From 9ac03cfd773d5b3b0c1f76fd4272701957644153 Mon Sep 17 00:00:00 2001 From: Mikalai Mazurenka Date: Mon, 27 Jul 2020 17:04:31 +0300 Subject: [PATCH] CSHARP-3161: Default OCSP to 'off' for drivers that hard-fail when an OCSP responder is unavailable --- .../reference/content/reference/driver/ssl.md | 12 ++-- .../Core/Configuration/SslStreamSettings.cs | 2 +- src/MongoDB.Driver/MongoUrlBuilder.cs | 11 ++- src/MongoDB.Driver/SslSettings.cs | 2 +- .../Configuration/SslStreamSettingsTests.cs | 2 +- .../MongoServerSettingsTests.cs | 68 +++++++++++++++++-- .../MongoClientSettingsTests.cs | 62 +++++++++++++++-- tests/MongoDB.Driver.Tests/MongoUrlTests.cs | 2 +- .../MongoDB.Driver.Tests/SslSettingsTests.cs | 5 +- 9 files changed, 136 insertions(+), 30 deletions(-) diff --git a/Docs/reference/content/reference/driver/ssl.md b/Docs/reference/content/reference/driver/ssl.md index f11000f69ec..bf0f4021972 100644 --- a/Docs/reference/content/reference/driver/ssl.md +++ b/Docs/reference/content/reference/driver/ssl.md @@ -45,21 +45,21 @@ var settings = new MongoClientSettings ### Certificate Revocation Checking #### Default behavior -The .NET Driver now **enables** certificate revocation checking by +The .NET Driver now **disables** certificate revocation checking by default, setting [`CheckCertificateRevocation`]({{< apiref "P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" >}}) to -`true` by default. This is in contrast to .NET's defaults for +`false` by default. This correlates to .NET's defaults for `SslStream` (see .NET Framework documentation [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netframework-4.7.2#System_Net_Security_SslStream_AuthenticateAsClient_System_String_) and .NET Standard documentation [here](https://docs.microsoft.com/en-us/dotnet/api/system.net.security.sslstream.authenticateasclient?view=netstandard-2.0#System_Net_Security_SslStream_AuthenticateAsClient_System_String_)). -Any applications relying on the older default of `false` now must +Applications relying on the intermediate default of `true` (introduced in beta driver releases 2.11.0-beta1 and 2.11.0-beta2) must explicitly set [`CheckCertificateRevocation`]({{< apiref "P_MongoDB_Driver_SslSettings_CheckCertificateRevocation">}}) to -`false` in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" ->}}) to disable certificate revocation checking. Alternatively, -applications may also set `tlsDisableCertificateRevocationCheck=true` +`true` in [`SslSettings`]({{< apiref "T_MongoDB_Driver_SslSettings" +>}}) to enable certificate revocation checking. Alternatively, +applications may also set `tlsDisableCertificateRevocationCheck=false` in their connection string. See [tlsDisableCertificateRevocationCheck](#tlsDisableCertificateRevocationCheck) for more information. diff --git a/src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs b/src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs index a40e6aa1491..7ebb727b4ed 100644 --- a/src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs +++ b/src/MongoDB.Driver.Core/Core/Configuration/SslStreamSettings.cs @@ -50,7 +50,7 @@ public SslStreamSettings( Optional enabledProtocols = default(Optional), Optional serverCertificateValidationCallback = default(Optional)) { - _checkCertificateRevocation = checkCertificateRevocation.WithDefault(true); + _checkCertificateRevocation = checkCertificateRevocation.WithDefault(false); _clientCertificates = Ensure.IsNotNull(clientCertificates.WithDefault(Enumerable.Empty()), "clientCertificates").ToList(); _clientCertificateSelectionCallback = clientCertificateSelectionCallback.WithDefault(null); _enabledSslProtocols = enabledProtocols.WithDefault(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls); diff --git a/src/MongoDB.Driver/MongoUrlBuilder.cs b/src/MongoDB.Driver/MongoUrlBuilder.cs