Remote certificate name mismatch error is ignored by default

Using CouchbaseNetClient 3.6.4 nuget package in .NET 8.

When I’m connecting to CB using TLS, a remote certificate name mismatch error is ignored by default. However, if I assign the KvCertificateCallbackValidation delegate, the error is reported to it.

var clusterOptions = new ClusterOptions
{
    ConnectionString = "...",
    EnableTls = true,
    KvIgnoreRemoteCertificateNameMismatch = false
    // etc.
};

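clusterOptions.KvCertificateCallbackValidation += (sender, certificate, chain, errors) =>
{
    // if this delegate is assigned, it receives a call with errors = RemoteCertificateNameMismatch
    // the delegate must return a bool; accept the certificate only when no policy error was reported
    return errors == SslPolicyErrors.None;
};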

var cluster = await Couchbase.Cluster.ConnectAsync(clusterOptions).ConfigureAwait(false);
await cluster.WaitUntilReadyAsync(TimeSpan.FromSeconds(15)).ConfigureAwait(false);

If I do the same with a nuget package earlier than 3.6.0, the name mismatch causes WaitUntilReadyAsync() to throw UnambiguousTimeoutException instead.

Is the client library swallowing the error on purpose?

I checked the release notes of 3.6.0 and can only see unrelated changes. There is a certificate-related change but it’s about client certificates, not server certificates.

The default callback will only ignore name mismatch when KvIgnoreRemoteCertificateNameMismatch is true. Can you show your cluster options for certificate validation? This might be related to Jira

This is what my ClusterOptions looks like:

return new ClusterOptions
{
    KvTimeout = TimeSpan.FromMinutes(1),
    TcpKeepAliveTime = TimeSpan.FromMinutes(4),
    QueryTimeout = TimeSpan.FromMinutes(4),
    ConnectionString = "couchbase://...",
    EnableTls = true,
    EnableTcpKeepAlives = true,
    UserName = "...",
    Password = "...",
    Serializer = new DefaultSerializer(
        deserializationSettings: new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All },
        serializerSettings: new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.All, ContractResolver = new DefaultContractResolver() }),
    // certificate factory that looks up certificates in the LocalMachine\Root store by subject name
    X509CertificateFactory = new CertificateStoreFactory(new CertificateStoreSearchCriteria
    {
        FindValue = "",
        X509FindType = X509FindType.FindBySubjectName,
        StoreLocation = StoreLocation.LocalMachine,
        StoreName = StoreName.Root,
    })
};
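A fail-closed validation callback for the behaviour discussed in this thread, as an added example that is not part of any post or of the Couchbase SDK. The class name StrictKvTlsValidation is hypothetical, and assigning it to KvCertificateCallbackValidation assumes that property takes the standard .NET RemoteCertificateValidationCallback, as the lambda in the first post suggests.

```csharp
#nullable enable
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper: rejects the server certificate on ANY policy error,
// so a name mismatch can never be accepted silently.
public static class StrictKvTlsValidation
{
    // Same signature as System.Net.Security.RemoteCertificateValidationCallback.
    public static bool Validate(object sender, X509Certificate? certificate,
                                X509Chain? chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None)
            return true;

        // SslPolicyErrors is a flags enum: report each reason separately.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            Console.Error.WriteLine("TLS rejected: server presented no certificate");

        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
            Console.Error.WriteLine(
                $"TLS rejected: name mismatch, certificate subject '{certificate?.Subject}'");

        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors) && chain != null)
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine(
                    $"TLS rejected: chain error {status.Status}: {status.StatusInformation}");

        return false; // fail closed
    }

    public static void Main()
    {
        // Constructed inputs: no certificate object is needed to exercise the decision.
        bool clean = Validate(new object(), null, null, SslPolicyErrors.None);
        bool mismatch = Validate(new object(), null, null,
                                 SslPolicyErrors.RemoteCertificateNameMismatch);
        Console.WriteLine($"no errors -> {clean}, name mismatch -> {mismatch}");

        // Assumed wiring, using the option names from the first post:
        //   clusterOptions.KvIgnoreRemoteCertificateNameMismatch = false;
        //   clusterOptions.KvCertificateCallbackValidation = StrictKvTlsValidation.Validate;
    }
}
```

Calling Validate directly like this in a unit test pins the reject-on-mismatch decision in your own code, independent of the SDK version's default callback.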