7 @@ public void TestFromClientSettings()
             clientSettings.SdamLogFilename = "section-31";
 
             var settings = MongoServerSettings.FromClientSettings(clientSettings);
+
             Assert.Equal(url.AllowInsecureTls, settings.AllowInsecureTls);
             Assert.Equal(url.ApplicationName, settings.ApplicationName);
             Assert.Equal(url.ConnectionMode, settings.ConnectionMode);
@@ -450,7 +478,7 @@ public void TestFromClientSettings()
             Assert.True(url.Servers.SequenceEqual(settings.Servers));
             Assert.Equal(url.ServerSelectionTimeout, settings.ServerSelectionTimeout);
             Assert.Equal(url.SocketTimeout, settings.SocketTimeout);
-            settings.SslSettings.Should().BeNull();
+            Assert.Equal(url.TlsDisableCertificateRevocationCheck, !settings.SslSettings.CheckCertificateRevocation);
 #pragma warning disable 618
             Assert.Equal(url.UseSsl, settings.UseSsl);
 #pragma warning restore 618
@@ -472,11 +500,23 @@ public void TestFromClientSettingsTlsDisableCertificateRevocationCheck()
             var builder = new MongoUrlBuilder(connectionString);
             var url = builder.ToMongoUrl();
             var clientSettings = MongoClientSettings.FromUrl(url);
-            clientSettings.SdamLogFilename = "section-31";
 
             var settings = MongoServerSettings.FromClientSettings(clientSettings);
-            settings.SslSettings.Should().Be(
-                new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck });
+
+            settings.SslSettings.Should().Be(new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck });
+        }
+
+        [Fact]
+        public void TestFromClientSettingsTlsInsecure()
+        {
+            var connectionString = "mongodb://lcars/?tlsInsecure=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+            var clientSettings = MongoClientSettings.FromUrl(url);
+
+            var settings = MongoServerSettings.FromClientSettings(clientSettings);
+
+            settings.AllowInsecureTls.Should().BeTrue();
         }
 
         [Fact]
@@ -502,6 +542,7 @@ public void TestFromUrl()
             var url = builder.ToMongoUrl();
 
             var settings = MongoServerSettings.FromUrl(url);
+
             Assert.Equal(url.AllowInsecureTls, settings.AllowInsecureTls);
             Assert.Equal(url.ApplicationName, settings.ApplicationName);
             Assert.Equal(url.ConnectionMode, settings.ConnectionMode);
@@ -535,12 +576,14 @@ public void TestFromUrl()
             Assert.True(url.Servers.SequenceEqual(settings.Servers));
             Assert.Equal(url.ServerSelectionTimeout, settings.ServerSelectionTimeout);
             Assert.Equal(url.SocketTimeout, settings.SocketTimeout);
-            settings.SslSettings.Should().BeNull();
+            Assert.Equal(url.TlsDisableCertificateRevocationCheck, !settings.SslSettings.CheckCertificateRevocation);
 #pragma warning disable 618
             Assert.Equal(url.UseSsl, settings.UseSsl);
-            Assert.Equal(url.VerifySslCertificate, settings.VerifySslCertificate);
 #pragma warning restore 618
             Assert.Equal(url.UseTls, settings.UseTls);
+#pragma warning disable 618
+            Assert.Equal(url.VerifySslCertificate, settings.VerifySslCertificate);
+#pragma warning restore 618
 #pragma warning disable 618
             Assert.Equal(url.ComputedWaitQueueSize, settings.WaitQueueSize);
 #pragma warning restore 618
@@ -556,9 +599,22 @@ public void TestFromUrlTlsDisableCertificateRevocationCheck()
             var url = builder.ToMongoUrl();
 
             var settings = MongoServerSettings.FromUrl(url);
+
             settings.SslSettings.Should().Be(new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck });
         }
 
