
I am trying to establish a secure connection to MongoDB with certificate validation using the C# driver, but I get this error:

Unable to connect to server localhost:27017: Unable to read data from the transport connection: An established connection was aborted by the software in your host machine.

This is the error on the MongoDB side:

[initandlisten] connection accepted from 127.0.0.1:26163 #2 (1 connection now open)
[conn2] ERROR: no SSL certificate provided by peer; connection rejected
[conn2] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]

When I connect to MongoDB through the mongo shell using the certificate, it works.

using System.Collections.Generic;
using System.Linq;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

var connectionString = "mongodb://localhost";
var clientSettings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
clientSettings.SslSettings = new SslSettings();
clientSettings.UseSsl = true;
clientSettings.SslSettings.ClientCertificates = new List<X509Certificate>()
{
    new X509Certificate("cert.pem")
};
clientSettings.SslSettings.EnabledSslProtocols = SslProtocols.Default;
clientSettings.SslSettings.ClientCertificateSelectionCallback =
    (sender, host, certificates, certificate, issuers) => clientSettings.SslSettings.ClientCertificates.ToList()[0];
clientSettings.SslSettings.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
var client = new MongoClient(clientSettings);

Does anyone know how to make this work?


3 Answers


I realise this is old, but for the benefit of others...

If you are not dealing with certificate revocation lists, you need to turn that setting off, because it is enabled by default.

clientSettings.SslSettings.CheckCertificateRevocation = false;

Next, the X509Certificate2 you supply to the driver must contain the private key. .NET does not seem to pick up the private key from a pem file, so you need to supply the certificate in .pfx format together with its password.

Create the pfx file with openssl:

openssl pkcs12 -export -in mycert.cer -inkey mycert.key -out mycert.pfx

OpenSSL will prompt you for an export password; use it when creating the X509Certificate2 object:

X509Certificate2 cert = new X509Certificate2("mycert.pfx","mypassphrase");
answered 2014-12-09T01:03:44.967
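The following is an added example, not code from the answer above or from the MongoDB driver project, that puts the two points of this answer together: load the .pfx produced by the openssl pkcs12 command (path and export password are assumed to be supplied by the caller), refuse to continue if the loaded certificate carries no private key (the PEM case behind "no SSL certificate provided by peer"), and turn off revocation checking only as an explicit, commented choice. The class and method names are hypothetical; UseTls is the property name in driver 2.8 and later (older releases call it UseSsl). The server certificate is deliberately left to the default validation rather than a callback that returns true.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Added example (hypothetical helper); not part of the answer or the driver.
public static class MutualTlsMongoClient
{
    // pfxPath / pfxPassword: the .pfx created with the openssl pkcs12 command in the
    // answer and its export password (assumed to come from a secret store, not source).
    public static MongoClient Create(string connectionString, string pfxPath, string pfxPassword)
    {
        var clientCert = new X509Certificate2(pfxPath, pfxPassword);

        // mongod rejects the handshake with "no SSL certificate provided by peer" when
        // the certificate presented has no private key (what you get from a bare PEM).
        // Fail early with a readable message instead of a closed socket.
        if (!clientCert.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Certificate '{clientCert.Subject}' from {pfxPath} has no private key; " +
                "export it as PKCS#12 with the key included.");
        }

        var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            // The driver presents this certificate during the TLS handshake.
            ClientCertificates = new List<X509Certificate> { clientCert },
            EnabledSslProtocols = SslProtocols.Tls12,
            // Default is true. Set it to false only when no CRL/OCSP endpoint is
            // reachable from this client; otherwise every handshake fails while
            // trying to fetch revocation data.
            CheckCertificateRevocation = false
        };

        // No ServerCertificateValidationCallback: the server certificate is checked
        // against the machine trust store. If the server uses a private CA, supply a
        // callback that validates the chain against that CA, not one that returns true.
        return new MongoClient(settings);
    }
}
```

Usage is `MutualTlsMongoClient.Create("mongodb://localhost:27017", "mycert.pfx", passphrase)`. Keeping the default server validation in place means a man-in-the-middle presenting any certificate is still rejected, which the `=> true` callback in the question would silently accept.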

// struggled a lot to figure out this

using MongoDB.Bson;
using MongoDB.Driver;

namespace Mongo_AWS
{
    internal class Program
    {
        private static void Main(string[] args)
        {
            // Mention cert file in connection string itself or put at your executable location
            string connectionString = @"mongodb://user:pwd@localhost:9999/?ssl=true&ssl_ca_certs=C:\Users\sivaram\Downloads\my.pem";

            MongoClientSettings settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));

            // Disable certificate verification, if it is not issued for you
            settings.VerifySslCertificate = false;
            MongoClient client = new MongoClient(settings);
            IMongoDatabase database = client.GetDatabase("test");
            IMongoCollection<BsonDocument> collection = database.GetCollection<BsonDocument>("numbers");
            System.Collections.Generic.List<BsonDocument> temp = collection.Find(new BsonDocument()).ToList();
            BsonDocument docToInsert = new BsonDocument { { "sivaram-Pi", 3.14159 } };
            collection.InsertOne(docToInsert);
        }
    }
}

answered 2019-06-03T22:47:49.970

Added this to the connection string: ,ssl_ca_certs = @"/path/my.pem"

settings.VerifySslCertificate = false;

Use the line above if you are testing locally / you have the root certificate but it was not issued for your machine; it was probably issued for your production host.

Put the root certificate at an absolute path and reference that path directly in the connection string. The Mongo driver will take care of reading the private key and everything else. No need to put it in the certificate store or anywhere else.

answered 2019-06-05T05:38:47.487
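The last two answers reach the server with `VerifySslCertificate = false`, which accepts any certificate the server (or anything in between) presents. As an added example, not from either answer or from the driver project, the helper below keeps validation on and instead treats the root CA file those answers refer to as the only trusted root for the chain, while still rejecting a hostname mismatch or a missing certificate. Class and method names are hypothetical, the CA path is assumed, and the custom-root chain API (X509ChainTrustMode.CustomRootTrust) is available on .NET Core and .NET 5 or later, not on .NET Framework.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

// Added example (hypothetical helper); not part of the answers or the driver.
// Needs .NET Core / .NET 5+ for X509ChainTrustMode.CustomRootTrust.
public static class PrivateCaMongoClient
{
    // caPemPath: the root CA certificate the answers reference (assumed path).
    public static MongoClientSettings Create(string connectionString, string caPemPath)
    {
        // A PEM without a private key is enough here: only the CA's public
        // certificate is needed to anchor the server's chain.
        var caCert = new X509Certificate2(caPemPath);

        var settings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            ServerCertificateValidationCallback = (sender, cert, chain, errors) =>
                IsIssuedByTrustedCa(cert, errors, caCert)
        };
        return settings;
    }

    // Accept the server certificate only when the hostname matches and the chain ends
    // at our private CA. No certificate, a name mismatch, or a chain to an unknown
    // root is rejected, which is what "VerifySslCertificate = false" gives up.
    public static bool IsIssuedByTrustedCa(X509Certificate cert, SslPolicyErrors errors, X509Certificate2 caCert)
    {
        if (cert == null) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNotAvailable) != 0) return false;
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0) return false;
        if (errors == SslPolicyErrors.None) return true; // already trusted by the OS store

        // Only RemoteCertificateChainErrors remain: rebuild the chain with the
        // private CA as the sole trusted root.
        using (var customChain = new X509Chain())
        {
            customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
            customChain.ChainPolicy.CustomTrustStore.Add(caCert);
            // Mirrors the CRL situation described in the first answer; switch to
            // Online once a revocation endpoint is reachable.
            customChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            return customChain.Build(new X509Certificate2(cert));
        }
    }
}
```

Usage is `new MongoClient(PrivateCaMongoClient.Create("mongodb://user:pwd@localhost:9999", "/path/my.pem"))`. The difference from the answers above is that a certificate issued for a different host (the "not issued for your machine" case) now fails on the name check rather than being accepted, and only certificates chaining to your own CA pass.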