DOCSP-38207: tls/ssl (#22)

* DOCSP-38207: tls/ssl

* remove netty

Author: rustagir

source/tutorials/connect.txt

@@ -11,9 +11,10 @@ Connect to MongoDB
 .. meta::
    :keywords: code example, modify connection
 
-.. TODO .. toctree::
-..    
-..    /tutorials/connect/tls/
+.. toctree::
+
+   /tutorials/connect/tls/
+
 ..    /tutorials/connect/auth/
 ..    /tutorials/connect/compression/
 
@@ -243,4 +244,9 @@ with programmatic configuration:
      MongoClientSettings.builder()
        .addCommandListener(myCommandListener)
        .applyConnectionString(connectionString)
-       .build())
+       .build())
+
+To learn how to implement other connection features, see the following
+tutorials:
+
+- :ref:`scala-tls`

source/tutorials/connect/tls.txt

@@ -0,0 +1,250 @@
+.. _scala-tls:
+
+=======
+TLS/SSL
+=======
+
+.. facet::
+   :name: genre
+   :values: reference
+
+.. meta::
+   :keywords: code example, certificate, authenticate
+
+.. contents:: On this page
+   :local:
+   :backlinks: none
+   :depth: 2
+   :class: singlecol
+
+By default, the driver supports TLS/SSL connections to MongoDB
+servers using the underlying support for TLS/SSL provided by the JDK.
+This can be changed by utilizing the extensibility of the `Java SE
+API <https://docs.oracle.com/javase/8/docs/api/>`__.
+
+MongoClient API
+---------------
+
+You can configure the driver to use 
+TLS/SSL by specifying options in a ``ConnectionString`` or in a
+``MongoClientSettings`` instance.
+
+Specify TLS/SSL in ConnectionString
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Include the following import statements:
+
+.. code-block:: scala
+   
+   import org.mongodb.scala._
+
+To specify TLS/SSL in a ``ConnectionString``, specify ``ssl=true`` as
+part of the connection string:
+
+.. code-block:: scala
+   
+   val mongoClient: MongoClient = MongoClient("mongodb://localhost/?ssl=true")
+
+Specify TLS/SSL in MongoClientSettings
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Include the following import statements:
+
+.. code-block:: scala
+   
+   import org.mongodb.scala._
+
+To specify TLS/SSL in a ``MongoClientSettings`` instance, set the
+``enabled`` property to ``true``:
+
+.. code-block:: scala
+   
+   val settings = MongoClientSettings.builder()
+       .applyToSslSettings((builder: SslSettings.Builder) => builder.enabled(true))
+       .build()
+   val client = MongoClient(settings)
+
+Specify Java SE SSLContext in MongoClientSettings
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Include the following import statements:
+
+.. code-block:: scala
+   
+   import javax.net.ssl.SSLContext
+
+To specify the ``javax.net.ssl.SSLContext`` with
+``MongoClientSettings``, set the ``sslContext`` property:
+
+.. code-block:: scala
+   
+   val sslContext: SSLContext = ...
+   val settings = MongoClientSettings.builder()
+       .applyToSslSettings((builder: SslSettings.Builder) => {
+           builder.enabled(true)
+           builder.context(sslContext)
+       })
+       .build()
+   val client = MongoClient(settings)
+
+Disable Hostname Verification
+-----------------------------
+
+By default, the driver ensures that the hostname included in the
+server's SSL certificate matches the hostname provided when
+constructing a ``MongoClient``.
+
+If your application needs to disable hostname verification, you must
+explicitly indicate this in ``MongoClientSettings``:
+
+.. code-block:: scala
+   
+   val settings = MongoClientSettings.builder()
+       .applyToSslSettings((builder: SslSettings.Builder) => {
+           builder.enabled(true)
+           builder.invalidHostNameAllowed(true)
+       })
+       .build()
+
+Common TLS/SSL Configuration Tasks
+----------------------------------
+
+This section is based on the documentation for `Oracle JDK
+<https://www.oracle.com/java/technologies/downloads/#JDK8>`__, so some
+parts may be inapplicable to your JDK or the custom TLS/SSL
+implementation that you use.
+
+Configure Trust Store and Key Store
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You might configure trust stores and key stores specific to the
+client by using ``javax.net.ssl.SSLContext.init(KeyManager[] km,
+TrustManager[] tm, SecureRandom random)``, or you might set the JVM default
+ones.
+
+Set the Default Trust Store
+```````````````````````````
+
+A typical application will need to set several JVM system properties
+to ensure that the client can *validate* the TLS/SSL
+certificate presented by the server:
+
+- ``javax.net.ssl.trustStore``: the path to a trust store containing the