+        [Fact]
+        public void TestFromUrlTlsInsecure()
+        {
+            var connectionString = "mongodb://unimatrix-zero/?tlsInsecure=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+
+            var settings = MongoServerSettings.FromUrl(url);
+
+            settings.AllowInsecureTls.Should().Be(url.AllowInsecureTls);
+        }
+
         [Fact]
         public void TestFrozenCopy()
         {

tests/MongoDB.Driver.Tests/MongoClientSettingsTests.cs

@@ -85,7 +85,7 @@ public void TestClone()
                 "maxIdleTime=124;maxLifeTime=125;maxPoolSize=126;minPoolSize=127;readConcernLevel=majority;" +
                 "readPreference=secondary;readPreferenceTags=a:1,b:2;readPreferenceTags=c:3,d:4;socketTimeout=129;" +
                 "serverSelectionTimeout=20s;ssl=true;sslVerifyCertificate=false;waitqueuesize=130;waitQueueTimeout=131;" +
-                "w=1;fsync=true;journal=true;w=2;wtimeout=131;gssapiServiceName=other;tlsInsecure=true";
+                "w=1;fsync=true;journal=true;w=2;wtimeout=131;gssapiServiceName=other";
 #pragma warning disable 618
             if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2)
             {
@@ -95,7 +95,6 @@ public void TestClone()
             var builder = new MongoUrlBuilder(connectionString);
             var url = builder.ToMongoUrl();
             var settings = MongoClientSettings.FromUrl(url);
-
             // a few settings can only be made in code
 #pragma warning disable 618
             settings.Credential = MongoCredential.CreateMongoCRCredential("database", "username", "password").WithMechanismProperty("SERVICE_NAME", "other");
@@ -104,9 +103,36 @@ public void TestClone()
             settings.SdamLogFilename = "stdout";
 
             var clone = settings.Clone();
+
             Assert.Equal(settings, clone);
         }
 
+        [Fact]
+        public void TestCloneTlsDisableCertificateRevocationCheck()
+        {
+            var connectionString = "mongodb://somehost/?tlsDisableCertificateRevocationCheck=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+            var settings = MongoClientSettings.FromUrl(url);
+
+            var clone = settings.Clone();
+
+            clone.Should().Be(settings);
+        }
+
+        [Fact]
+        public void TestCloneTlsInsecure()
+        {
+            var connectionString = "mongodb://somehost/?tlsInsecure=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+            var settings = MongoClientSettings.FromUrl(url);
+
+            var clone = settings.Clone();
+
+            clone.Should().Be(settings);
+        }
+
         [Fact]
         public void TestCompressors()
         {
@@ -398,12 +424,14 @@ public void TestFreezeInvalid()
         public void TestFromUrl()
         {
             // set everything to non default values to test that all settings are converted
+            // with the exception of tlsDisableCertificateRevocationCheck because setting that with tlsInsecure is
+            // not allowed in a connection string
             var connectionString =
                 "mongodb://user1:password1@somehost/?appname=app1;authSource=db;authMechanismProperties=CANONICALIZE_HOST_NAME:true;" +
                 "compressors=zlib,snappy;zlibCompressionLevel=9;connect=direct;connectTimeout=123;ipv6=true;heartbeatInterval=1m;heartbeatTimeout=2m;localThreshold=128;" +
                 "maxIdleTime=124;maxLifeTime=125;maxPoolSize=126;minPoolSize=127;readConcernLevel=majority;" +
                 "readPreference=secondary;readPreferenceTags=a:1,b:2;readPreferenceTags=c:3,d:4;retryReads=false;retryWrites=true;socketTimeout=129;" +
-                "serverSelectionTimeout=20s;tls=true;tlsInsecure=true;waitqueuesize=130;waitQueueTimeout=131;" +
+                "serverSelectionTimeout=20s;tls=true;sslVerifyCertificate=false;waitqueuesize=130;waitQueueTimeout=131;" +
                 "w=1;fsync=true;journal=true;w=2;wtimeout=131;gssapiServiceName=other";
 #pragma warning disable 618
             if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2)
@@ -415,6 +443,7 @@ public void TestFromUrl()
             var url = builder.ToMongoUrl();
 
