[CSHARP-1806] how do you set sslCAFile for MongoDB.Driver Created: 21/Oct/16 Updated: 05/Apr/19 Resolved: 31/Aug/18 |
|
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Security |
| Affects Version/s: | 2.3 |
| Fix Version/s: | None |
| Type: | Task | Priority: | Major - P3 |
| Reporter: | Tim Gourley | Assignee: | Unassigned |
| Resolution: | Done | Votes: | 0 |
| Labels: | driver, question | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Environment: |
windows 10, MongoDB.Driver running in service fabric app. Using connect string for driver config. |
||
| Description |
|
We have created a self-signed root CA cert, an intermediate CA cert, and a server cert with various subjectaltnames (that map to the hosts in replication). We have configured MongoDB version v3.2.10 like this -
sslPEMKeyFile does include the full chain, I have seen missing intermediate certs being a problem. The good - The bad -
The error from the client looks like this -
If we turn off certificate validation it works. I'm pretty confident it is a client side trust issue but I can't seem to figure out how to configure the client in this case. Is this a gap in functionality, documentation, or do you think running in service fabric is an issue? For the heck of it we tried adding &sslCAFile=cacerts.pem (and copied the file into the distribution at various places) but it had no effect. Any guidance would be appreciated. |
| Comments |
| Comment by Jeffrey Yemin [ 31/Aug/18 ] |
|
Sorry for dropping the ball on this. We haven't heard of any other users running into this, so I'm going to close this, but please comment back if this is still an issue for you. |
| Comment by Craig Wilson [ 02/Nov/16 ] |
|
Ok... this is the first report we've had of this not working. Underneath, we are simply using an SslStream. We'll go ahead and double check on our side and see if we can get it to break. Craig |
| Comment by Tim Gourley [ 02/Nov/16 ] |
|
This is the Windows platform. (Windows 10 if it matters) |
| Comment by Craig Wilson [ 02/Nov/16 ] |
|
Hi Tim, You manage trusted certificates for the .NET driver the same way you would for any .NET application. Windows contains a trusted certificate store. Now, I haven't researched how this would be done on other operating systems. Are you asking about Windows or Linux (or Mac)? Craig |
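Added example, not part of the original ticket or the driver's code: one way to apply the Windows certificate store approach described in the comment above, instead of turning certificate validation off. It assumes `cacerts.pem` (the file name from the report) holds the root and intermediate CA certificates in PEM form, that `server.cer` is a hypothetical file with the server certificate's public part, and that it runs from an elevated prompt.

```powershell
using namespace System.Security.Cryptography.X509Certificates

$bundlePath     = '.\cacerts.pem'   # assumed: root + intermediate CA certificates, PEM encoded
$serverCertPath = '.\server.cer'    # hypothetical: the mongod server certificate, no private key

# X509Certificate2 loads a single certificate from a buffer, so split the bundle first.
$pem     = Get-Content -Raw -Path $bundlePath
$pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
$blocks  = [regex]::Matches($pem, $pattern, 'Singleline')

foreach ($m in $blocks) {
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [X509Certificate2]::new($der)

    # Self-signed (subject equals issuer) goes to Trusted Root Certification Authorities;
    # everything else in the bundle is treated as an intermediate CA.
    $storeName = if ($cert.Subject -eq $cert.Issuer) {
        [StoreName]::Root
    } else {
        [StoreName]::CertificateAuthority
    }

    $store = [X509Store]::new($storeName, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    '{0,-22} {1}  {2}' -f $storeName, $cert.Thumbprint, $cert.Subject
}

# Check the result: X509Chain.Build evaluates the server certificate against the Windows stores.
$server = [X509Certificate2]::new((Resolve-Path $serverCertPath).Path)
$chain  = [X509Chain]::new()
# Assumption: the private CA publishes no CRL/OCSP endpoint. Remove this line to test revocation too.
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck

if ($chain.Build($server)) {
    'Chain OK:'
    $chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
} else {
    $chain.ChainStatus | ForEach-Object {
        'Chain error: {0} {1}' -f $_.Status, $_.StatusInformation.Trim()
    }
}
```

A root placed in `LocalMachine\Root` is trusted by every application on that machine, so the CA's private key needs protection to match. Host name matching against the certificate's subjectAltNames is still done separately by the TLS client and is not covered by the chain check here.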
| Comment by Tim Gourley [ 24/Oct/16 ] |
|
I've completed testing outside a service fabric environment and see the same issue. |