我正在尝试使用证书验证通过C#驱动程序建立与MongoDB的安全连接,但出现此错误:
无法连接到服务器localhost:27017:无法从传输连接中读取数据:建立的连接已被主机中的软件中止。
这是来自MongoDB的错误:
[initandlisten] connection accepted from 127.0.0.1:26163 #2 (1 connection now open)
[conn2] ERROR: no SSL certificate provided by peer; connection rejected
[conn2] SocketException handling request, closing client connection: 9001 socket exception [CONNECT_ERROR]
当我使用证书通过mongo shell连接到MongoDB时,它将起作用。
var connectionString = "mongodb://localhost";
var clientSettings = MongoClientSettings.FromUrl(new MongoUrl(connectionString));
clientSettings.SslSettings = new SslSettings();
clientSettings.UseSsl = true;
clientSettings.SslSettings.ClientCertificates = new List<X509Certificate>()
{
new X509Certificate("cert.pem")
};
clientSettings.SslSettings.EnabledSslProtocols = SslProtocols.Default;
clientSettings.SslSettings.ClientCertificateSelectionCallback =
(sender, host, certificates, certificate, issuers) => clientSettings.SslSettings.ClientCertificates.ToList()[0];
clientSettings.SslSettings.ServerCertificateValidationCallback = (sender, certificate, chain, errors) => true;
var client = new MongoClient(clientSettings);
有谁知道如何使它工作?
意识到这已经过时了,但是为了其他人的利益...
如果您不处理证书吊销列表,则由于默认情况下已启用该设置,因此需要将其关闭。
clientSettings.SslSettings.CheckCertificateRevocation = false;
接下来,您提供给驱动程序的X509Certificate2必须包含私钥。.NET似乎没有在pem文件中拾取私钥,因此您需要提供.pfx格式的证书并包括密码。
要在openssl中创建pfx文件:
openssl pkcs12 -export -in mycert.cer -inkey mycert.key -out mycert.pfx
OpenSSL将提示您输入导出密码,在创建X509Certificate2对象时使用该密码:
X509Certificate2 cert = new X509Certificate2("mycert.pfx","mypassphrase");
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句