index db96d050227..24b8f359f87 100644 --- a/src/MongoDB.Driver/MongoUrlBuilder.cs +++ b/src/MongoDB.Driver/MongoUrlBuilder.cs @@ -67,7 +67,7 @@ public class MongoUrlBuilder private IEnumerable _servers; private TimeSpan _serverSelectionTimeout; private TimeSpan _socketTimeout; - private bool _tlsDisableCertificateRevocationCheck; + private bool? _tlsDisableCertificateRevocationCheck; private string _username; private bool _useTls; private WriteConcern.WValue _w; @@ -551,7 +551,7 @@ public TimeSpan SocketTimeout /// public bool TlsDisableCertificateRevocationCheck { - get => _tlsDisableCertificateRevocationCheck; + get => _tlsDisableCertificateRevocationCheck.GetValueOrDefault(true); set => _tlsDisableCertificateRevocationCheck = value; } @@ -783,8 +783,7 @@ public void Parse(string url) }); _serverSelectionTimeout = connectionString.ServerSelectionTimeout.GetValueOrDefault(MongoDefaults.ServerSelectionTimeout); _socketTimeout = connectionString.SocketTimeout.GetValueOrDefault(MongoDefaults.SocketTimeout); - _tlsDisableCertificateRevocationCheck = - connectionString.TlsDisableCertificateRevocationCheck.GetValueOrDefault(false); + _tlsDisableCertificateRevocationCheck = connectionString.TlsDisableCertificateRevocationCheck; _username = connectionString.Username; _useTls = connectionString.Tls.GetValueOrDefault(false); _w = connectionString.W; @@ -907,9 +906,9 @@ public override string ToString() query.AppendFormat("tlsInsecure=true;"); } - if (_tlsDisableCertificateRevocationCheck) + if (_tlsDisableCertificateRevocationCheck != null) { - query.AppendFormat("tlsDisableCertificateRevocationCheck=true;"); + query.AppendFormat("tlsDisableCertificateRevocationCheck={0};", JsonConvert.ToString(_tlsDisableCertificateRevocationCheck.Value)); } if (_compressors?.Any() ?? false) diff --git a/src/MongoDB.Driver/SslSettings.cs b/src/MongoDB.Driver/SslSettings.cs index 1e5a6b009db..2150f53e050 100644 --- a/src/MongoDB.Driver/SslSettings.cs +++ b/src/MongoDB.Driver/SslSettings.cs @@ -34,7 +34,7 @@ public class SslSettings : IEquatable private static readonly IEqualityComparer __certificateCollectionEqualityComparer = new X509CertificateCollectionEqualityComparer(); // private fields - private bool _checkCertificateRevocation = true; + private bool _checkCertificateRevocation = false; private X509CertificateCollection _clientCertificateCollection; private LocalCertificateSelectionCallback _clientCertificateSelectionCallback; private SslProtocols _enabledSslProtocols = SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls; diff --git a/tests/MongoDB.Driver.Core.Tests/Core/Configuration/SslStreamSettingsTests.cs b/tests/MongoDB.Driver.Core.Tests/Core/Configuration/SslStreamSettingsTests.cs index 88c717501f9..dcc5a9d7e22 100644 --- a/tests/MongoDB.Driver.Core.Tests/Core/Configuration/SslStreamSettingsTests.cs +++ b/tests/MongoDB.Driver.Core.Tests/Core/Configuration/SslStreamSettingsTests.cs @@ -31,7 +31,7 @@ public void constructor_should_initialize_instance() { var subject = new SslStreamSettings(); - subject.CheckCertificateRevocation.Should().BeTrue(); + subject.CheckCertificateRevocation.Should().BeFalse(); subject.ClientCertificates.Should().BeEmpty(); subject.ClientCertificateSelectionCallback.Should().BeNull(); subject.EnabledSslProtocols.Should().Be(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls); diff --git a/tests/MongoDB.Driver.Legacy.Tests/MongoServerSettingsTests.cs b/tests/MongoDB.Driver.Legacy.Tests/MongoServerSettingsTests.cs index d23a792e906..6a9ea974937 100644 --- a/tests/MongoDB.Driver.Legacy.Tests/MongoServerSettingsTests.cs +++ b/tests/MongoDB.Driver.Legacy.Tests/MongoServerSettingsTests.cs @@ -113,9 +113,36 @@ public void TestClone() settings.SdamLogFilename = "unimatrix-zero"; var clone = settings.Clone(); + Assert.Equal(settings, clone); } + [Fact] + public