Message from mongodb about mongodb driver upgrade

Thursday, December 3, 2020 11:04:15 AM
  • Posted: Friday, October 23, 2020 6:12 AM
  • 22
I have received the following email from mongodb:

Hi Cédric,

You are receiving this message because you have made recent connections to your MongoDB Atlas cluster(s) from a version of the MongoDB .NET driver. This driver is susceptible to a critical availability issue that has caused customer application outages twice in the last five months.

In order to protect yourself from any impact on application availability, you must upgrade your MongoDB .NET driver to version 2.7 or newer.

You can find the technical details below. If you have questions or need assistance, please open a support case or use the chat in the Atlas UI to talk to someone on our team.

Regards,

The MongoDB Team


Technical Details
The MongoDB .NET driver from version 1.8 up to and including 2.6.1 enables OCSP revocation checking by default.  If the revocation check is not successful, the connection to your Atlas cluster will fail.  In .NET driver versions 2.7 and later, revocation checking is turned off by default.

Atlas, like most public certificate authorities, uses an OCSP responder which is designed to be a “best effort” certificate revocation mechanism. Due to this default behavior in .NET driver versions between 1.8 and 2.6, if an application:

cannot verify a certificate’s status via the OS-level OCSP cache, and
is unable for any reason to reach the OCSP responder,
the connection to Atlas will fail.

We recently became aware that some customers running the .NET driver were having issues connecting to their Atlas cluster. The issue was ultimately tracked down to OCSP revocation check failures. We are still working with our certificate authority to determine if there was an intermittent issue on their side or if this was an internet networking issue, which is why it only impacted a subset of customers.

In order to protect yourself from any impact on availability should one of these rare events occur in the future, we ask that you immediately upgrade your MongoDB .NET driver to 2.7 or a more recent generally available driver release, where the default behavior is to not perform certificate revocation checking.

If it is not possible to upgrade to the .NET driver version 2.7, the same behavior can be achieved with the instructions below:

For .NET driver versions >=1.8 but < 2.0, the fix looks like this:

var connectionString = "mongodb://localhost";  // replace localhost with atlas cluster connection string
var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
settings.SslSettings = new SslSettings();
settings.SslSettings.CheckCertificateRevocation = false;
settings.SslSettings.EnabledSslProtocols = System.Security.Authentication.SslProtocols.Tls11 | System.Security.Authentication.SslProtocols.Tls12;
var client = new MongoClient(settings);

For .NET driver versions 2.0 through 2.6.1, the fix looks like this:
var settings = MongoClientSettings.FromConnectionString("mongodb://localhost"); //replace localhost with atlas cluster connection string
settings.SslSettings = new SslSettings();
settings.SslSettings.CheckCertificateRevocation = false;
var client = new MongoClient(settings);
0
  • Posted: Friday, October 23, 2020 6:53 AM
  • Team
  • 776
Hi Cedric,

We've checked the version of the MongoDB Driver, and the fact is that we are using the newest version of MongoDB Driver. You can see it here, on our GitHub. Furthermore, if we check the nuget.org page, the mentioned 2.7 version was release two years ago in 2018.
Best regards,
Patryk

GrandNode Team
0
  • Posted: Friday, October 23, 2020 6:57 AM
  • 22
Thank you Patryk,

I have seen this email and copy paste just for information ;)
0
  • Posted: Saturday, October 24, 2020 9:14 AM
  • 22
I have received an email from mongodb, this is funny ;):

Hi Cédric,

We recently sent a critical advisory for users of the .NET driver earlier than version 2.7 on MongoDB Atlas.

We incorrectly included you in this send even though you are not using affected versions of the driver at this time. Please accept our apologies for the false alarm.

You can disregard the prior message with subject "MongoDB Atlas .NET driver pre-2.7 critical advisory (action required)" as you are using a newer version of the .NET driver already.

Feel free to open a support case or use the chat in the Atlas UI to talk to someone on our team if you have any further questions.

Regards,

The MongoDB Team
0
  • Posted: Monday, October 26, 2020 6:31 AM
  • Team
  • 776
And everything is clear now :)
Best regards,
Patryk

GrandNode Team
0
back to top
Filters