How do you configure C# driver for client certificate auth?


Mark Nickeson

Feb 9, 2016, 3:54:31 PM
to DataStax C# Driver for Apache Cassandra User Mailing List
I have a working setup of client certificate auth using a 2.1.9 test server that I've configured with require_client_auth: true, truststore, etc., as well as setting up cqlshrc. I am able to connect successfully using "cqlsh --ssl".

However, I have had no success connecting using the C# driver (3.0.1) and SSLOptions. The documentation is sparse, and parallel documentation on other platforms is truststore/keystore based, which does not apply to the C# driver on Windows.

Below I added the shortest code example I could. When I execute this code it generates a NoHostAvailableException in which the Errors collection contains "System.IO.IOException: Authentication failed because the remote party has closed the transport stream."

Are there any steps or configuration I am missing or misunderstanding? I would sincerely appreciate your help!

Thank you,
Mark

using System;
using System.Diagnostics;
using System.Security.Cryptography.X509Certificates;

// certBytes: byte[] holding the client certificate, loaded elsewhere
// prep cert (same cert as referenced within cqlshrc [ssl] userkey =
X509Certificate[] certs = new X509Certificate[]
{
    new X509Certificate(certBytes, "password")
};

// prep SSLOptions
var options = new Cassandra.SSLOptions();
// assign certs
options.SetCertificateCollection(new X509CertificateCollection(certs));
// skip validation of remote cert (SSL)
options.SetRemoteCertValidationCallback((a1, a2, a3, a4) => true);
// custom host resolver to resolve server ip to certificate CN
options.SetHostNameResolver((internalIPAddress) =>
{
    return "test_client";
});

var cluster = Cassandra.Cluster.Builder()
    .AddContactPoint("192.168.1.26")
    .WithSSL(options)
    .Build();

try
{
    var session = cluster.Connect();
    Debug.WriteLine(session.BinaryProtocolVersion);
}
catch (Exception ex)
{
    Debug.WriteLine(ex.ToString());
}

Jorge Bay Gondra

Feb 10, 2016, 4:57:01 AM
to csharp-dr...@lists.datastax.com
Hi,
Your code sample is correct; we are using .NET SslStream.AuthenticateAsClient() for server and optional client authentication.
You should try to load an X509Certificate2 (i.e., using the Import method) and check that the issuer name, public key and other properties are loaded as expected.
You can get more detailed information about the actual error at the server level, in the Cassandra log file.

Jorge


Mark Nickeson

Feb 11, 2016, 11:20:05 AM
to DataStax C# Driver for Apache Cassandra User Mailing List
The solution was simple: use the X509Certificate2 class instead of X509Certificate. OMG this is why I hate programming some days.

Thank you for your help Jorge!
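
The fix reported above, combined with the certificate checks suggested in the earlier reply, as an added example that is not code from the thread or from the driver project. Assumptions: the client certificate and its private key are in a PKCS#12 file named client.pfx with the password "password", and the server certificate carries the name cassandra.example.test (all placeholders). Unlike the snippet in the question, it accepts the server certificate only when validation succeeds.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Cassandra;

static class ClientCertExample
{
    // Load the client certificate as X509Certificate2 and confirm it is usable
    // for TLS client authentication before handing it to the driver.
    static X509Certificate2 LoadClientCertificate(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        Console.WriteLine("Subject:    " + cert.Subject);
        Console.WriteLine("Issuer:     " + cert.Issuer);
        Console.WriteLine("Thumbprint: " + cert.Thumbprint);
        Console.WriteLine("Key alg.:   " + cert.PublicKey.Oid.FriendlyName);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("No private key: cannot be used for client auth.");
        var now = DateTime.Now;
        if (now < cert.NotBefore || now > cert.NotAfter)
            throw new InvalidOperationException("Client certificate is outside its validity period.");
        return cert;
    }

    static void Main()
    {
        // Assumed file name and password (placeholders).
        var cert = LoadClientCertificate("client.pfx", "password");

        var options = new SSLOptions();
        options.SetCertificateCollection(
            new X509CertificateCollection(new X509Certificate[] { cert }));
        // Name expected in the server certificate (assumed placeholder).
        options.SetHostNameResolver(ip => "cassandra.example.test");
        // Accept the server only when chain and name validation both succeed.
        options.SetRemoteCertValidationCallback(
            (sender, serverCert, chain, errors) => errors == SslPolicyErrors.None);

        var cluster = Cluster.Builder()
            .AddContactPoint("192.168.1.26")
            .WithSSL(options)
            .Build();
        var session = cluster.Connect();
        Console.WriteLine("Connected, protocol version " + session.BinaryProtocolVersion);
    }
}
```

If the load step throws or prints an unexpected issuer, the problem is in the certificate file rather than in the driver configuration; the Cassandra server log shows the server-side reason for a rejected handshake.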


Mathew K

Jul 11, 2017, 5:12:15 PM
to DataStax C# Driver for Apache Cassandra User Mailing List
Hi Mark,

Running into the same issue with the DataStax C# driver. Would it be possible to share your code, please? I've tried the X509Certificate2 class and keep getting the same timeouts.

Thanks
Mathew