使用Npgsql和SSL证书身份验证时SSL错误
本文关键字:SSL 错误 身份验证 证书 使用 Npgsql | 更新日期: 2023-09-27 18:18:27
我在建立到PostgreSQL数据库的连接时遇到了问题,该数据库被配置为只接受有效的SSL证书。我可以使用pgAdmin III与适当的证书和密钥连接,但我不能让它与Npgsql一起工作。当我尝试打开到数据库的连接时,我得到System.IO.IOException: The authentication or decryption has failed。下面是我的代码:
NpgsqlConnectionStringBuilder csb = new NpgsqlConnectionStringBuilder();
csb.Database = "database";
csb.Host = "psql-server";
csb.UserName = "dreamlax"; // must match Common Name of client certificate
csb.SSL = true;
csb.SslMode = SslMode.Require;
NpgsqlConnection conn = new NpgsqlConnection(csb.ConnectionString);
conn.ProvideClientCertificatesCallback += new ProvideClientCertificatesCallback(Database_ProvideClientCertificatesCallback);
conn.CertificateSelectionCallback += new CertificateSelectionCallback(Database_CertificateSelectionCallback);
conn.CertificateValidationCallback += new CertificateValidationCallback(Database_CertificateValidationCallback);
conn.PrivateKeySelectionCallback += new PrivateKeySelectionCallback(Database_PrivateKeySelectionCallback);
conn.Open(); //System.IO.IOException: The authentication or decryption has failed
回调函数定义如下:
static void Database_ProvideClientCertificates(X509CertificateCollection clienteCertis)
{
X509Certificate2 cert = new X509Certificate2("mycert.pfx", "passphrase");
clienteCertis.Add(cert);
}
static X509Certificate Database_CertificateSelectionCallback(X509CertificateCollection clientCerts, X509Certificate serverCert, string host, X509CertificateCollection serverRequestedCerts)
{
return clienteCertis[0];
}
static AsymmetricAlgorithm Database_PrivateKeySelectionCallback(X509Certificate cert, string host)
{
X509Cerficate2 thisCert = cert as X509Certificate2;
if (cert != null)
return cert.PrivateKey;
else
return null;
}
static bool MyCertificateValidationCallback(X509Certificate certificate, int[] certificateErrors)
{
// forego server validation for now
return true;
}
我设置了断点,确认每个回调返回有效的东西,但仍然抛出IOException。
我通过修改Npgsql源代码修复了这个问题。而不是使用Mono的Mono.Security.Protocol.Tls.SslClientStream,我改为使用System.Net.Security.SslStream代替。以下是我采取的步骤:
-
修改
NpgsqlClosedState.cs:- 删除
using Mono.Security.Protocol.Tls;指令及其下面的指令。 - 添加
using System.Net.Security;指令 -
在
NpgsqlClosedState.Open()方法中,它表示if (response == 'S'),将其更改为:if (response == 'S') { //create empty collection X509CertificateCollection clientCertificates = new X509CertificateCollection(); //trigger the callback to fetch some certificates context.DefaultProvideClientCertificatesCallback(clientCertificates); // Create SslStream, wrapping around NpgsqlStream SslStream sstream = new SslStream(stream, true, delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors) { // Create callback to validate server cert here return true; }); sstream.AuthenticateAsClient(context.Host, clientCertificates, System.Security.Authentication.SslProtocols.Default, false); stream = sstream; }
- 删除
-
修改
NpgsqlConnection.cs,删除using Mono...指令。这将导致许多关于缺失类型的错误,特别是,这些将涉及使用Mono类型的3组委托/事件组合。错误总是以三个为一组出现,因为这些回调都与Mono的SslClientStream类相关。删除每组三个,并将其替换为单个ValidateServerCertificate委托/事件。这个事件应该在上面步骤1.3中使用的SslStream类的构造函数中使用。 -
对
NpgsqlConnection.cs的更改将在其他文件NpgsqlConnector.cs,NpgsqlConnectorPool.cs等中触发更多错误,但修复是相同的,用新的ValidateServerCertificate替换3个基于mono的回调。
一旦所有这些都完成了,Npgsql可以在没有Mono组件的情况下使用,并且(对我来说)可以使用SSL证书认证。
我在github上的pull request可以在这里找到