[CSHARP-3209] MongoUrlBuilder not Preserving ssl_ca_certs Created: 14/Sep/20  Updated: 27/Oct/23  Resolved: 21/Sep/20

Status: Closed
Project: C# Driver
Component/s: Builders
Affects Version/s: 2.11.2
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Eric Zwiebel Assignee: Dmitry Lukyanov (Inactive)
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

The MongoUrlBuilder is not preserving the ssl_ca_certs property. The following unit test fails.

 

[Test]
 public void MongoUrlBuilderDoesNotLooseCACerts()
 {
    var url = "mongodb://username:password@localhost:26018/?replicaSet=bla&ssl=true&ssl_ca_certs=/certs/cert.pem&connectTimeoutMS=5000000";
    var builder = new MongoUrlBuilder(url);
    var newUrl = builder.ToMongoUrl().ToString();
    Assert.IsTrue(newUrl.Contains("ssl_ca_certs"));
 }

 



 Comments   
Comment by Eric Zwiebel [ 20/Oct/20 ]

Yes, we are using the C# driver via a NuGet package reference

<PackageReference Include="MongoDB.Driver" Version="2.11.2" />

 

Comment by Dmitry Lukyanov (Inactive) [ 17/Oct/20 ]

Hello eric.zwiebel@gmail.com ,

you can find the list of options that are supported by the driver here: https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Configuration/ConnectionString.cs#L902.  All options that are not in this switch will be ignored and won't affect the driver configuration at all.

I made a quick search and found that the only driver that supports ssl_ca_certs is pymongo: https://pymongo.readthedocs.io/en/stable/api/pymongo/mongo_client.html#pymongo.mongo_client.MongoClient (it's deprecated, but supported). The C# driver doesn't support this option.

> with our production system, which is doing the same thing, proves that the driver supports it.

Can you confirm that you mean the system that uses the C# driver?

> But the connection string does support specifying SSL and TLS information per this documentation

It's true, there are a number of ssl/tls options that can be configured via the connection string, but not ssl_ca_certs. Also, this option is not mentioned in the mentioned doc.

Let me know if you have any questions.

 

Comment by Eric Zwiebel [ 16/Oct/20 ]

tlsInsecure=true only disables certificate validations and is set because the sample is using self-signed certs. In fact, if you omit this you get an exception because the remote certificate fails validation.

We have databases in qa and production, using TLS with which the following pseudo code works.  The code is reading and writing documents to the database and without these settings the code cannot connect.

 

 var url = "load from config";
 var builder = new MongoUrlBuilder(url);
 builder.Username = "load from secrets";
 builder.Password = "load from secrets";
 var newUrl = builder.ToMongoUrl().ToString() + "&ssl=true&ssl_ca_certs=/certs/cert.pem";
 
 var client = new MongoClient(newUrl);

 

If you don't want to fix the builder that's fine, we will just continue to use this hacky code as is. Maybe we will just roll our own URL builder since this isn't going to be fixed, time will tell.  

But the connection string does support specifying SSL and TLS information per this documentation and the sample provided along with our production system, which is doing the same thing, proves that the driver supports it.

  

Comment by Dmitry Lukyanov (Inactive) [ 13/Oct/20 ]

Check this connection string:

mongodb://localhost?tls=true&tlsInsecure=true

As I said before, all unsupported options are ignored by the driver.

Comment by Eric Zwiebel [ 13/Oct/20 ]

I went ahead and created this sample which shows a C# client connecting to a MongoDb using the properties listed above.  The driver seems to support specifying these properties in the connection string.

Comment by Dmitry Lukyanov (Inactive) [ 09/Oct/20 ]

Hello eric.zwiebel@gmail.com, this connection string is invalid; ssl_ca_certs will be ignored when the connection string is parsed.

Comment by Eric Zwiebel [ 09/Oct/20 ]

The problem is that the connection string that contains ssl=true&ssl_ca_certs=/certs/cert.pem is a valid connection string, and it works when connecting to a Mongo instance without specifying the certificate via code. 

So while you say that the driver doesn't support it I'm not sure that's entirely true.  It seems the driver itself supports it but the URL builder does not.

Comment by Dmitry Lukyanov (Inactive) [ 21/Sep/20 ]

Hello eric.zwiebel@gmail.com , MongoUrl doesn't have ssl_ca_certs option, because the driver doesn't support it. So, when you call ToMongoUrl, the driver will only preserve supported options and discard everything else.
To specify a certificate, you should configure it in code via:

MongoClientSettings.SslSettings.ClientCertificates
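
Added example (not from the ticket and not the driver's own code): the thread establishes that the C# driver silently ignores ssl_ca_certs, so an application that wants the server certificate checked against that CA file has to read the path itself and enforce it through MongoClientSettings.SslSettings. The class and method names are hypothetical; the code assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust), MongoDB.Driver 2.11.x, and a PEM-encoded CA certificate at the path carried in the connection string.

```csharp
using System;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using MongoDB.Driver;

static class CaPinnedMongo   // hypothetical helper, not part of the driver
{
    // The driver ignores ssl_ca_certs, so the application reads it from the query string itself.
    public static string ExtractCaPath(string url)
    {
        var q = url.IndexOf('?');
        if (q < 0) return null;
        return url.Substring(q + 1).Split('&', ';')
            .Select(p => p.Split(new[] { '=' }, 2))
            .Where(kv => kv.Length == 2 && kv[0].Equals("ssl_ca_certs", StringComparison.OrdinalIgnoreCase))
            .Select(kv => Uri.UnescapeDataString(kv[1]))
            .FirstOrDefault();
    }

    // Accept the server only if the host name matched and its chain ends at the given CA.
    public static bool ChainsToCa(X509Certificate2 ca, X509Certificate cert, SslPolicyErrors errors)
    {
        const SslPolicyErrors fatal = SslPolicyErrors.RemoteCertificateNameMismatch
                                    | SslPolicyErrors.RemoteCertificateNotAvailable;
        if (cert == null || (errors & fatal) != 0) return false;
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: private CA without CRL/OCSP
        return chain.Build(new X509Certificate2(cert));
    }

    public static MongoClient Create(string url)
    {
        var caPath = ExtractCaPath(url) ?? throw new ArgumentException("ssl_ca_certs missing");
        var ca = new X509Certificate2(caPath);
        var settings = MongoClientSettings.FromConnectionString(url);
        // Fail closed: tlsInsecure=true would turn certificate validation off entirely.
        if (settings.AllowInsecureTls)
            throw new InvalidOperationException("tlsInsecure=true disables certificate validation");
        settings.UseTls = true;
        settings.SslSettings = new SslSettings
        {
            ServerCertificateValidationCallback = (_, cert, __, errors) => ChainsToCa(ca, cert, errors)
        };
        return new MongoClient(settings);
    }
}
```
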

Comment by Jeffrey Yemin [ 14/Sep/20 ]

eric.zwiebel@gmail.com

Thanks for reporting this issue. We will have a look at our next triage session.