void TestCloneTlsDisableCertificateRevocationCheck() + { + var connectionString = "mongodb://somehost/?tlsDisableCertificateRevocationCheck=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + var settings = MongoServerSettings.FromUrl(url); + + var clone = settings.Clone(); + + clone.Should().Be(settings); + } + + [Fact] + public void TestCloneTlsInsecure() + { + var connectionString = "mongodb://somehost/?tlsInsecure=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + var settings = MongoServerSettings.FromUrl(url); + + var clone = settings.Clone(); + + clone.Should().Be(settings); + } + [Fact] public void TestConnectionMode() { @@ -414,6 +441,7 @@ public void TestFromClientSettings() clientSettings.SdamLogFilename = "section-31"; var settings = MongoServerSettings.FromClientSettings(clientSettings); + Assert.Equal(url.AllowInsecureTls, settings.AllowInsecureTls); Assert.Equal(url.ApplicationName, settings.ApplicationName); Assert.Equal(url.ConnectionMode, settings.ConnectionMode); @@ -450,7 +478,7 @@ public void TestFromClientSettings() Assert.True(url.Servers.SequenceEqual(settings.Servers)); Assert.Equal(url.ServerSelectionTimeout, settings.ServerSelectionTimeout); Assert.Equal(url.SocketTimeout, settings.SocketTimeout); - settings.SslSettings.Should().BeNull(); + Assert.Equal(url.TlsDisableCertificateRevocationCheck, !settings.SslSettings.CheckCertificateRevocation); #pragma warning disable 618 Assert.Equal(url.UseSsl, settings.UseSsl); #pragma warning restore 618 @@ -472,11 +500,23 @@ public void TestFromClientSettingsTlsDisableCertificateRevocationCheck() var builder = new MongoUrlBuilder(connectionString); var url = builder.ToMongoUrl(); var clientSettings = MongoClientSettings.FromUrl(url); - clientSettings.SdamLogFilename = "section-31"; var settings = MongoServerSettings.FromClientSettings(clientSettings); - settings.SslSettings.Should().Be( - new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck }); + + settings.SslSettings.Should().Be(new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck }); + } + + [Fact] + public void TestFromClientSettingsTlsInsecure() + { + var connectionString = "mongodb://lcars/?tlsInsecure=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + var clientSettings = MongoClientSettings.FromUrl(url); + + var settings = MongoServerSettings.FromClientSettings(clientSettings); + + settings.AllowInsecureTls.Should().BeTrue(); } [Fact] @@ -502,6 +542,7 @@ public void TestFromUrl() var url = builder.ToMongoUrl(); var settings = MongoServerSettings.FromUrl(url); + Assert.Equal(url.AllowInsecureTls, settings.AllowInsecureTls); Assert.Equal(url.ApplicationName, settings.ApplicationName); Assert.Equal(url.ConnectionMode, settings.ConnectionMode); @@ -535,12 +576,14 @@ public void TestFromUrl() Assert.True(url.Servers.SequenceEqual(settings.Servers)); Assert.Equal(url.ServerSelectionTimeout, settings.ServerSelectionTimeout); Assert.Equal(url.SocketTimeout, settings.SocketTimeout); - settings.SslSettings.Should().BeNull(); + Assert.Equal(url.TlsDisableCertificateRevocationCheck, !settings.SslSettings.CheckCertificateRevocation); #pragma warning disable 618 Assert.Equal(url.UseSsl, settings.UseSsl); - Assert.Equal(url.VerifySslCertificate, settings.VerifySslCertificate); #pragma warning restore 618 Assert.Equal(url.UseTls, settings.UseTls); +#pragma warning disable 618 + Assert.Equal(url.VerifySslCertificate, settings.VerifySslCertificate); +#pragma warning restore 618 #pragma warning disable 618 Assert.Equal(url.ComputedWaitQueueSize, settings.WaitQueueSize); #pragma warning restore 618 @@ -556,9 +599,22 @@ public void TestFromUrlTlsDisableCertificateRevocationCheck() var url = builder.ToMongoUrl(); var settings = MongoServerSettings.FromUrl(url); + settings.SslSettings.Should().Be(new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck }); } + [Fact] + public void TestFromUrlTlsInsecure() + { + var connectionString = "mongodb://unimatrix-zero/?tlsInsecure=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + + var settings = MongoServerSettings.FromUrl(url); + + settings.AllowInsecureTls.Should().Be(url.AllowInsecureTls); + } + [Fact] public void TestFrozenCopy() { diff --git a/tests/MongoDB.Driver.Tests/MongoClientSettingsTests.cs b/tests/MongoDB.Driver.Tests/MongoClientSettingsTests.cs index aeb21e36910..43e2afb08e6 100644 --- a/tests/MongoDB.Driver.Tests/MongoClientSettingsTests.cs +++ b/tests/MongoDB.Driver.Tests/MongoClientSettingsTests.cs @@ -85,7 +85,7 @@ public void TestClone() "maxIdleTime=124;maxLifeTime=125;maxPoolSize=126;minPoolSize=127;readConcernLevel=majority;" + "readPreference=secondary;readPreferenceTags=a:1,b:2;readPreferenceTags=c:3,d:4;socketTimeout=129;" + "serverSelectionTimeout=20s;ssl=true;sslVerifyCertificate=false;waitqueuesize=130;waitQueueTimeout=131;" + - "w=1;fsync=true;journal=true;w=2;wtimeout=131;gssapiServiceName=other;tlsInsecure=true"; + "w=1;fsync=true;journal=true;w=2;wtimeout=131;gssapiServiceName=other"; #pragma warning disable 618 if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2) { @@ -95,7 +95,6 @@ public void TestClone() var builder = new MongoUrlBuilder(connectionString); var url = builder.ToMongoUrl(); var settings = MongoClientSettings.FromUrl(url); - // a few settings can only be made in code #pragma warning disable 618 settings.Credential = MongoCredential.CreateMongoCRCredential("database", "username", "password").WithMechanismProperty("SERVICE_NAME", "other"); @@ -104,9 +103,36 @@ public void TestClone() settings.SdamLogFilename = "stdout"; var clone = settings.Clone(); + Assert.Equal(settings, clone); } + [Fact] + public void TestCloneTlsDisableCertificateRevocationCheck() + { + var connectionString = "mongodb://somehost/?tlsDisableCertificateRevocationCheck=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + var settings = MongoClientSettings.FromUrl(url); + + var clone = settings.Clone(); + + clone.Should().Be(settings); + } + + [Fact] + public void TestCloneTlsInsecure() + { + var connectionString = "mongodb://somehost/?tlsInsecure=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + var settings = MongoClientSettings.FromUrl(url); + + var clone = settings.Clone(); + + clone.Should().Be(settings); + } + [Fact] public void TestCompressors() { @@ -398,12 +424,14 @@ public void TestFreezeInvalid() public void TestFromUrl() { // set everything to non default values to test that all settings are converted + // with the exception of tlsDisableCertificateRevocationCheck because setting that with tlsInsecure is + // not allowed in a connection string var connectionString = "mongodb://user1:password1@somehost/?appname=app1;authSource=db;authMechanismProperties=CANONICALIZE_HOST_NAME:true;" + "compressors=zlib,snappy;zlibCompressionLevel=9;connect=direct;connectTimeout=123;ipv6=true;heartbeatInterval=1m;heartbeatTimeout=2m;localThreshold=128;" + "maxIdleTime=124;maxLifeTime=125;maxPoolSize=126;minPoolSize=127;readConcernLevel=majority;" + "readPreference=secondary;readPreferenceTags=a:1,b:2;readPreferenceTags=c:3,d:4;retryReads=false;retryWrites=true;socketTimeout=129;" + - "serverSelectionTimeout=20s;tls=true;tlsInsecure=true;waitqueuesize=130;waitQueueTimeout=131;" + + "serverSelectionTimeout=20s;tls=true;sslVerifyCertificate=false;waitqueuesize=130;waitQueueTimeout=131;" + "w=1;fsync=true;journal=true;w=2;wtimeout=131;gssapiServiceName=other"; #pragma warning disable 618 if (BsonDefaults.GuidRepresentationMode == GuidRepresentationMode.V2) @@ -415,6 +443,7 @@ public void TestFromUrl() var url = builder.ToMongoUrl(); var settings = MongoClientSettings.FromUrl(url); + Assert.Equal(url.AllowInsecureTls, settings.AllowInsecureTls); Assert.Equal(url.ApplicationName, settings.ApplicationName); Assert.Equal(url.Compressors, settings.Compressors); @@ -453,14 +482,13 @@ public void TestFromUrl() Assert.Equal(url.ServerSelectionTimeout, settings.ServerSelectionTimeout); Assert.Equal(url.SocketTimeout, settings.SocketTimeout); #pragma warning disable 618 - settings.SslSettings.Should().BeNull(); + Assert.Equal(url.TlsDisableCertificateRevocationCheck, !settings.SslSettings.CheckCertificateRevocation); Assert.Equal(url.UseSsl, settings.UseSsl); #pragma warning restore 618 Assert.Equal(url.UseTls, settings.UseTls); #pragma warning disable 618 Assert.Equal(url.VerifySslCertificate, settings.VerifySslCertificate); #pragma warning restore 618 - #pragma warning disable 618 Assert.Equal(url.ComputedWaitQueueSize, settings.WaitQueueSize); #pragma warning restore 618 @@ -468,6 +496,30 @@ public void TestFromUrl() Assert.Equal(url.GetWriteConcern(true), settings.WriteConcern); } + [Fact] + public void TestFromUrlTlsDisableCertificateRevocationCheck() + { + var connectionString = "mongodb://the-next-generation/?tlsDisableCertificateRevocationCheck=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + + var settings = MongoClientSettings.FromUrl(url); + + settings.SslSettings.Should().Be(new SslSettings { CheckCertificateRevocation = !url.TlsDisableCertificateRevocationCheck }); + } + + [Fact] + public void TestFromUrlTlsInsecure() + { + var connectionString = "mongodb://the-next-generation/?tlsInsecure=true"; + var builder = new MongoUrlBuilder(connectionString); + var url = builder.ToMongoUrl(); + + var settings = MongoClientSettings.FromUrl(url); + + settings.AllowInsecureTls.Should().Be(url.AllowInsecureTls); + } + [Fact] public void TestFromUrlWithMongoDBX509() { diff --git a/tests/MongoDB.Driver.Tests/MongoUrlTests.cs b/tests/MongoDB.Driver.Tests/MongoUrlTests.cs index 8a47747299d..bfd234625e3 100644 --- a/tests/MongoDB.Driver.Tests/MongoUrlTests.cs +++ b/tests/MongoDB.Driver.Tests/MongoUrlTests.cs @@ -245,7 +245,7 @@ public void TestAll() Assert.Equal(new MongoServerAddress("host", 27017), url.Server); Assert.Equal(TimeSpan.FromSeconds(10), url.ServerSelectionTimeout); Assert.Equal(TimeSpan.FromSeconds(7), url.SocketTimeout); - url.TlsDisableCertificateRevocationCheck.Should().Be(false); + Assert.Equal(true, url.TlsDisableCertificateRevocationCheck); Assert.Equal("username", url.Username); #pragma warning disable 618 Assert.Equal(true, url.UseSsl); diff --git a/tests/MongoDB.Driver.Tests/SslSettingsTests.cs b/tests/MongoDB.Driver.Tests/SslSettingsTests.cs index 44154bf4959..fa6877a5fa3 100644 --- a/tests/MongoDB.Driver.Tests/SslSettingsTests.cs +++ b/tests/MongoDB.Driver.Tests/SslSettingsTests.cs @@ -20,7 +20,6 @@ using System.Reflection; using System.Security.Authentication; using System.Security.Cryptography.X509Certificates; -using MongoDB.Driver; using Xunit; using FluentAssertions; @@ -51,7 +50,7 @@ private bool ServerCertificateValidationCallback( public void TestCheckCertificateRevocation() { var settings = new SslSettings(); - settings.CheckCertificateRevocation.Should().BeTrue(); + settings.CheckCertificateRevocation.Should().BeFalse(); var checkCertificateRevocation = !settings.CheckCertificateRevocation; settings.CheckCertificateRevocation = checkCertificateRevocation; @@ -116,7 +115,7 @@ public void TestClone() public void TestDefaults() { var settings = new SslSettings(); - settings.CheckCertificateRevocation.Should().BeTrue(); + settings.CheckCertificateRevocation.Should().BeFalse(); Assert.Equal(null, settings.ClientCertificates); Assert.Equal(null, settings.ClientCertificateSelectionCallback); Assert.Equal(SslProtocols.Tls12 | SslProtocols.Tls11 | SslProtocols.Tls, settings.EnabledSslProtocols);