
Accessing MongoDB via PHP over SSL/TLS with x509

Stack Overflow user
Asked on 2015-10-16 21:51:09
Answers: 2 · Views: 1.9K · Followers: 0 · Votes: 0

After setting up all the root, chain, server and client certificates, I can establish a TLS X509 connection to mongodb through the mongo client.

Next, I added the x509 user, grepped out of the client certificate, to the $external db.

I set up a PHP test script to test an x509 login from the client using the client certificate:

<?php
$mongoClient = null;
// Stream context carrying the client certificate presented for X.509 authentication
$context = stream_context_create(
    array(
        "ssl" => array(
            "local_cert" => "/home/mshallop/code/database/ome-mongo/certsByEnv/badLatitude/intermediate/certs/dapi.cert.pem"
        )
    )
);

// Driver options: TLS on, authenticate against $external with the certificate subject as the username
$options = array(
    'ssl'           =>      true,
    'username'      =>      'CN=mike@shallop.com,O=MyCompany,ST=California,C=US',
    'authSource'    =>      '$external',
    'authMechanism' =>      'MONGODB-X509'
);

try {
    $mongoClient = new MongoClient(
        '127.0.0.1',
        $options,
        array("context" => $context)
    );
} catch (MongoConnectionException $e) {
    echo $e->getMessage() . PHP_EOL;
}
if (is_null($mongoClient)) exit('mongo client is null' . PHP_EOL);
// Fetch one document to confirm the authenticated connection works
// (note ->limit(), not .limit(): '.' is string concatenation in PHP)
var_dump(iterator_to_array($mongoClient->atl->pgTest_tst->find()->limit(1)));

The result on the console is:

Failed to connect to: 127.0.0.1:27017: Cannot setup SSL, is ext/openssl loaded?
mongo client is null

In the mongod log I see:

Fri Oct 16 14:35:27.165 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:34398 #11 (2 connections now open)
Fri Oct 16 14:35:27.166 W -        [conn11] DBException thrown :: caused by :: 9001 socket exception [CLOSED] for 127.0.0.1:34398

The openSSL extension is loaded (php -i | grep -i openssl):

SSL Version => OpenSSL/1.0.1f
openssl
OpenSSL support => enabled
OpenSSL Library Version => OpenSSL 1.0.1f 6 Jan 2014
OpenSSL Header Version => OpenSSL 1.0.1f 6 Jan 2014
OpenSSL support => enabled

In the PHP mongo extension I see:

mongo

MongoDB Support => enabled
Version => 1.6.10
Streams Support => enabled
SSL Support => enabled
                   Supported Authentication Mechanisms                   
MONGODB-CR => enabled
SCRAM-SHA-1 => enabled
MONGODB-X509 => enabled
GSSAPI (Kerberos) => disabled
PLAIN => disabled

Directive => Local Value => Master Value
mongo.allow_empty_keys => 0 => 0
mongo.chunk_size => 261120 => 261120
mongo.cmd => $ => $
mongo.default_host => localhost => localhost
mongo.default_port => 27017 => 27017
mongo.is_master_interval => 15 => 15
mongo.long_as_object => 0 => 0
mongo.native_long => 1 => 1
mongo.ping_interval => 5 => 5

One last tidbit - I tried to authenticate the client user by entering this command through the mongo client:

> db.getSiblingDB("$external").auth(
... {
... mechanism: "MONGODB-X509",
... user: "CN=mike@shallop.com,O=MyCompany,ST=California,C=US"
... }
... )
Error: 18 Username "CN=mike@shallop.com,O=MyCompany,ST=California,C=US" does not match the provided client certificate user ""
0

To make sure the x509 user I created still existed after several restarts, I tried re-entering the user and got the following:

> db.getSiblingDB("$external").runCommand(
... {
... createUser: "CN=mike@shallop.com,O=MyCompany,ST=California,C=US",

... roles: [ 
... { role: 'readWrite', db: 'atl' },
... { role: 'userAdminAnyDatabase', db: 'admin' }
... ],
... writeConcern : { w: "majority", wtimeout:5000 }
... }
... )
{
    "ok" : 0,
    "errmsg" : "User \"CN=mike@shallop.com,O=MyCompany,ST=California,C=US@$external\" already exists",
    "code" : 11000

I'm kind of stuck at this point... so here are my questions:

  1. What are some of the other db.getSiblingDB("$external") commands? Is there an option to list the existing external users that have been created -- so I can make sure the user was actually added correctly?
  2. Why do I get the "Cannot setup SSL" error on the console after running the PHP stub?
  3. If I have to start over, how would I remove the entries I've already made in the $external table?

Thanks!

-Mike

PS: here is the mongo log dump from the php-stub request:

Fri Oct 16 15:48:44.348 I NETWORK  [initandlisten] connection accepted from 127.0.0.1:35121 #12 (2 connections now open)
Fri Oct 16 15:48:44.349 W -        [conn12] DBException thrown :: caused by :: 9001 socket exception [CLOSED] for 127.0.0.1:35121
Fri Oct 16 15:48:44.354 I NETWORK  [conn12] end connection 127.0.0.1:35121 (1 connection now open)

2 Answers

Stack Overflow user

Posted on 2015-10-26 18:31:10

What are some of the other db.getSiblingDB("$external") commands? Is there an option to list the existing external users that have been created -- so I can make sure the user was actually added correctly?

There doesn't appear to be a reference list in the MongoDB documentation; however, I have only seen $external used in documentation examples for authentication commands (i.e. db.auth() in the shell) and user management (e.g. creating users). For the latter, I would expect the following commands to apply: https://docs.mongodb.org/manual/reference/command/nav-user-management/

Why do I get the "Cannot setup SSL" error on the console after running the PHP stub?

I assume you are missing additional SSL context options. We don't have any mongo authentication examples for the legacy driver (mongo extension) in its test suite, but the new driver (mongodb extension) has some. The extension APIs are a bit different, but the SSL context options apply to both extensions. If I had to guess, you probably need to specify peer_name, cafile and/or capath. Note that verify_peer and verify_peer_name both default to true, so this may fail without the correct CA file.

If I have to start over, how would I remove the entries I've already made in the $external table?

Since X509 does not involve an external server (unlike LDAP or Kerberos), MongoDB stores the username and credentials in the system.users collection (probably per relevant database). I would suggest using db.dropUser() to remove the user.

Votes: 1
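An added example (not code from the question or either answer) applying the answer above: it builds the stream context with the cafile, peer_name and verify_* options the answer names, and checks locally that the configured MONGODB-X509 username matches the client certificate's subject in the order MongoDB expects, so a mismatch is caught before connecting. File paths and the server name are placeholders; the buildMongoSslContext and x509UsernameFromCert helpers are this example's own.

```php
<?php
// Added example, not from the original question or answers. Paths and the
// server name are placeholders to be replaced with real values.

/**
 * Stream context for the legacy mongo extension with the full set of SSL
 * options: client cert for X509 auth, CA bundle to verify the server, and
 * explicit peer verification (both verify_* options default to true anyway).
 */
function buildMongoSslContext(string $clientCertPem, string $caFile, string $serverName)
{
    return stream_context_create([
        'ssl' => [
            'local_cert'       => $clientCertPem, // PEM with client cert and private key
            'cafile'           => $caFile,        // CA chain that signed the server cert
            'verify_peer'      => true,
            'verify_peer_name' => true,
            'peer_name'        => $serverName,    // must match the server cert's CN/SAN
        ],
    ]);
}

/**
 * MongoDB compares the X.509 username against the certificate subject in
 * RFC 2253 order (CN first, C last). openssl_x509_parse() returns the subject
 * in certificate order (C first), so it is reversed here. Multi-valued RDNs
 * and RFC 2253 escaping of special characters are not handled.
 */
function x509UsernameFromCert(string $pem): string
{
    $info = openssl_x509_parse($pem);
    if ($info === false || empty($info['subject'])) {
        throw new RuntimeException('cannot parse client certificate');
    }
    $parts = [];
    foreach (array_reverse($info['subject'], true) as $attr => $value) {
        $parts[] = $attr . '=' . (is_array($value) ? implode('+', $value) : $value);
    }
    return implode(',', $parts);
}

// Compare the derived name with the user created in $external before connecting.
$certPath = '/path/to/client.pem';     // placeholder
$expected = 'CN=mike@shallop.com,O=MyCompany,ST=California,C=US';
$actual   = x509UsernameFromCert(file_get_contents($certPath));
if ($actual !== $expected) {
    fwrite(STDERR, "certificate subject '$actual' != configured user '$expected'\n");
    exit(1);
}
$context = buildMongoSslContext($certPath, '/path/to/ca-chain.pem', 'mongo.example'); // placeholders
```

The returned $context is passed as the "context" driver option to MongoClient exactly as in the question's script; the only change is the set of SSL options inside it.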

Stack Overflow user

Posted on 2017-07-16 04:43:47

I had the same thing -- installing PHP 7.1 over 7.0.9 and installing 1.2.9 fixed it for me. (I was using php-mongodb 1.1.5 on php 7.0.) I found this solution because it worked fine on my laptop and failed on the server. Here is what it looked like before upgrading the server:

On my server:
php -i | grep -i mongo
/etc/php/7.0/cli/conf.d/20-mongodb.ini,
mongodb
mongodb support => enabled
mongodb version => 1.1.5
mongodb stability => stable
libmongoc version => 1.3.3
mongodb.debug => no value => no value


on local PC:
php -i | grep -i mongo
/etc/php/7.0/cli/conf.d/20-mongodb.ini,
mongodb
MongoDB support => enabled
MongoDB extension version => 1.2.9
MongoDB extension stability => stable
libmongoc bundled version => 1.5.5
libmongoc SSL => enabled
libmongoc SSL library => OpenSSL
libmongoc crypto => enabled
libmongoc crypto library => libcrypto
libmongoc crypto system profile => disabled
libmongoc SASL => enabled
mongodb.debug => no value => no value
Votes: 0

Original content provided by Stack Overflow.
Original link: https://stackoverflow.com/questions/33180096