[英]MongoDB C# SSL Client Certificate
我正在尝试使用证书验证与C#驱动程序建立与MongoDB的安全连接,但我收到此错误:
无法连接到服务器localhost:27017:无法从传输连接读取数据:已建立的连接已被主机中的软件中止。
下面是MongoDB的错误:
[initandlisten] connection accepted from 127.0.0.1:26163 #2 (1 connection now open)
[conn2] ERROR: no SSL certificate provided by peer; connection rejected
[conn2] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
当我通过mongo shell连接MongoDB并使用证书时它可以工作。
var connectionString = "mongodb://localhost";
var clientSettings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
clientSettings.SslSettings = new SslSettings();
clientSettings.UseSsl = true;
clientSettings.SslSettings.ClientCertificates = new List<X509Certificate>()
{
new X509Certificate("cert.pem")
};
clientSettings.SslSettings.EnabledSslProtocols = SslProtocols.Default;
clientSettings.SslSettings.ClientCertificateSelectionCallback =
(sender, host, certificates, certificate, issuers) => clientSettings.SslSettings.ClientCertificates.ToList()[0];
clientSettings.SslSettings.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
var client = new MongoClient(clientSettings);
有谁知道如何使这个工作?
意识到这已经过时但是为了别人的利益......
如果您未处理证书吊销列表,则需要关闭该设置,因为默认情况下已启用该设置。
clientSettings.SslSettings.CheckCertificateRevocation = false;
接下来,您提供给驱动程序的X509Certificate2必须包含私钥。 .NET似乎没有在pem文件中获取私钥,因此您需要提供.pfx格式的证书并包含密码。
要在openssl中创建一个pfx文件:
openssl pkcs12 -export -in mycert.cer -inkey mycert.key -out mycert.pfx
OpenSSL将提示您输出密码,在创建X509Certificate2对象时使用它:
X509Certificate2 cert = new X509Certificate2("mycert.pfx","mypassphrase");
//struggled a lot to figure out this using MongoDB.Bson; using MongoDB.Driver; namespace Mongo_AWS { internal class Program { private static void Main(string[] args) { //Mention cert file in connection string itself or put at your executable location string connectionString = @"mongodb://user:pwd@localhost:9999/?ssl=true&ssl_ca_certs=C:\\Users\\sivaram\\Downloads\\my.pem"; MongoClientSettings settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString)); //Disable certificate verification, if it is not issued for you settings.VerifySslCertificate = false; MongoClient client = new MongoClient(settings); IMongoDatabase database = client.GetDatabase("test"); IMongoCollection<BsonDocument> collection = database.GetCollection<BsonDocument>("numbers"); System.Collections.Generic.List<BsonDocument> temp = collection.Find(new BsonDocument()).ToList(); BsonDocument docToInsert = new BsonDocument { { "sivaram-Pi", 3.14159 } }; collection.InsertOne(docToInsert); } } }
,ssl_ca_certs = @“/ path / my.pem”,在连接字符串中添加了这个。
settings.VerifySslCertificate = false;
如果您从本地测试它/你有根证书但没有发给你的机器,可以使用上面的行,可能会发给你的生产主机。
将根证书放在绝对路径中,并直接在连接字符串中引用该路径。 Mongo司机将负责阅读私钥和所有。 无需将其放在证书库或某处。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.