SSL certificate support added

Open vmakeev opened this issue 4 years ago • 4 comments

Required in case of using Yandex Managed Service for ClickHouse https://cloud.yandex.com/en/services/managed-clickhouse

vmakeev, Jun 02 '21 14:06

Hi,

It's possible to achieve the same by using the following code:

    var httpClientHandler = new HttpClientHandler()
    {
        AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate,
        // Accepts any server certificate: the server's identity is not verified
        ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
    };
    // certificate: the client certificate (X509Certificate2), loaded elsewhere
    httpClientHandler.ClientCertificates.Add(certificate);
    var httpClient = new HttpClient(httpClientHandler);
    var connection = new ClickHouseConnection(connectionString, httpClient);

What is the value you see in adding this directly to ClickHouseConnection?

DarkWanderer, Jun 02 '21 14:06

An externally created HttpClient will not apply the "Timeout" setting from the connection string, and I would not like to parse it manually :)

> What is the value you see in adding this directly to ClickHouseConnection?

jdbc-like SSL certificate configuration, "all in connection string", nothing more

jdbc:clickhouse://my-clickhouse-server:8443?ssl=1&sslmode=strict&sslrootcert=/my/path/clickhouse.crt

vmakeev, Jun 02 '21 20:06

> jdbc-like SSL certificate configuration, "all in connection string", nothing more

Okay, this is a valid reason. Could you please look into the comments?

  • There must be a separate parameter to ignore server certificate check (TrustServerCertificate=true, default false)
  • Client certificate parameter name should indicate that it's a 'client' certificate
  • There should be a matching parameter for client certificate password (ClientCertificate <=> ClientCertificatePassword)
  • The certificate object needs to be disposed along with the connection

DarkWanderer, Jun 04 '21 13:06

The code / PR is wrong.

To use Yandex Managed Service for ClickHouse you need to add a Yandex-provided CA certificate to the system certificate store, and everything will work. You don't need to use a client certificate.

If you want to mimic the behavior of the JDBC connect string (using a custom CA without installing the certificate to a system store) you need to use code similar to https://www.meziantou.net/custom-certificate-validation-in-dotnet.htm

filimonov, Nov 23 '21 17:11
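
The custom-CA validation mentioned in the last comment, as an added example that is not part of the thread or of ClickHouse.Client: the server chain is validated against one CA file instead of the system store, and host name mismatches are still rejected. It assumes .NET 5 or later (for `X509ChainTrustMode.CustomRootTrust`); the class name `CustomCaClickHouse`, the method `Connect` and its parameters are hypothetical.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using ClickHouse.Client.ADO;

public static class CustomCaClickHouse
{
    // Hypothetical helper: trusts only server chains that end in the CA file at caPath.
    public static ClickHouseConnection Connect(string connectionString, string caPath, TimeSpan timeout)
    {
        var rootCa = new X509Certificate2(caPath); // public CA certificate, PEM or DER

        var handler = new HttpClientHandler
        {
            AutomaticDecompression = DecompressionMethods.GZip | DecompressionMethods.Deflate,
            ServerCertificateCustomValidationCallback = (_, cert, platformChain, errors) =>
            {
                // Missing certificate or host name mismatch: reject, whatever the chain says.
                if (cert is null || (errors & ~SslPolicyErrors.RemoteCertificateChainErrors) != SslPolicyErrors.None)
                    return false;

                using var chain = new X509Chain();
                chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore system roots
                chain.ChainPolicy.CustomTrustStore.Add(rootCa);
                // Same as HttpClientHandler's default (no revocation check);
                // switch to Online if the CA publishes CRL/OCSP endpoints.
                chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
                if (platformChain is not null)
                    foreach (var element in platformChain.ChainElements) // intermediates sent by the server
                        chain.ChainPolicy.ExtraStore.Add(element.Certificate);

                return chain.Build(cert); // false unless the chain ends in rootCa and is otherwise valid
            }
        };

        // An external HttpClient does not pick up Timeout from the connection string
        // (as noted earlier in the thread), so it is set explicitly here.
        var httpClient = new HttpClient(handler) { Timeout = timeout };
        return new ClickHouseConnection(connectionString, httpClient);
    }
}
```

Unlike `DangerousAcceptAnyServerCertificateValidator`, this callback fails the TLS handshake for any certificate that does not chain to the supplied CA.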