+  certificate of the signing authority
+- ``javax.net.ssl.trustStorePassword``: the password to access this
+  trust store
+
+The trust store is typically created with the ``keytool`` command-line
+program provided as part of the JDK:
+
+.. code-block:: bash
+   
+   keytool -importcert -trustcacerts -file <path to certificate authority file>
+                -keystore <path to trust store> -storepass <trust store password>
+
+Set the Default Key Store
+`````````````````````````
+
+A typical application will also need to set several JVM system
+properties to ensure that the client *presents* a TLS/SSL client
+certificate to the MongoDB server:
+
+- ``javax.net.ssl.keyStore``: the path to a key store containing the
+  clients TLS/SSL certificates
+- ``javax.net.ssl.keyStorePassword``: the password to access this key
+  store
+
+The key store is typically created with the ``keytool`` or the
+``openssl`` command-line program. For example, if you have a file with
+the client certificate and its private key, and you want to create a key
+store in the `PKCS #12 <https://www.rfc-editor.org/rfc/rfc7292>`__
+format, you can run the following command:
+
+.. code-block:: bash
+   
+   openssl pkcs12 -export -in <path to client certificate & private key file>
+                -out <path to key store> -passout pass:<trust store password>
+
+To learn more about configuring a Java application for TLS/SSL,
+refer to the `JSSE Reference Guide
+<https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html>`__.
+
+Forcing TLS v1.2
+~~~~~~~~~~~~~~~~
+
+Some applications might want to force only the TLS 1.2 protocol. To do
+this, set the ``jdk.tls.client.protocols`` system property to ``TLSv1.2``.
+
+Java runtime environments before Java 8 started to enable the TLS
+1.2 protocol only in later updates, as shown in the previous section.
+For the driver to force the use of the TLS 1.2 protocol with a Java
+runtime environment before Java 8, ensure that the update has TLS
+1.2 enabled.
+
+OCSP
+~~~~
+
+.. note::
+
+   The driver cannot enable OCSP by default on an individual
+   ``MongoClient`` basis.
+
+Client-Driven OCSP
+``````````````````
+
+An application will need to set the following JVM system and security properties to
+ensure that client-driven OCSP is enabled:
+
+- ``com.sun.net.ssl.checkRevocation``: when set to ``true``, this system
+  property enables revocation checking
+- ``ocsp.enable``: When set to ``true``, this security property enables
+  client-driven OCSP
+
+To configure an application to use client-driven OCSP, the application
+must already be set up to connect to a server using TLS. Setting these
+system properties is required to enable client-driven OCSP.
+
+.. note::
+
+   The support for TLS provided by the JDK utilizes "hard fail" behavior
+   in the case of an unavailable OCSP responder in contrast to
+   ``mongosh`` and the drivers that utilize "soft fail" behavior.
+
+OCSP Stapling
+`````````````
+
+.. important::
+
+   The following exception may occur when using OCSP stapling with Java
+   runtime environments that use the TLS 1.3 protocol (Java 11 and higher
+   use TLS 1.3 by default):
+
+   .. code-block:: none
+      
+      javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
+
+   The exception is due to a known issue with TLS 1.3 in Java 11 and
+   higher. To avoid this exception when using Java runtime environments
+   that operate on the TLS 1.3 protocol, you can force the application to use the
+   TLS 1.2 protocol. To do this, set the ``jdk.tls.client.protocols``
+   system property to ``TLSv1.2``.
+
+An application will need to set several JVM system properties to set
+up OCSP stapling:
+
+- ``jdk.tls.client.enableStatusRequestExtension``: when set to ``true``
+  (its default value), this enables OCSP stapling.
+- ``com.sun.net.ssl.checkRevocation``: when set to ``true``, this enables
+  revocation checking. If this property is not set to ``true``, then the
+  connection will be allowed to proceed regardless of the presence or
+  status of the revocation information.
+
+To configure an application to use OCSP stapling, the application must
+already be set up to connect to a server using TLS, and the server
+must be set up to staple an OCSP response to the certificate it
+returns as part of the TLS handshake.
+
+To learn more about configuring a Java application to use OCSP,
+refer to `Client-Driven OCSP and OCSP Stapling
+<https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/ocsp.html>`__
+in the Java documentation.