logo标签列表

使用x509证书认证从c#无法连接到MongoDB服务器

mongodbsslmongodb-.net-driverx509certificate2
3
我已按照https://docs.mongodb.com/manual/core/security-x.509/文档配置了MongoDB服务器,并使用mongo shell进行连接,一切正常。
接下来,我尝试使用C#驱动程序连接相同的服务器,但出现了超时异常。以下是我的代码:
var cert = new X509Certificate2(@"C:\Program Files\MongoDB\Server\3.2\ssl\client.pfx", "secretkey");
            var sslcrd = MongoCredential.CreateMongoX509Credential("CN=Client1,O=School,ST=Some-State,C=IN");
            settings.SslSettings = new SslSettings() ; 
            settings.UseSsl = true;
            settings.SslSettings.ClientCertificates = new List<X509Certificate>()
    {
        cert
    };
            settings.SslSettings.EnabledSslProtocols = SslProtocols.Default;
            settings.SslSettings.ClientCertificateSelectionCallback =
                (sender, host, certificates, certificate, issuers) => settings.SslSettings.ClientCertificates.ToList()[0];
            settings.SslSettings.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
            settings.SslSettings.CheckCertificateRevocation = false;
            settings.VerifySslCertificate = false;
            settings.Credentials = new[] { sslcrd };

            MongoClient client = new MongoClient(settings);
            var db = client.ListDatabases().ToList();

我查看了MongoDB服务器日志,发现以下错误:

2017-04-10T11:18:21.559+0530 I NETWORK [initandlisten] connection accepted from 127.0.0.1:53901 #64 (1 connection now open) 2017-04-10T11:18:21.559+0530 E NETWORK [conn64] no SSL certificate provided by peer; connection rejected 2017-04-10T11:18:21.560+0530 I NETWORK [conn64] end connection 127.0.0.1:53901 (0 connections now open)

我使用的是c# MongoDB.Driver版本2.3.0和MongoDB包版本3.2。
如果您有以上问题的解决方案,请回复。
2个回答
0
尽管这个帖子有点老,但我今天遇到了完全相同的问题,并在MongoDB.com网站上找到了解决方案(设置连接安全代码示例),因此在这里分享解决方案以供将来搜索使用。
基本上,设置应该从连接字符串创建,并按照以下步骤进行:
using MongoDB.Bson;
using MongoDB.Driver;
using System;
using System.IO;
using System.Threading.Tasks;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
class Program
{
    static void Main(string[] args)
    {
        MainAsync().Wait();
    }
    static async Task MainAsync()
    {
        var connectionString = "mongodb+srv://<your-server.mongodb.net>/?authSource=%24external&authMechanism=MONGODB-X509&retryWrites=true&w=majority";
        var settings = MongoClientSettings.FromConnectionString(connectionString);
        settings.ServerApi = new ServerApi(ServerApiVersion.V1);
        // You will need to convert your Atlas-provided PEM containing the cert/private keys into a PFX
        // use openssl and the following line to create a PFX from your PEM:
        // openssl pkcs12 -export -in <x509>.pem -inkey <x509>.pem -out <x509>.pfx
        // and provide a password, which should match the second argument you pass to X509Certificate2
        var cert = new X509Certificate2("<path_to_pfx>", "<pfx_passphrase>");
        settings.SslSettings = new SslSettings
        {
            ClientCertificates = new List<X509Certificate>(){ cert }
        };
        var client = new MongoClient(settings);
        var database = client.GetDatabase("testDB");
        var collection = database.GetCollection<BsonDocument>("testCol");
        var docCount = collection.CountDocuments("{}");
        Console.WriteLine(docCount);
    }
}
-1

allowConnectionsWithoutCertificates的值设置为false。此外,您需要将证书和密钥文件合并。

嗨Mahdi,我在Mongo服务器中设置了上述属性,但我遇到了错误:“2017-04-10T16:09:33.171+0530 I ACCESS [conn49] Failed to authenticate CN=Client1,O=School,ST=Some-State,C=IN@$external with mechanism MONGODB-X509: AuthenticationFailed: There is no x.509 client certificate matching the user.” - Madhan Kumar
在mongo shell中启动时,我们也应该指定CA pem文件,但是在C#中我没有指定CA pem文件(我没有找到任何API来指定它),是否有任何API可以指定CA文件? - Madhan Kumar
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接