scano_183208 asked Erick Ramirez edited

How do I configure the C# driver to use the correct client certificate?

When I attempt to connect to the Cassandra node with SSL via the C# driver I get a remote mismatch error. I noticed that the cluster always sends a specific cert. I went into the keystore and deleted the cert, then added a new one. However, the server still seems to be sending the old cert even though I removed it.

When I try to build the cluster, how can I ensure that the server sends the client the correct cert?


1 Answer

Erick Ramirez answered joao.reis commented

@scano_183208 It sounds like you have a configuration issue and you might not have deployed the certificates correctly. Depending on what the exact error message is, you might have an issue with (a) server auth or (b) client auth.

You might need to rebuild your certificate store with the correct certificate using certmgr.msc. Or you might need to reload it if you're loading the certificate in your code. For details, see the TLS/SSL document for the C# driver.

You might also be interested in examples for configuring one-way or two-way SSL in the C# driver on GitHub. Cheers!


scano_183208 commented ·

Hi Erick,

Thank you again for your assistance!

I tried using the example code you provided before. This is how I know I keep getting a RemoteCertificateNameMismatch, which I believe is due to my addContactPoint() method. I'm connecting with the IP address but the certificate's CN is node1. I added a subjectAltName when I signed the node.csr with the rootCA and private key of DNS:node1, IP: x.x.x.x, then imported the new cert into the keystore and removed the old cert. But it seems that the server is still sending over the old cert.

Would you think that my theory is correct? If so, should I remove the keystore and recreate it?

0 Likes 0 ·
joao.reis scano_183208 commented ·

RemoteCertificateNameMismatch usually happens when the ServerName does not match the name on the certificate. By default the driver performs DNS reverse resolution to obtain the ServerName, but if you don't have this DNS set up then you need to provide a custom resolver:

Builder.WithSSL(new SSLOptions().SetHostNameResolver(...));

I've created CSHARP-881 to add some notes about this to the C# driver documentation.

2 Likes 2 ·
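
The custom resolver described in the comment above, as an added example (not code from the driver documentation or from anyone in this thread): it maps the contact-point IP to the name in the node's certificate and logs which certificate the node actually presents, without relaxing validation. The address 192.0.2.10 and the class and method names are assumptions; node1 is the CN mentioned in the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Cassandra; // CassandraCSharpDriver NuGet package

public static class TlsConnectExample
{
    // Constructed mapping: contact-point IP -> name present in that node's certificate.
    // 192.0.2.10 is a documentation address; replace it with the node's real IP.
    private static readonly Dictionary<string, string> CertNames =
        new Dictionary<string, string> { { "192.0.2.10", "node1" } };

    // Returns the server name the TLS handshake should expect for this address.
    // Unknown addresses fall back to the IP text, which only validates if the
    // certificate carries a matching IP subjectAltName.
    public static string ResolveCertName(IPAddress address) =>
        CertNames.TryGetValue(address.ToString(), out var name) ? name : address.ToString();

    // Logs what the server presented, then keeps the platform's verdict.
    // The hash and start date show whether the old or the new certificate is served.
    public static bool LogAndValidate(object sender, X509Certificate cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (cert != null)
        {
            Console.WriteLine("Subject:    " + cert.Subject);
            Console.WriteLine("SHA-1 hash: " + cert.GetCertHashString());
            Console.WriteLine("Valid from: " + cert.GetEffectiveDateString());
        }
        Console.WriteLine("Policy errors: " + errors);
        return errors == SslPolicyErrors.None; // never accept on mismatch
    }

    public static void Main()
    {
        var ssl = new SSLOptions()
            .SetHostNameResolver(ResolveCertName)
            .SetRemoteCertValidationCallback(LogAndValidate);

        using (var cluster = Cluster.Builder()
                   .AddContactPoint("192.0.2.10")
                   .WithSSL(ssl)
                   .Build())
        using (cluster.Connect())
        {
            Console.WriteLine("TLS handshake succeeded");
        }
    }
}
```

If the logged hash still belongs to the old certificate after the keystore was changed, the node is not serving the new keystore entry, and no client-side setting will change that.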
Erick Ramirez ♦♦ scano_183208 commented ·

I would definitely recreate the certificate and key/trust stores. If you missed just one step in the process, your configuration is completely invalid and won't work. Cheers!

0 Likes 0 ·