[CSHARP-3209] MongoUrlBuilder not Preserving ssl_ca_certs Created: 14/Sep/20 Updated: 27/Oct/23 Resolved: 21/Sep/20 |
|
| Status: | Closed |
| Project: | C# Driver |
| Component/s: | Builders |
| Affects Version/s: | 2.11.2 |
| Fix Version/s: | None |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Eric Zwiebel | Assignee: | Dmitry Lukyanov (Inactive) |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
The MongoUrlBuilder is not preserving the ssl_ca_certs property. The following unit test fails.
|
| Comments |
| Comment by Eric Zwiebel [ 20/Oct/20 ] | |||||||
|
Yes, we are using the C# driver via a NuGet package reference.
| |||||||
| Comment by Dmitry Lukyanov (Inactive) [ 17/Oct/20 ] | |||||||
|
Hello eric.zwiebel@gmail.com, you can find the list of options that are supported by the driver here: https://github.com/mongodb/mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Configuration/ConnectionString.cs#L902. All options that are not in this switch will be ignored and won't affect the driver configuration at all. I made a quick search and found that the only driver that supports ssl_ca_certs is pymongo: https://pymongo.readthedocs.io/en/stable/api/pymongo/mongo_client.html#pymongo.mongo_client.MongoClient (it's deprecated, but supported). The C# driver doesn't support this option.
Can you confirm that you mean the system that uses the C# driver?
It's true, there are a number of SSL/TLS options that can be configured via the connection string, but not ssl_ca_certs. Also, this option is not mentioned in the mentioned doc. Let me know if you have any questions.
| |||||||
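The behaviour described in the comment above (options outside the supported list are dropped during parsing), applied to the kind of string discussed in this thread, as an added example that is not part of the original issue or the driver's code. It is a standalone Python check; the allowlist, the function name `audit_connection_string` and the host `db.example.test` are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: a small illustrative allowlist of option names from the MongoDB
# connection string specification. It is NOT the C# driver's own switch;
# substitute the list for the driver version you deploy.
KNOWN_OPTIONS = {
    "ssl", "tls", "tlsinsecure", "tlsallowinvalidcertificates",
    "tlsallowinvalidhostnames", "authsource", "replicaset",
}
# Options that switch off server certificate or hostname checks when "true".
VALIDATION_OFF = {
    "tlsinsecure", "tlsallowinvalidcertificates", "tlsallowinvalidhostnames",
}

# Constructed sample: the query from the thread plus tlsInsecure=true,
# with a placeholder host.
SAMPLE = ("mongodb://db.example.test:27017/"
          "?ssl=true&ssl_ca_certs=/certs/cert.pem&tlsInsecure=true")


def audit_connection_string(uri):
    """Report options a parser would drop and whether validation is off."""
    parts = urlsplit(uri)
    if parts.scheme not in ("mongodb", "mongodb+srv"):
        raise ValueError("not a MongoDB connection string: %r" % parts.scheme)
    ignored, recognised = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()  # option names are case-insensitive
        if key in KNOWN_OPTIONS:
            recognised[key] = value.strip().lower()
        else:
            ignored.append(name)  # dropped silently, no effect on TLS
    disabled = sorted(k for k in VALIDATION_OFF if recognised.get(k) == "true")
    tls_on = "true" in (recognised.get("tls"), recognised.get("ssl"))
    return {
        "tls_enabled": tls_on,
        "ignored": ignored,
        "validation_disabled": disabled,
        # TLS on, checks off: the channel is encrypted but the server is
        # not authenticated, whatever CA path the string appears to name.
        "unauthenticated_tls": tls_on and bool(disabled),
    }


if __name__ == "__main__":
    for field, value in audit_connection_string(SAMPLE).items():
        print(f"{field}: {value}")
```

Run against deployment configuration, a non-empty `ignored` list together with `unauthenticated_tls` marks a string where a CA path is present but plays no part in the connection.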
| Comment by Eric Zwiebel [ 16/Oct/20 ] | |||||||
|
tlsInsecure=true only disables certificate validations and is set because the sample is using self-signed certs. In fact, if you omit this you get an exception because the remote certificate fails validation. We have databases in QA and production, using TLS with which the following pseudocode works. The code is reading and writing documents to the database and without these settings the code cannot connect.
If you don't want to fix the builder that's fine, we will just continue to use this hacky code as is. Maybe we will just roll our own URL builder since this isn't going to be fixed, time will tell. But the connection string does support specifying SSL and TLS information per this documentation and the sample provided along with our production system, which is doing the same thing, proves that the driver supports it.
| |||||||
| Comment by Dmitry Lukyanov (Inactive) [ 13/Oct/20 ] | |||||||
|
Check this connection string:
As I said before, all unsupported options are ignored by the driver. | |||||||
| Comment by Eric Zwiebel [ 13/Oct/20 ] | |||||||
|
I went ahead and created this sample which shows a C# client connecting to a MongoDB using the properties listed above. The driver seems to support specifying these properties in the connection string. | |||||||
| Comment by Dmitry Lukyanov (Inactive) [ 09/Oct/20 ] | |||||||
|
Hello eric.zwiebel@gmail.com, this connection string is invalid, ssl_ca_certs will be ignored when parsing the connection string. | |||||||
| Comment by Eric Zwiebel [ 09/Oct/20 ] | |||||||
|
The problem is that the connection string that contains ssl=true&ssl_ca_certs=/certs/cert.pem is a valid connection string, and it works when connecting to a Mongo instance without specifying the certificate via code. So while you say that the driver doesn't support it I'm not sure that's entirely true. It seems the driver itself supports it but the URL builder does not. | |||||||
| Comment by Dmitry Lukyanov (Inactive) [ 21/Sep/20 ] | |||||||
|
Hello eric.zwiebel@gmail.com, MongoUrl doesn't have ssl_ca_certs option, because the driver doesn't support it. So, when you call ToMongoUrl, the driver will only preserve supported options and discard everything else.
| |||||||
| Comment by Jeffrey Yemin [ 14/Sep/20 ] | |||||||
|
Thanks for reporting this issue. We will have a look at our next triage session. |