             var settings = MongoClientSettings.FromUrl(url);
+
             Assert.Equal(url.AllowInsecureTls, settings.AllowInsecureTls);
             Assert.Equal(url.ApplicationName, settings.ApplicationName);
             Assert.Equal(url.Compressors, settings.Compressors);
@@ -453,21 +482,44 @@ public void TestFromUrl()
             Assert.Equal(url.ServerSelectionTimeout, settings.ServerSelectionTimeout);
             Assert.Equal(url.SocketTimeout, settings.SocketTimeout);
 #pragma warning disable 618
-            settings.SslSettings.Should().BeNull();
+            Assert.Equal(url.TlsDisableCertificateRevocationCheck, !settings.SslSettings.CheckCertificateRevocation);
             Assert.Equal(url.UseSsl, settings.UseSsl);
 #pragma warning restore 618
             Assert.Equal(url.UseTls, settings.UseTls);
 #pragma warning disable 618
             Assert.Equal(url.VerifySslCertificate, settings.VerifySslCertificate);
 #pragma warning restore 618
-
 #pragma warning disable 618
             Assert.Equal(url.ComputedWaitQueueSize, settings.WaitQueueSize);
 #pragma warning restore 618
             Assert.Equal(url.WaitQueueTimeout, settings.WaitQueueTimeout);
             Assert.Equal(url.GetWriteConcern(true), settings.WriteConcern);
         }
 
+        [Fact]
+        public void TestFromUrlTlsDisableCertificateRevocationCheck()
+        {
+            var connectionString = "mongodb://the-next-generation/?tlsDisableCertificateRevocationCheck=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+
+            var settings = MongoClientSettings.FromUrl(url);
+
+            settings.SslSettings.Should().Be(new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck });
+        }
+
+        [Fact]
+        public void TestFromUrlTlsInsecure()
+        {
+            var connectionString = "mongodb://the-next-generation/?tlsInsecure=true";
+            var builder = new MongoUrlBuilder(connectionString);
+            var url = builder.ToMongoUrl();
+
+            var settings = MongoClientSettings.FromUrl(url);
+
+            settings.AllowInsecureTls.Should().Be(url.AllowInsecureTls);
+        }
+
         [Fact]
         public void TestFromUrlWithMongoDBX509()
         {

tests/MongoDB.Driver.Tests/MongoUrlTests.cs

@@ -245,7 +245,7 @@ public void TestAll()
                 Assert.Equal(new MongoServerAddress("host", 27017), url.Server);
                 Assert.Equal(TimeSpan.FromSeconds(10), url.ServerSelectionTimeout);
                 Assert.Equal(TimeSpan.FromSeconds(7), url.SocketTimeout);
-                url.TlsDisableCertificateRevocationCheck.Should().Be(false);
+                Assert.Equal(true, url.TlsDisableCertificateRevocationCheck);
                 Assert.Equal("username", url.Username);
 #pragma warning disable 618
                 Assert.Equal(true, url.UseSsl);

tests/MongoDB.Driver.Tests/SslSettingsTests.cs

@@ -20,7 +20,6 @@
 using System.Reflection;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
-using MongoDB.Driver;
 using Xunit;
 using FluentAssertions;
 
@@ -51,7 +50,7 @@ private bool ServerCertificateValidationCallback(
         public void TestCheckCertificateRevocation()
         {
             var settings = new SslSettings();
-            settings.CheckCertificateRevocation.Should().BeTrue();
+            settings.CheckCertificateRevocation.Should().BeFalse();
 
             var checkCertificateRevocation = !settings.CheckCertificateRevocation;
             settings.CheckCertificateRevocation = checkCertificateRevocation;
@@ -116,7 +115,7 @@ public void TestClone()
         public void TestDefaults()
         {
             var settings = new SslSettings();
-            settings.CheckCertificateRevocation.Should().BeTrue();
+            settings.CheckCertificateRevocation.Should().BeFalse();
             Assert.Equal(null, settings.ClientCertificates);
             Assert.Equal(null, settings.ClientCertificateSelectionCallback);
             Assert.Equal(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, settings.EnabledSslProtocols);