- Type: Improvement
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Configuration, Security
- None
(copied to CRM)
The C# Driver currently enables certificate revocation checking by default (https://github.com/mongodb/mongo-csharp-driver/blob/ec74978f7e827515f29cc96fba0c727828e8df7c/src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs#L53), in contrast to the shell and the Python driver. This is also in contrast to .NET's defaults for SslStream (see https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_ and https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-2.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_).
We should consider changing this default. However, clearly, there are potential security concerns for users relying on the default setting.
- related to
- CSHARP-2278 Update SSL Documentation regarding default certificate revocation checking behavior
- Closed
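
For applications that depend on revocation checking, one way to avoid inheriting whatever the driver default is in a given version is to set the policy explicitly and log the revocation mode the certificate chain was actually built with. This is an added example, not code from the ticket or the driver project; the class and method names and the host `db.example.internal` are hypothetical.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

public static class RevocationPinning
{
    // Hypothetical helper: states the revocation policy explicitly so a change
    // in the driver's default cannot silently alter certificate validation.
    public static MongoClientSettings Build(string connectionString, bool checkRevocation)
    {
        var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
        settings.SslSettings = new SslSettings
        {
            CheckCertificateRevocation = checkRevocation,
            ServerCertificateValidationCallback = LogAndValidate
        };
        return settings;
    }

    // Keeps the platform's verdict (accept only when there are no policy errors)
    // and records the revocation mode and any revocation-related chain status.
    private static bool LogAndValidate(object sender, X509Certificate certificate,
                                       X509Chain chain, SslPolicyErrors errors)
    {
        const X509ChainStatusFlags revocationFlags =
            X509ChainStatusFlags.Revoked |
            X509ChainStatusFlags.RevocationStatusUnknown |
            X509ChainStatusFlags.OfflineRevocation;

        if (chain != null)
        {
            Console.WriteLine($"RevocationMode={chain.ChainPolicy.RevocationMode} errors={errors}");
            foreach (var status in chain.ChainStatus)
            {
                if ((status.Status & revocationFlags) != 0)
                    Console.WriteLine($"Revocation issue: {status.Status}: {status.StatusInformation}");
            }
        }
        return errors == SslPolicyErrors.None;
    }

    public static void Main()
    {
        // Placeholder host; constructing the client does not open a connection.
        var settings = Build("mongodb://db.example.internal:27017/?ssl=true", checkRevocation: true);
        var client = new MongoClient(settings);
        Console.WriteLine($"CheckCertificateRevocation={settings.SslSettings.CheckCertificateRevocation}");
    }
}
```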